authorGolgowski, Wiktor <wiktor.golgowski@intel.com>2020-09-23 21:06:30 +0300
committerGolgowski, Wiktor <wiktor.golgowski@intel.com>2020-09-23 21:18:04 +0300
commitb253675eb507f07f8072b287c0ea68448808eb0b (patch)
tree82eac5af1d1cac3bde757876b133146ff8494d2d
parent82935680e9bf7e26fa6363461e5416ff31659902 (diff)
downloadvirtual-media-b253675eb507f07f8072b287c0ea68448808eb0b.tar.xz
Add TLS version and cipher suites to legacy HTTPS.
This change adds nbdkit curl plugin parameters for specifying the TLS version and the disallowed cipher suites (per OWASP recommendation). Tested: manually, TLSv1.0 is not negotiated during connection. Awaiting confirmation for cipher suites. Warning: this change may break legacy mode if used with an nbdkit whose curl plugin lacks the ssl-version and ssl-cipher-list parameters (see review #272350). Change-Id: I06c5acc7a87de6c1bd1b0cdcef2af8585a3da965 Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
-rw-r--r--src/state/activating_state.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index bc9a30b..18afa60 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -62,7 +62,7 @@ std::unique_ptr<BasicState> ActivatingState::activateProxyMode()
"/usr/sbin/nbd-client", machine.getConfig().nbdDevice));
if (!process->spawn(Configuration::MountPoint::toArgs(machine.getConfig()),
- [& machine = machine](int exitCode, bool isReady) {
+ [&machine = machine](int exitCode, bool isReady) {
LogMsg(Logger::Info, machine.getName(),
" process ended.");
machine.getExitCode() = exitCode;
@@ -197,7 +197,7 @@ std::unique_ptr<resource::Process>
// Insert extra params
args.insert(args.end(), params.begin(), params.end());
- if (!process->spawn(args, [& machine = machine, secret = std::move(secret)](
+ if (!process->spawn(args, [&machine = machine, secret = std::move(secret)](
int exitCode, bool isReady) {
LogMsg(Logger::Info, machine.getName(), " process ended.");
machine.getExitCode() = exitCode;
@@ -233,7 +233,12 @@ std::unique_ptr<resource::Process>
// ... to mount http resource at url
"url=" + url,
// custom OpenBMC path for CA
- "capath=/etc/ssl/certs/authority"};
+ "capath=/etc/ssl/certs/authority",
+ "ssl-version=tlsv1.1",
+ "ssl-cipher-list=\"!AES256-GCM-SHA384:"
+ "!AES128-GCM-SHA256:"
+ "!AES256-SHA256:"
+ "!AES128-SHA256"};
// Authenticate if needed
if (machine.getTarget()->credentials)
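Review bot: The cipher-list value on the added lines embeds literal double-quote characters, and because `args` is handed to `process->spawn` as an argument vector with no shell in between, curl receives `"!AES256-GCM-SHA384:...:!AES128-SHA256"` quotes included; with an OpenSSL-backed curl a `"` is not a legal character in a cipher string, so as far as I can tell the whole list is rejected and the connection fails rather than the four suites being excluded. Even with the quotes removed, a list made only of `!` exclusions starts from an empty set in OpenSSL and, I believe, yields "no cipher match", which would explain the "may break legacy mode" warning in the description; a positive allow-list avoids both problems, e.g. `"ssl-cipher-list=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"`, or at minimum `"ssl-cipher-list=DEFAULT:!kRSA"` to drop the whole static-RSA-key-exchange class the four listed names belong to. `ssl-version=tlsv1.1` only rules out TLS 1.0; TLS 1.1 is deprecated as well and the OWASP guidance the description cites is TLS 1.2 as the floor, so `"ssl-version=tlsv1.2",` is the value to use unless a TLS 1.1-only target must be kept working. The description says the cipher-suite half is untested, so both parameters should be exercised against the target nbdkit/curl build (and the string checked with `openssl ciphers -v '<list>'`) before merge. The enclosing function starts before and continues after this hunk.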