diff --git a/lib/vector-core/src/tls/incoming.rs b/lib/vector-core/src/tls/incoming.rs
index dbd9ea1f58707..264c8c3006fe3 100644
--- a/lib/vector-core/src/tls/incoming.rs
+++ b/lib/vector-core/src/tls/incoming.rs
@@ -29,8 +29,8 @@ use crate::tcp::{self, TcpKeepaliveConfig};
 impl TlsSettings {
 pub fn acceptor(&self) -> crate::tls::Result {
 if self.identity.is_some() {
- let mut acceptor = if self.min_tls_version.is_some() || self.ciphersuites.is_some() {
- SslAcceptor::custom(SslMethod::tls(), &self.min_tls_version, &self.ciphersuites)
+ let mut acceptor = if self.min_tls_version.is_some() || self.ciphersuites.is_some() || self.curves.is_some() {
+ SslAcceptor::custom(SslMethod::tls(), &self.min_tls_version, &self.ciphersuites, &self.curves)
 .map_err(|error_ex| match error_ex {
 ErrorEx::OpenSslError { error_stack: e } => {
 TlsError::CreateAcceptor { source: e }
diff --git a/lib/vector-core/src/tls/mod.rs b/lib/vector-core/src/tls/mod.rs
index e020e17754d67..c389da16aa2b4 100644
--- a/lib/vector-core/src/tls/mod.rs
+++ b/lib/vector-core/src/tls/mod.rs
@@ -185,7 +185,7 @@ pub fn tls_connector_builder(settings: &MaybeTlsSettings) -> Result TlsError::SslBuildError { source: e }, ErrorEx::InvalidTlsVersion => TlsError::InvalidTlsVersion,
diff --git a/lib/vector-core/src/tls/settings.rs b/lib/vector-core/src/tls/settings.rs
index b4a397c363f97..c18abc2715495 100644
--- a/lib/vector-core/src/tls/settings.rs
+++ b/lib/vector-core/src/tls/settings.rs
@@ -163,6 +163,13 @@ pub struct TlsConfig {
 /// TLS ciphersuites to enable.
 pub ciphersuites: Option,
+
+ /// Elliptic curve groups to enable.
+ ///
+ /// Comma-separated list of supported elliptic curve groups (e.g., "P-256", "P-384", "P-521").
+ /// Only available with OpenSSL 1.1.1+, BoringSSL, or LibreSSL 2.5.1+.
+ #[configurable(metadata(docs::examples = "P-256,P-384"))]
+ pub curves: Option,
 }
 impl TlsConfig {
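Review bot: The new `curves` doc does not say how the value is handed to the TLS library: the implementation in patch/openssl/src/ssl/mod.rs only replaces commas with colons, so `P-256, P-384` with spaces would go through verbatim and presumably be rejected, and the listed platforms omit AWS-LC although the cfg gate there includes `awslc`. Suggested additions to the doc comment: `/// Entries are separated by commas with no surrounding whitespace.` and `/// On builds without support for group configuration the setting is not applied.` The `TlsConfig` struct starts before the hunk.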
@@ -187,6 +194,7 @@ pub struct TlsSettings {
 server_name: Option,
 pub min_tls_version: Option,
 pub ciphersuites: Option,
+ pub curves: Option,
 }
 #[derive(Clone)]
@@ -224,6 +232,7 @@ impl TlsSettings {
 server_name: options.server_name.clone(),
 min_tls_version: options.min_tls_version.clone(),
 ciphersuites: options.ciphersuites.clone(),
+ curves: options.curves.clone(),
 })
 }
@@ -889,7 +898,7 @@ mod test {
 },
 ];
 for t in tests {
- match builder.set_min_tls_version_and_ciphersuites(&t.text, &None) {
+ match builder.set_min_tls_version_and_ciphersuites(&t.text, &None, &None) {
 Ok(()) => {
 assert!(t.want.is_ok());
 assert_eq!(builder.min_proto_version(), t.num);
@@ -930,7 +939,7 @@ mod test {
 },
 ];
 for t in tests {
- match builder.set_min_tls_version_and_ciphersuites(&t.min_tls_version, &t.ciphersuite) {
+ match builder.set_min_tls_version_and_ciphersuites(&t.min_tls_version, &t.ciphersuite, &None) {
 Ok(()) => assert!(t.want.is_ok()),
 Err(e) => assert_eq!(t.want.err().unwrap(), e),
 }
diff --git a/patch/openssl/src/ssl/connector.rs b/patch/openssl/src/ssl/connector.rs
index b369563cbfe38..b38b9ef9c8981 100644
--- a/patch/openssl/src/ssl/connector.rs
+++ b/patch/openssl/src/ssl/connector.rs
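Review bot: Neither updated test exercises the new argument: both call sites now pass `&None` for curves, so the comma-to-colon translation and the error path for an unrecognised group name have no coverage. A case passing `&Some("P-256,P-384".to_string())` and expecting `Ok(())`, plus one with an unknown name expecting `Err(ErrorEx::OpenSslError { .. })`, would pin the behaviour; both need the same `cfg(any(ossl111, boringssl, libressl251, awslc))` gate as the implementation, since the setting is a no-op elsewhere. The same gap applies to the hunk at `@@ -889,7 +898,7 @@`; the test functions and their `tests` arrays start outside both hunks.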
@@ -320,14 +320,17 @@ impl SslAcceptor {
 Ok(SslAcceptorBuilder(ctx))
 }
- /// Creates a new builder configured with a minimum supported TLS version and a set of ciphersuites
+ /// Creates a new builder configured with a minimum supported TLS version, ciphersuites, and curves
 ///
- pub fn custom(method: SslMethod, min_tls_version: &Option, ciphersuites: &Option) -> Result {
+ pub fn custom(method: SslMethod, min_tls_version: &Option, ciphersuites: &Option, curves: &Option) -> Result {
 let mut ctx = ctx(method).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
 let dh = Dh::params_from_pem(FFDHE_2048.as_bytes()).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
 ctx.set_tmp_dh(&dh).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
- setup_curves(&mut ctx).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
- ctx.set_min_tls_version_and_ciphersuites(min_tls_version, ciphersuites)?;
+ // Only setup default curves if no custom curves are specified
+ if curves.is_none() {
+ setup_curves(&mut ctx).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
+ }
+ ctx.set_min_tls_version_and_ciphersuites(min_tls_version, ciphersuites, curves)?;
 Ok(SslAcceptorBuilder(ctx))
 }
diff --git a/patch/openssl/src/ssl/mod.rs b/patch/openssl/src/ssl/mod.rs
index 5d3c84489111b..04ebfa4015834 100644
--- a/patch/openssl/src/ssl/mod.rs
+++ b/patch/openssl/src/ssl/mod.rs
@@ -1788,7 +1788,7 @@ impl SslContextBuilder {
 /// Sets the context's minimal TLS version, specified as "VersionTLS1[0..3]", and a comma-separated list of ciphersuites.
 ///
- pub fn set_min_tls_version_and_ciphersuites(&mut self, min_tls_version: &Option, ciphersuites: &Option) -> Result<(), ErrorEx>{
+ pub fn set_min_tls_version_and_ciphersuites(&mut self, min_tls_version: &Option, ciphersuites: &Option, curves: &Option) -> Result<(), ErrorEx>{
 let mut min_proto_version = SslVersion::TLS1;
 if let Some(min_tls_version) = min_tls_version {
 min_proto_version = match min_tls_version.as_str() {
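Review bot: An empty string leaves the acceptor with no group configuration from either path: `Some("")` is not `None`, so the new `if curves.is_none()` guard skips `setup_curves`, while `set_min_tls_version_and_ciphersuites` skips `set_groups_list` for an empty value, so neither the project defaults nor a custom list is applied. Guarding on emptiness rather than presence keeps the defaults whenever no usable list was supplied: `if curves.as_deref().map_or(true, |c| c.trim().is_empty()) {`. The same asymmetry applies to builds where the group-setting code in the next hunk is compiled out, which is worth handling there rather than here. `custom` is shown in full; the enclosing `impl SslAcceptor` continues outside the hunk.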
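Review bot: The doc comment immediately above the changed signature still describes only the minimum TLS version and the ciphersuite list; the new `curves` parameter, its comma-separated format and the fact that it is translated to OpenSSL's colon-separated form are undocumented. Suggested replacement for the first doc line: `/// Sets the context's minimal TLS version, specified as "VersionTLS1[0..3]", a comma-separated list of ciphersuites, and a comma-separated list of elliptic curve groups.` An `# Errors` section naming `ErrorEx::InvalidTlsVersion`, `ErrorEx::InvalidCiphersuite` and `ErrorEx::OpenSslError` would also help callers match on the failure. The function body continues past the end of the hunk.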
@@ -1812,6 +1812,13 @@ impl SslContextBuilder {
 return Err(ErrorEx::InvalidCiphersuite);
 }
 }
+ #[cfg(any(ossl111, boringssl, libressl251, awslc))]
+ if let Some(curves) = curves {
+ if !curves.is_empty() {
+ let curves = &curves.replace(",", ":");
+ self.set_groups_list(&curves).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
+ }
+ }
 Ok(())
 }
 }
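Review bot: On builds outside the `cfg(any(ossl111, boringssl, libressl251, awslc))` gate the added block compiles away entirely, so a configured `curves` value is accepted and silently never applied, and the `curves` parameter becomes an unused-variable warning. Because `SslAcceptor::custom` in connector.rs also skips `setup_curves` whenever `curves` is `Some`, such a build ends up with less group configuration than the operator asked for, which is the wrong direction to fail in; a `#[cfg(not(...))]` branch that returns an error surfaces the misconfiguration at startup instead. Separately, `curves.replace(",", ":")` passes any whitespace around the commas straight through to `set_groups_list`, which would presumably reject `P-256, P-384`, and `let curves = &curves.replace(..)` followed by `&curves` is a double borrow where one will do. Splitting on `,`, trimming each entry and joining with `:` handles both, as sketched below (assuming `curves` is `&Option<String>` like the neighbouring parameters; the generic arguments are not visible here).
```rust
// … unchanged: min TLS version and ciphersuite handling above …
#[cfg(any(ossl111, boringssl, libressl251, awslc))]
if let Some(curves) = curves.as_deref().filter(|c| !c.trim().is_empty()) {
    // OpenSSL expects a colon-separated group list; tolerate spaces around the commas.
    let groups: Vec<&str> = curves.split(',').map(str::trim).collect();
    self.set_groups_list(&groups.join(":")).map_err(|e| ErrorEx::OpenSslError { error_stack: e })?;
}
#[cfg(not(any(ossl111, boringssl, libressl251, awslc)))]
if curves.as_deref().map_or(false, |c| !c.trim().is_empty()) {
    // Group configuration is unavailable on this build: fail loudly rather than silently ignore it.
    return Err(/* ErrorEx variant for unsupported group configuration — to be added */);
}
// … unchanged: Ok(()) …
```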