Attempt to configure/reconfigure TLS. This operation is atomic and will * leave the SSL_CTX unchanged if fails. */
| 314 | * leave the SSL_CTX unchanged if fails. |
| 315 | */ |
| 316 | int tlsConfigure(redisTLSContextConfig *ctx_config) { |
| 317 | char errbuf[256]; |
| 318 | SSL_CTX *ctx = NULL; |
| 319 | SSL_CTX *client_ctx = NULL; |
| 320 | int protocols; |
| 321 | |
| 322 | if (!ctx_config->cert_file) { |
| 323 | serverLog(LL_WARNING, "No tls-cert-file configured!"); |
| 324 | goto error; |
| 325 | } |
| 326 | |
| 327 | if (!ctx_config->key_file) { |
| 328 | serverLog(LL_WARNING, "No tls-key-file configured!"); |
| 329 | goto error; |
| 330 | } |
| 331 | |
| 332 | if (((g_pserver->tls_auth_clients != TLS_CLIENT_AUTH_NO) || g_pserver->tls_cluster || g_pserver->tls_replication) && |
| 333 | !ctx_config->ca_cert_file && !ctx_config->ca_cert_dir) { |
| 334 | serverLog(LL_WARNING, "Either tls-ca-cert-file or tls-ca-cert-dir must be specified when tls-cluster, tls-replication or tls-auth-clients are enabled!"); |
| 335 | goto error; |
| 336 | } |
| 337 | |
| 338 | /* Update the last modified times for the TLS elements */ |
| 339 | ctx_config->key_file_last_modified = getLastModifiedTime(ctx_config->key_file); |
| 340 | ctx_config->cert_file_last_modified = getLastModifiedTime(ctx_config->cert_file); |
| 341 | ctx_config->client_cert_file_last_modified = getLastModifiedTime(ctx_config->client_cert_file); |
| 342 | ctx_config->client_key_file_last_modified = getLastModifiedTime(ctx_config->client_key_file); |
| 343 | ctx_config->ca_cert_dir_last_modified = getLastModifiedTime(ctx_config->ca_cert_dir); |
| 344 | ctx_config->ca_cert_file_last_modified = getLastModifiedTime(ctx_config->ca_cert_file); |
| 345 | |
| 346 | protocols = parseProtocolsConfig(ctx_config->protocols); |
| 347 | if (protocols == -1) goto error; |
| 348 | |
| 349 | /* Create server side/generla context */ |
| 350 | ctx = createSSLContext(ctx_config, protocols, 0); |
| 351 | if (!ctx) goto error; |
| 352 | |
| 353 | if (ctx_config->session_caching) { |
| 354 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); |
| 355 | SSL_CTX_sess_set_cache_size(ctx, ctx_config->session_cache_size); |
| 356 | SSL_CTX_set_timeout(ctx, ctx_config->session_cache_timeout); |
| 357 | SSL_CTX_set_session_id_context(ctx, (const unsigned char *) "KeyDB", 5); |
| 358 | } else { |
| 359 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
| 360 | } |
| 361 | |
| 362 | #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
| 363 | SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
| 364 | #endif |
| 365 | |
| 366 | if (ctx_config->prefer_server_ciphers) |
| 367 | SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
| 368 | |
| 369 | #if ((OPENSSL_VERSION_NUMBER < 0x30000000L) && defined(SSL_CTX_set_ecdh_auto)) |
| 370 | SSL_CTX_set_ecdh_auto(ctx, 1); |
| 371 | #endif |
| 372 | SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); |
| 373 |
no test coverage detected