Implement option for honor_cipher order, defaults to on on patched OTP

basho · Dec 20, 2013 · 9449774 · 9449774
1 parent 8359c3e
commit 9449774
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/priv/riak_api.schema b/priv/riak_api.schema
@@ -80,3 +80,26 @@
         [ IP || {_, IP} <- HTTPS]
     end
 }.
+
+%% @doc Whether or not to honor the order in which the server lists its
+%% preferred ciphers.
+{mapping, "honor_cipher_order", "riak_api.honor_cipher_order", [
+  {datatype, {enum, [on, off]}},
+  {default, on}
+]}.
+
+{translation,
+  "riak_api.honor_cipher_order",
+   fun(Conf) ->
+     OTPVer = erlang:system_info(otp_release),
+     CipherOrder = cuttlefish_util:conf_get_value("honor_cipher_order", Conf),
+     %% This is only available, as of December 2013, in basho patched R16B02,
+     %% so disable it if the VM is not patched by basho. This can be revised
+     %% for R17, when this patch is expected to be present mainline.
+     case {CipherOrder, string:str(OTPVer, "basho")} of
+       {_, 0} -> false;
+       {on, _} -> true;
+       {off, _} -> false
+     end
+   end
+}.
diff --git a/src/riak_api_pb_server.erl b/src/riak_api_pb_server.erl
@@ -136,7 +136,12 @@ wait_for_tls({msg, MsgCode, _MsgData}, State=#state{socket=Socket,
                                          {verify_fun, {fun validate_function/3,
                                                        {CACerts, []}}},
                                          {reuse_sessions, false} %% required!
-                                        ]) of
+                                        ] ++
+                                        %% conditionally include the honor cipher order, don't pass it if it
+                                        %% disabled because it will crash unpatched OTP
+                                        [{honor_cipher_order, true} ||
+                                         app_helper:get_env(riak_api, honor_cipher_order, false) ]
+                               ) of
                 {ok, NewSocket} ->
                     CommonName = case ssl:peercert(NewSocket) of
                         {ok, Cert} ->

diff --git a/src/riak_api_web.erl b/src/riak_api_web.erl
@@ -66,12 +66,18 @@ spec_from_binding(https, Name, {Ip, Port}) ->
         riak_core_ssl_util:parse_ciphers(riak_core_security:get_ciphers()),
     SslOpts = app_helper:get_env(riak_core, ssl,
                                  [{certfile, filename:join(Etc, "cert.pem")},
-                                  {keyfile, filename:join(Etc, "key.pem")}]),
+                                  {keyfile, filename:join(Etc, "key.pem")}]) 
+        %% conditionally include the honor cipher order, don't pass it if it
+        %% disabled because it will crash unpatched OTP
+        ++ [{honor_cipher_order, true} ||
+            app_helper:get_env(riak_api, honor_cipher_order, false) ]
+        ++ [{ciphers, Ciphers}],
+
     lists:flatten([{name, Name},
                    {ip, Ip},
                    {port, Port},
                    {ssl, true},
-                   {ssl_opts, SslOpts ++ [{ciphers, Ciphers}]},
+                   {ssl_opts, SslOpts},
                    {nodelay, true}],
                   common_config()).