Mercurial > hg > orthanc
changeset 4381:df313e410f0c varian
Add support to configure minimimum accepted TLS version and cipher suite
author | Andrew Wallis <andrew.wallis@varian.com>> |
---|---|
date | Fri, 11 Dec 2020 11:59:10 -0500 |
parents | 85b5b0e1bac9 |
children | 3aacd2bd8bbc |
files | OrthancFramework/Sources/HttpServer/HttpServer.cpp OrthancFramework/Sources/HttpServer/HttpServer.h OrthancServer/Resources/Configuration.json OrthancServer/Sources/main.cpp |
diffstat | 4 files changed, 76 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp Thu Dec 17 12:48:14 2020 +0100 +++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp Fri Dec 11 11:59:10 2020 -0500 @@ -1631,9 +1631,16 @@ options.push_back("ssl_ca_file"); options.push_back(trustedClientCertificates_.c_str()); } - if (ssl_) { + // Restrict minimum SSL/TLS protocol version + options.push_back("ssl_protocol_version"); + options.push_back(sslMinimumVersion_.c_str()); + + // Set the accepted ciphers list + options.push_back("ssl_cipher_list"); + options.push_back(sslCiphers_.c_str()); + // Set the SSL certificate, if any options.push_back("ssl_certificate"); options.push_back(certificate_.c_str()); @@ -1783,6 +1790,18 @@ #endif } + void HttpServer::SetSslMinimumVersion(std::string version) + { + Stop(); + sslMinimumVersion_ = std::move(version); + } + + void HttpServer::SetSslCiphers(std::string ciphers) + { + Stop(); + sslCiphers_ = std::move(ciphers); + } + void HttpServer::SetKeepAliveEnabled(bool enabled) { Stop();
--- a/OrthancFramework/Sources/HttpServer/HttpServer.h Thu Dec 17 12:48:14 2020 +0100 +++ b/OrthancFramework/Sources/HttpServer/HttpServer.h Fri Dec 11 11:59:10 2020 -0500 @@ -97,6 +97,8 @@ std::string trustedClientCertificates_; bool ssl_; std::string certificate_; + std::string sslMinimumVersion_; + std::string sslCiphers_; uint16_t port_; IIncomingHttpRequestFilter* filter_; bool keepAlive_; @@ -141,6 +143,12 @@ void SetSslVerifyPeers(bool enabled); + // set the minimum accepted version of SSL/TLS protocol according to the CivetWeb table published here: + // https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md#ssl_protocol_version-0 + void SetSslMinimumVersion(std::string version); + + void SetSslCiphers(std::string ciphers); + void SetSslTrustedClientCertificates(const char* path); bool IsKeepAliveEnabled() const;
--- a/OrthancServer/Resources/Configuration.json Thu Dec 17 12:48:14 2020 +0100 +++ b/OrthancServer/Resources/Configuration.json Fri Dec 11 11:59:10 2020 -0500 @@ -170,6 +170,22 @@ // if "SslEnabled" is true. "SslCertificate" : "certificate.pem", + // Sets the minimum accepted SSL protocol version + // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md + // "ssl_protocol_version" for mapping + // By default require SSL 1.2 + // This option is only meaningful if "SslEnabled" is true. + /** + "SslMinimumProtocolVersion" : "4", + **/ + + // Set the allowed ciphers for SSL connections + // If not set, this will default to FIPS 140-2 ciphers + // This option is only meaningful if "SslEnabled" is true. + /** + "SslCiphersAccepted" : "", + **/ + // Whether or not peer client certificates shall be checked. This // option is only meaningful if "SslEnabled" is true. "SslVerifyPeers" : false,
--- a/OrthancServer/Sources/main.cpp Thu Dec 17 12:48:14 2020 +0100 +++ b/OrthancServer/Sources/main.cpp Fri Dec 11 11:59:10 2020 -0500 @@ -1043,6 +1043,38 @@ lock.GetConfiguration().GetStringParameter("SslCertificate", "certificate.pem")); httpServer.SetSslEnabled(true); httpServer.SetSslCertificate(certificate.c_str()); + + // Default to TLS 1.2 as SSL minimum + // See https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md "ssl_protocol_version" for mapping + std::string tls1_2 = "4"; + std::string minimumVersion = lock.GetConfiguration().GetStringParameter("SslMinimumProtocolVersion", tls1_2); + httpServer.SetSslMinimumVersion(minimumVersion); + + // Default to FIPS 140-2 ciphers + const std::vector<std::string> fipsCiphers = { + "ECDHE-ECDSA-AES256-GCM-SHA384", + "ECDHE-ECDSA-AES256-SHA384", + "ECDHE-RSA-AES256-GCM-SHA384", + "ECDHE-RSA-AES128-GCM-SHA256", + "ECDHE-RSA-AES256-SHA384", + "ECDHE-RSA-AES128-SHA256", + "ECDHE-RSA-AES128-SHA", + "ECDHE-RSA-AES256-SHA", + "DHE-RSA-AES256-SHA", + "DHE-RSA-AES128-SHA", + "AES256-SHA", + "AES128-SHA"}; + + // Format default cipher string + std::string defaultCipherString; + for (const auto &cipher : fipsCiphers) + { + defaultCipherString += cipher + ":"; + } + defaultCipherString.pop_back(); + + std::string ciphersAccepted = lock.GetConfiguration().GetStringParameter("SslCiphersAccepted", defaultCipherString); + httpServer.SetSslCiphers(ciphersAccepted); } else {