TLS: Configuration options.

Add configuration options for TLS protocol versions, ciphers/cipher suites selection, etc.
pmem · Oct 7, 2019 · 61733de · 61733de
1 parent 6b62948
commit 61733de
Show file tree

Hide file tree

Showing 13 changed files with 414 additions and 160 deletions.
diff --git a/TLS.md b/TLS.md
@@ -48,45 +48,35 @@ both TCP and TLS available, but you'll need to assign different ports.
 To make a Replica connect to the master using TLS, use `--tls-replication yes`,
 and to make Redis Cluster use TLS across nodes use `--tls-cluster yes`.
 
-**NOTE: This is still very much work in progress and some configuration is still
-missing or may change.**
-
 Connections
 -----------
 
-Connection abstraction API is mostly done and seems to hold well for hiding
-implementation details between TLS and TCP.
-
-1. Multi-threading I/O is not supported.  The main issue to address is the need
-   to manipulate AE based on OpenSSL return codes.  We can either propagate this
-   out of the thread, or explore ways of further optimizing MT I/O by having
-   event loops that live inside the thread and borrow connections in/out.
+All socket operations now go through a connection abstraction layer that hides
+I/O and read/write event handling from the caller.
 
-2. Finish cleaning up the implementation.  Make sure all error cases are handled
-   and reflected into connection state, connection state validated before
-   certain operations, etc.
-    - Clean (non-errno) interface to report would-block.
-    - Consistent error reporting.
+**Multi-threading I/O is not currently supported for TLS**, as a TLS connection
+needs to do its own manipulation of AE events which is not thread safe. The
+solution is probably to manage independent AE loops for I/O threads and longer
+term association of connections with threads. This may potentially improve
+overall performance as well.
 
-3. Sync IO for TLS is currently implemented in a hackish way, i.e. making the
-   socket blocking and configuring socket-level timeout.  This means the timeout
-   value may not be so accurate, and there would be a lot of syscall overhead.
-   However I believe that getting rid of syncio completely in favor of pure
-   async work is probably a better move than trying to fix that. For replication
-   it would probably not be so hard. For cluster keys migration it might be more
-   difficult, but there are probably other good reasons to improve that part
-   anyway.
+Sync IO for TLS is currently implemented in a hackish way, i.e. making the
+socket blocking and configuring socket-level timeout.  This means the timeout
+value may not be so accurate, and there would be a lot of syscall overhead.
+However I believe that getting rid of syncio completely in favor of pure async
+work is probably a better move than trying to fix that. For replication it would
+probably not be so hard. For cluster keys migration it might be more difficult,
+but there are probably other good reasons to improve that part anyway.
 
-TLS Features
-------------
+To-Do List
+==========
 
-1. Add metrics to INFO.
-2. Add certificate authentication configuration (i.e. option to skip client
-auth, master auth, etc.).
-3. Add TLS cipher configuration options.
-4. [Optional] Add session caching support. Check if/how it's handled by clients
-   to assess how useful/important it is.
+Additional TLS Features
+-----------------------
 
+1. Add metrics to INFO?
+2. Add session caching support. Check if/how it's handled by clients to assess
+   how useful/important it is.
 
 redis-benchmark
 ---------------
@@ -100,8 +90,8 @@ probably to migrate to hiredis async mode.
 
 redis-cli
 ---------
-1. Support tls in --slave and --rdb
 
+1. Add support for TLS in --slave and --rdb modes.
 
 Others
 ------

diff --git a/redis.conf b/redis.conf
@@ -173,6 +173,30 @@ tcp-keepalive 300
 #
 # tls-cluster yes
 
+# Explicitly specify TLS versions to support. Allowed values are case insensitive
+# and include "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" (OpenSSL >= 1.1.1) or
+# "default" which is currently >= TLSv1.1.
+#
+# tls-protocols TLSv1.2
+
+# Configure allowed ciphers.  See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+
+# Configure allowed TLSv1.3 ciphersuites.  See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-cipher yes
+
 ################################# GENERAL #####################################
 
 # By default Redis does not run as a daemon. Use 'yes' if you need it.

diff --git a/src/Makefile b/src/Makefile
@@ -93,6 +93,8 @@ else
 ifeq ($(uname_S),Darwin)
 	# Darwin
 	FINAL_LIBS+= -ldl
+	OPENSSL_CFLAGS=-I/usr/local/opt/openssl/include
+	OPENSSL_LDFLAGS=-L/usr/local/opt/openssl/lib
 else
 ifeq ($(uname_S),AIX)
         # AIX

diff --git a/src/config.c b/src/config.c
@@ -219,7 +219,7 @@ void queueLoadModule(sds path, sds *argv, int argc) {
 }
 
 void loadServerConfigFromString(char *config) {
-    char *err = NULL;
+    const char *err = NULL;
     int linenum = 0, totlines, i;
     int slaveof_linenum = 0;
     sds *lines;
@@ -286,15 +286,6 @@ void loadServerConfigFromString(char *config) {
             if (server.port < 0 || server.port > 65535) {
                 err = "Invalid port"; goto loaderr;
             }
-        } else if (!strcasecmp(argv[0],"tls-port") && argc == 2) {
-#ifdef USE_OPENSSL
-            server.tls_port = atoi(argv[1]);
-            if (server.port < 0 || server.port > 65535) {
-                err = "Invalid port"; goto loaderr;
-            }
-#else
-            err = "TLS not supported"; goto loaderr;
-#endif
         } else if (!strcasecmp(argv[0],"tcp-backlog") && argc == 2) {
             server.tcp_backlog = atoi(argv[1]);
             if (server.tcp_backlog < 0) {
@@ -806,24 +797,42 @@ void loadServerConfigFromString(char *config) {
                 err = sentinelHandleConfiguration(argv+1,argc-1);
                 if (err) goto loaderr;
             }
-        } else if (!strcasecmp(argv[0],"tls-cert-file") && argc == 2) {
-            zfree(server.tls_cert_file);
-            server.tls_cert_file = zstrdup(argv[1]);
-        } else if (!strcasecmp(argv[0],"tls-key-file") && argc == 2) {
-            zfree(server.tls_key_file);
-            server.tls_key_file = zstrdup(argv[1]);
-        } else if (!strcasecmp(argv[0],"tls-dh-params-file") && argc == 2) {
-            zfree(server.tls_dh_params_file);
-            server.tls_dh_params_file = zstrdup(argv[1]);
-        } else if (!strcasecmp(argv[0],"tls-ca-cert-file") && argc == 2) {
-            zfree(server.tls_ca_cert_file);
-            server.tls_ca_cert_file = zstrdup(argv[1]);
+#ifdef USE_OPENSSL
+        } else if (!strcasecmp(argv[0],"tls-port") && argc == 2) {
+            server.tls_port = atoi(argv[1]);
+            if (server.port < 0 || server.port > 65535) {
+                err = "Invalid tls-port"; goto loaderr;
+            }
         } else if (!strcasecmp(argv[0],"tls-cluster") && argc == 2) {
             server.tls_cluster = yesnotoi(argv[1]);
         } else if (!strcasecmp(argv[0],"tls-replication") && argc == 2) {
             server.tls_replication = yesnotoi(argv[1]);
         } else if (!strcasecmp(argv[0],"tls-auth-clients") && argc == 2) {
             server.tls_auth_clients = yesnotoi(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-cert-file") && argc == 2) {
+            zfree(server.tls_ctx_config.cert_file);
+            server.tls_ctx_config.cert_file = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-key-file") && argc == 2) {
+            zfree(server.tls_ctx_config.key_file);
+            server.tls_ctx_config.key_file = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-dh-params-file") && argc == 2) {
+            zfree(server.tls_ctx_config.dh_params_file);
+            server.tls_ctx_config.dh_params_file = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-ca-cert-file") && argc == 2) {
+            zfree(server.tls_ctx_config.ca_cert_file);
+            server.tls_ctx_config.ca_cert_file = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-protocols") && argc >= 2) {
+            zfree(server.tls_ctx_config.protocols);
+            server.tls_ctx_config.protocols = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-ciphers") && argc == 2) {
+            zfree(server.tls_ctx_config.ciphers);
+            server.tls_ctx_config.ciphers = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-ciphersuites") && argc == 2) {
+            zfree(server.tls_ctx_config.ciphersuites);
+            server.tls_ctx_config.ciphersuites = zstrdup(argv[1]);
+        } else if (!strcasecmp(argv[0],"tls-prefer-server-ciphers") && argc == 2) {
+            server.tls_ctx_config.prefer_server_ciphers = yesnotoi(argv[1]);
+#endif  /* USE_OPENSSL */
         } else {
             err = "Bad directive or wrong number of arguments"; goto loaderr;
         }
@@ -1268,46 +1277,90 @@ void configSetCommand(client *c) {
       "appendfsync",server.aof_fsync,aof_fsync_enum) {
     } config_set_enum_field(
       "repl-diskless-load",server.repl_diskless_load,repl_diskless_load_enum) {
-
+#ifdef USE_OPENSSL
     /* TLS fields. */
     } config_set_special_field("tls-cert-file") {
-        if (tlsConfigure((char *) o->ptr, server.tls_key_file,
-                    server.tls_dh_params_file, server.tls_ca_cert_file) == C_ERR) {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.cert_file = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
             addReplyError(c,
                     "Unable to configure tls-cert-file. Check server logs.");
             return;
         }
-        zfree(server.tls_cert_file);
-        server.tls_cert_file = zstrdup(o->ptr);
+        zfree(server.tls_ctx_config.cert_file);
+        server.tls_ctx_config.cert_file = zstrdup(o->ptr);
     } config_set_special_field("tls-key-file") {
-        if (tlsConfigure(server.tls_cert_file, (char *) o->ptr,
-                    server.tls_dh_params_file, server.tls_ca_cert_file) == C_ERR) {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.key_file = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
             addReplyError(c,
                     "Unable to configure tls-key-file. Check server logs.");
             return;
         }
-        zfree(server.tls_key_file);
-        server.tls_key_file = zstrdup(o->ptr);
+        zfree(server.tls_ctx_config.key_file);
+        server.tls_ctx_config.key_file = zstrdup(o->ptr);
     } config_set_special_field("tls-dh-params-file") {
-        if (tlsConfigure(server.tls_cert_file, server.tls_key_file,
-                    (char *) o->ptr, server.tls_ca_cert_file) == C_ERR) {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.dh_params_file = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
             addReplyError(c,
                     "Unable to configure tls-dh-params-file. Check server logs.");
             return;
         }
-        zfree(server.tls_dh_params_file);
-        server.tls_dh_params_file = zstrdup(o->ptr);
+        zfree(server.tls_ctx_config.dh_params_file);
+        server.tls_ctx_config.dh_params_file = zstrdup(o->ptr);
     } config_set_special_field("tls-ca-cert-file") {
-        if (tlsConfigure(server.tls_cert_file, server.tls_key_file,
-                    server.tls_dh_params_file, (char *) o->ptr) == C_ERR) {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.ca_cert_file = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
             addReplyError(c,
                     "Unable to configure tls-ca-cert-file. Check server logs.");
             return;
         }
-        zfree(server.tls_ca_cert_file);
-        server.tls_ca_cert_file = zstrdup(o->ptr);
+        zfree(server.tls_ctx_config.ca_cert_file);
+        server.tls_ctx_config.ca_cert_file = zstrdup(o->ptr);
     } config_set_bool_field("tls-auth-clients", server.tls_auth_clients) {
-
+    } config_set_bool_field("tls-replication", server.tls_replication) {
+    } config_set_bool_field("tls-cluster", server.tls_cluster) {
+    } config_set_special_field("tls-protocols") {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.protocols = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
+            addReplyError(c,
+                    "Unable to configure tls-protocols. Check server logs.");
+            return;
+        }
+        zfree(server.tls_ctx_config.protocols);
+        server.tls_ctx_config.protocols = zstrdup(o->ptr);
+    } config_set_special_field("tls-ciphers") {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.ciphers = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
+            addReplyError(c,
+                "Unable to configure tls-ciphers. Check server logs.");
+            return;
+        }
+        zfree(server.tls_ctx_config.ciphers);
+        server.tls_ctx_config.ciphers = zstrdup(o->ptr);
+    } config_set_special_field("tls-ciphersuites") {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.ciphersuites = (char *) o->ptr;
+        if (tlsConfigure(&tmpctx) == C_ERR) {
+            addReplyError(c,
+                "Unable to configure tls-ciphersuites. Check server logs.");
+            return;
+        }
+        zfree(server.tls_ctx_config.ciphersuites);
+        server.tls_ctx_config.ciphersuites = zstrdup(o->ptr);
+    } config_set_special_field("tls-prefer-server-ciphers") {
+        redisTLSContextConfig tmpctx = server.tls_ctx_config;
+        tmpctx.prefer_server_ciphers = yesnotoi(o->ptr);
+        if (tlsConfigure(&tmpctx) == C_ERR) {
+            addReplyError(c, "Unable to reconfigure TLS. Check server logs.");
+            return;
+        }
+        server.tls_ctx_config.prefer_server_ciphers = tmpctx.prefer_server_ciphers;
+#endif  /* USE_OPENSSL */
     /* Everyhing else is an error... */
     } config_set_else {
         addReplyErrorFormat(c,"Unsupported CONFIG parameter: %s",
@@ -1381,10 +1434,15 @@ void configGetCommand(client *c) {
     config_get_string_field("pidfile",server.pidfile);
     config_get_string_field("slave-announce-ip",server.slave_announce_ip);
     config_get_string_field("replica-announce-ip",server.slave_announce_ip);
-    config_get_string_field("tls-cert-file",server.tls_cert_file);
-    config_get_string_field("tls-key-file",server.tls_key_file);
-    config_get_string_field("tls-dh-params-file",server.tls_dh_params_file);
-    config_get_string_field("tls-ca-cert-file",server.tls_ca_cert_file);
+#ifdef USE_OPENSSL
+    config_get_string_field("tls-cert-file",server.tls_ctx_config.cert_file);
+    config_get_string_field("tls-key-file",server.tls_ctx_config.key_file);
+    config_get_string_field("tls-dh-params-file",server.tls_ctx_config.dh_params_file);
+    config_get_string_field("tls-ca-cert-file",server.tls_ctx_config.ca_cert_file);
+    config_get_string_field("tls-protocols",server.tls_ctx_config.protocols);
+    config_get_string_field("tls-ciphers",server.tls_ctx_config.ciphers);
+    config_get_string_field("tls-ciphersuites",server.tls_ctx_config.ciphersuites);
+#endif
 
     /* Numerical values */
     config_get_numerical_field("maxmemory",server.maxmemory);
@@ -1476,7 +1534,8 @@ void configGetCommand(client *c) {
     config_get_bool_field("tls-cluster",server.tls_cluster);
     config_get_bool_field("tls-replication",server.tls_replication);
     config_get_bool_field("tls-auth-clients",server.tls_auth_clients);
-
+    config_get_bool_field("tls-prefer-server-ciphers",
+            server.tls_ctx_config.prefer_server_ciphers);
     /* Enum values */
     config_get_enum_field("maxmemory-policy",
             server.maxmemory_policy,maxmemory_policy_enum);
@@ -1590,6 +1649,7 @@ void configGetCommand(client *c) {
         }
         matches++;
     }
+
     setDeferredMapLen(c,replylen,matches);
 }
 
@@ -2200,9 +2260,6 @@ int rewriteConfig(char *path) {
     rewriteConfigNumericalOption(state,"cluster-announce-port",server.cluster_announce_port,CONFIG_DEFAULT_CLUSTER_ANNOUNCE_PORT);
     rewriteConfigNumericalOption(state,"cluster-announce-bus-port",server.cluster_announce_bus_port,CONFIG_DEFAULT_CLUSTER_ANNOUNCE_BUS_PORT);
     rewriteConfigNumericalOption(state,"tcp-backlog",server.tcp_backlog,CONFIG_DEFAULT_TCP_BACKLOG);
-    rewriteConfigYesNoOption(state,"tls-cluster",server.tls_cluster,0);
-    rewriteConfigYesNoOption(state,"tls-replication",server.tls_replication,0);
-    rewriteConfigYesNoOption(state,"tls-auth-clients",server.tls_auth_clients,1);
     rewriteConfigBindOption(state);
     rewriteConfigStringOption(state,"unixsocket",server.unixsocket,NULL);
     rewriteConfigOctalOption(state,"unixsocketperm",server.unixsocketperm,CONFIG_DEFAULT_UNIX_SOCKET_PERM);
@@ -2282,10 +2339,19 @@ int rewriteConfig(char *path) {
     rewriteConfigEnumOption(state,"supervised",server.supervised_mode,supervised_mode_enum,SUPERVISED_NONE);
     rewriteConfigNumericalOption(state,"rdb-key-save-delay",server.rdb_key_save_delay,CONFIG_DEFAULT_RDB_KEY_SAVE_DELAY);
     rewriteConfigNumericalOption(state,"key-load-delay",server.key_load_delay,CONFIG_DEFAULT_KEY_LOAD_DELAY);
-    rewriteConfigStringOption(state,"tls-cert-file",server.tls_cert_file,NULL);
-    rewriteConfigStringOption(state,"tls-key-file",server.tls_key_file,NULL);
-    rewriteConfigStringOption(state,"tls-dh-params-file",server.tls_dh_params_file,NULL);
-    rewriteConfigStringOption(state,"tls-ca-cert-file",server.tls_ca_cert_file,NULL);
+#ifdef USE_OPENSSL
+    rewriteConfigYesNoOption(state,"tls-cluster",server.tls_cluster,0);
+    rewriteConfigYesNoOption(state,"tls-replication",server.tls_replication,0);
+    rewriteConfigYesNoOption(state,"tls-auth-clients",server.tls_auth_clients,1);
+    rewriteConfigStringOption(state,"tls-cert-file",server.tls_ctx_config.cert_file,NULL);
+    rewriteConfigStringOption(state,"tls-key-file",server.tls_ctx_config.key_file,NULL);
+    rewriteConfigStringOption(state,"tls-dh-params-file",server.tls_ctx_config.dh_params_file,NULL);
+    rewriteConfigStringOption(state,"tls-ca-cert-file",server.tls_ctx_config.ca_cert_file,NULL);
+    rewriteConfigStringOption(state,"tls-protocols",server.tls_ctx_config.protocols,NULL);
+    rewriteConfigStringOption(state,"tls-ciphers",server.tls_ctx_config.ciphers,NULL);
+    rewriteConfigStringOption(state,"tls-ciphersuites",server.tls_ctx_config.ciphersuites,NULL);
+    rewriteConfigYesNoOption(state,"tls-prefer-server-ciphers",server.tls_ctx_config.prefer_server_ciphers,0);
+#endif
 
     /* Rewrite Sentinel config if in Sentinel mode. */
     if (server.sentinel_mode) rewriteConfigSentinelOption(state);

diff --git a/src/replication.c b/src/replication.c
@@ -2023,11 +2023,14 @@ void syncWithMaster(connection *conn) {
     /* Set the slave port, so that Master's INFO command can list the
      * slave listening port correctly. */
     if (server.repl_state == REPL_STATE_SEND_PORT) {
-        sds port = sdsfromlonglong(server.slave_announce_port ?
-            server.slave_announce_port : server.port);
+        int port;
+        if (server.slave_announce_port) port = server.slave_announce_port;
+        else if (server.tls_replication && server.tls_port) port = server.tls_port;
+        else port = server.port;
+        sds portstr = sdsfromlonglong(port);
         err = sendSynchronousCommand(SYNC_CMD_WRITE,conn,"REPLCONF",
-                "listening-port",port, NULL);
-        sdsfree(port);
+                "listening-port",portstr, NULL);
+        sdsfree(portstr);
         if (err) goto write_error;
         sdsfree(err);
         server.repl_state = REPL_STATE_RECEIVE_PORT;