Add support for probabilistically choosing server ciphers

Summary:Since SSLContextManager sets SSL_OP_CIPHER_SERVER_PREFERENCE on the SSL_CTX when it creates contexts, we may be unable to accommodate any clients who prefer a different ciphersuite. Having differently weighted cipher preference lists allows SSLContext to set a list with a different most-preferred cipher for some fraction of new handshakes. Note: resumption will work with the previously negotiated ciphersuite even if the server doesn't explicitly prefer/support it anymore, provided the cipher is supported in OpenSSL. Reviewed By: knekritz Differential Revision: D3050496 fb-gh-sync-id: 1c3b77ce3af87f939f8b8c6fe72b6a64eeaeeeb4 shipit-source-id: 1c3b77ce3af87f939f8b8c6fe72b6a64eeaeeeb4
kufan · Mar 21, 2016 · 12ceee6 · 12ceee6
1 parent 2b3ccc3
commit 12ceee6
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/wangle/ssl/SSLContextConfig.h b/wangle/ssl/SSLContextConfig.h
@@ -92,6 +92,8 @@ struct SSLContextConfig {
   std::string eccCurveName{"prime256v1"};
   // Ciphers to negotiate if TLS version >= 1.1
   std::string tls11Ciphers{""};
+  // Knobs to tune ciphersuite picking probability for TLS >= 1.1
+  std::vector<std::pair<std::string, int>> tls11AltCipherlist;
   // Weighted lists of NPN strings to advertise
   std::list<folly::SSLContext::NextProtocolsItem>
       nextProtocols;

diff --git a/wangle/ssl/SSLContextManager.cpp b/wangle/ssl/SSLContextManager.cpp
@@ -492,15 +492,20 @@ SSLContextManager::ctxSetupByOpensslFeature(
 #endif
 
   // Specify cipher(s) to be used for TLS1.1 client
-  if (!ctxConfig.tls11Ciphers.empty()) {
+  if (!ctxConfig.tls11Ciphers.empty() ||
+      !ctxConfig.tls11AltCipherlist.empty()) {
 #ifdef PROXYGEN_HAVE_SERVERNAMECALLBACK
     // Specified TLS1.1 ciphers are valid
+    // XXX: this callback will be called for every new (TLS 1.1 or greater)
+    // handshake, so it relies on ctxConfig.tls11Ciphers and
+    // ctxConfig.tls11AltCipherlist not changing.
     sslCtx->addClientHelloCallback(
       std::bind(
         &SSLContext::switchCiphersIfTLS11,
         sslCtx.get(),
         std::placeholders::_1,
-        ctxConfig.tls11Ciphers
+        ctxConfig.tls11Ciphers,
+        ctxConfig.tls11AltCipherlist
       )
     );
 #else