CORE-2426 support ossl cipher strings #19792
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michael-redpanda
requested review from
jackietung-redpanda
and removed request for
a team
|
new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a41-7a1c-4dba-94bf-eb2641090014: new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a41-7a22-40d8-a85d-7f0b11841c0f: new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a30-d379-4780-b83a-5e7b6637d119: new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a41-7a24-40f3-9137-ad5cfaa120e4: new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a30-d376-4248-94b3-fd53d882d06b: new failures in https://buildkite.com/redpanda/redpanda/builds/50138#01900a41-7a1f-4eac-854f-e0d3f1854300: new failures in https://buildkite.com/redpanda/redpanda/builds/50177#01900d23-e5b1-4612-9e4f-24cff3f3ab86: |
BenPope
reviewed
Jun 12, 2024
cmake/v_library.cmake
Outdated
| @@ -94,6 +94,10 @@ function(v_cc_library) | |||
| ${V_DEFAULT_LINKOPTS} | |||
| ) | |||
| target_compile_definitions(${_NAME} PUBLIC ${V_CC_LIB_DEFINES}) | |||
| ## TODO: Remove this when fully switched over to OSSL | |||
| if (ENABLE_OSSL_IN_SEASTAR) | |||
| target_compile_definitions(${_NAME} PUBLIC ENABLE_OSSL_IN_SEASTAR) | |||
There was a problem hiding this comment.
This should be attached to the seastar library and brought in by the dependency on it via v::base.
Or at least put it in v::base;
There was a problem hiding this comment.
yeah good point, there actually already is something there
| << " }"; | ||
| return o; | ||
| } | ||
| operator<<(std::ostream& o, const config::tls_config& c); |
There was a problem hiding this comment.
Why not also move the other implementation stuff?
Should be able to get includes down to:
#include "base/seastarx.h"
#include <seastar/core/future.hh>
#include <seastar/core/sstring.hh>
#include <seastar/net/tls.hh>
#include <yaml-cpp/node/node.h>
#include <iosfwd>
#include <optional>
src/v/config/tls_config.h
Outdated
| @@ -46,6 +46,14 @@ struct key_cert { | |||
| } | |||
| }; | |||
|
|
|||
| static constexpr std::string_view tlsv1_2_cipher_string | |||
There was a problem hiding this comment.
Prefer inline constexpr in header files, alternatively have a function:
void set_preferred_priority(ss::tls::credentials_builder&);
Created tls_config.cc to hold implementation of TLS config Signed-off-by: Michael Boquard <michael@redpanda.com>
When compiling with OpenSSL in Seastar, switch to a new set of calls to Seastar to enable a faster set of ciphers than what OpenSSL selects by default. Signed-off-by: Michael Boquard <michael@redpanda.com>
* Updated certs to use cRLSign extension * Updated RFC test to start node with TLS enabled * Updated error condition searchs for OpenSSL responses Signed-off-by: Michael Boquard <michael@redpanda.com>
michael-redpanda
force-pushed
the
CORE-2426-Support-OSSL-Cipher-Strings
branch
from
8f7f50f to
e578efe
Compare
|
Force push
|
BenPope
approved these changes
Jun 12, 2024
michael-redpanda
added a commit
to michael-redpanda/redpanda
that referenced
this pull request
Nov 20, 2024
This was a miss when redpanda-data#19792 landed. Only RSA based cipher strings were included in the list. This wasn't caught because our integration tests only use RSA based certificates. Also this may have taken some time for customers to find as this bug didn't effect TLSv1.3. Signed-off-by: Michael Boquard <michael@redpanda.com>
vbotbuildovich
pushed a commit
to vbotbuildovich/redpanda
that referenced
this pull request
Nov 20, 2024
This was a miss when redpanda-data#19792 landed. Only RSA based cipher strings were included in the list. This wasn't caught because our integration tests only use RSA based certificates. Also this may have taken some time for customers to find as this bug didn't effect TLSv1.3. Signed-off-by: Michael Boquard <michael@redpanda.com> (cherry picked from commit f0c141b)
michael-redpanda
added a commit
that referenced
this pull request
Nov 20, 2024
This was a miss when #19792 landed. Only RSA based cipher strings were included in the list. This wasn't caught because our integration tests only use RSA based certificates. Also this may have taken some time for customers to find as this bug didn't effect TLSv1.3. Signed-off-by: Michael Boquard <michael@redpanda.com> (cherry picked from commit f0c141b)
WillemKauf
pushed a commit
to WillemKauf/redpanda
that referenced
this pull request
Dec 3, 2024
This was a miss when redpanda-data#19792 landed. Only RSA based cipher strings were included in the list. This wasn't caught because our integration tests only use RSA based certificates. Also this may have taken some time for customers to find as this bug didn't effect TLSv1.3. Signed-off-by: Michael Boquard <michael@redpanda.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds support for OpenSSL configuration for Redpanda
Backports Required
Release Notes