CP-12512 A switch to set stunnel protocol version

Before this change, when we wrote client-mode configuration for stunnel
we did not specify SSL/TLS version or ciphersuites, so it was using
defaults (e.g. SSLv3 for stunnel 4.15, TLSv1.0 for stunnel 4.56)

Now we specify these things: TLSv1.2 protocol and TLSv1.2 ciphersuites
are specified, or if the legacy flag is set, we allow all TLS protocol
versions (but not SSL) and we add the ciphersuites that were accepted
for incoming connections in older XenServer versions (6.5 and earlier).

Signed-off-by: Thomas Sanders <thomas.sanders@citrix.com>

Author: thomassa

stunnel/stunnel.ml

@@ -13,6 +13,9 @@
  *)
 (* Copyright (C) 2007 XenSource Inc *)
 
+module D=Debug.Make(struct let name="stunnel" end)
+open D
+
 open Printf
 open Pervasiveext
 open Xstringext
@@ -33,6 +36,11 @@ let stunnel_logger = ref ignore
 
 let timeoutidle = ref None
 
+let legacy_protocol_and_ciphersuites_allowed = ref true
+
+let is_legacy_protocol_and_ciphersuites_allowed () =
+	!legacy_protocol_and_ciphersuites_allowed
+
 let init_stunnel_path () =
 	try cached_stunnel_path := Some (Unix.getenv "XE_STUNNEL")
 	with Not_found ->
@@ -116,32 +124,56 @@ type t = { mutable pid: pid; fd: Unix.file_descr; host: string; port: int;
 	   unique_id: int option;
 	   mutable logfile: string;
 	   verified: bool;
+	   legacy: bool;
 	 }
 
-let config_file verify_cert extended_diagnosis host port = 
-	let lines = ["client=yes"; "foreground=yes"; "socket = r:TCP_NODELAY=1"; "socket = r:SO_KEEPALIVE=1"; "socket = a:SO_KEEPALIVE=1";
-							 (match !timeoutidle with None -> "" | Some x -> Printf.sprintf "TIMEOUTidle = %d" x);
-							 Printf.sprintf "connect=%s:%d" host port] @
-    (if extended_diagnosis then
-       ["debug=4"]
-     else
-       []) @
-    (if verify_cert then
-       ["verify=2";
-        sprintf "CApath=%s" certificate_path;
-        sprintf "CRLpath=%s" crl_path]
-     else
-       [])
+let config_file verify_cert extended_diagnosis host port legacy =
+
+    let good_ciphers = "!EXPORT:TLSv1.2" in
+    let back_compat_ciphers = "RSA+AES256-SHA:RSA+AES128-SHA:RSA+RC4-SHA:RSA+RC4-MD5:RSA+DES-CBC3-SHA" in
+
+	let lines = [
+		"client=yes"; "foreground=yes"; "socket = r:TCP_NODELAY=1"; "socket = r:SO_KEEPALIVE=1"; "socket = a:SO_KEEPALIVE=1";
+		(match !timeoutidle with None -> "" | Some x -> Printf.sprintf "TIMEOUTidle = %d" x);
+		Printf.sprintf "connect=%s:%d" host port;
+		"fips = no"; (* stunnel fips-mode stops us using sslVersion other than TLSv1 which means 1.0 only. *)
+	] @	(if extended_diagnosis then
+			["debug=4"]
+		else
+			[]
+	) @ (
+		if verify_cert then
+			["verify=2";
+			sprintf "CApath=%s" certificate_path;
+			sprintf "CRLpath=%s" crl_path]
+		else
+			[]
+	) @ (
+		if legacy then [
+			"sslVersion = all";
+			"options = NO_SSLv2";
+			"options = NO_SSLv3";
+			"ciphers = " ^ good_ciphers ^ ":" ^ back_compat_ciphers;
+		] else [
+			"sslVersion = TLSv1.2";
+			"ciphers = " ^ good_ciphers;
+		]
+	)
   in
     String.concat "" (List.map (fun x -> x ^ "\n") lines)
 
+let set_legacy_protocol_and_ciphersuites_allowed b =
+	legacy_protocol_and_ciphersuites_allowed := b;
+	info "legacy-config %B; example: %s" b
+		(String.escaped (config_file false false "dummyhost" 443 b))
+
 let ignore_exn f x = try f x with _ -> ()
 
-let rec disconnect ?(wait = true) ?(force = false) x = 
+let rec disconnect ?(wait = true) ?(force = false) x =
   List.iter (ignore_exn Unix.close) [ x.fd ];
 
   let do_disc waiter pid =
-    let res = 
+    let res =
       try waiter ()
       with Unix.Unix_error (Unix.ECHILD, _, _) -> pid, Unix.WEXITED 0 in
     match res with
@@ -151,18 +183,24 @@ let rec disconnect ?(wait = true) ?(force = false) x =
         disconnect ~wait:wait ~force:force x
     | _ -> ()
   in
+  let verbose = x.legacy && not (!legacy_protocol_and_ciphersuites_allowed) in
   match x.pid with
-    | FEFork pid -> do_disc
-        (fun () -> 
-           (if wait then Forkhelpers.waitpid 
-            else Forkhelpers.waitpid_nohang) pid)
-        (Forkhelpers.getpid pid)
-    | StdFork pid -> do_disc
-        (fun () -> 
-           (if wait then Unix.waitpid [] 
-            else Unix.waitpid [Unix.WNOHANG]) pid)
-        pid
-    | Nopid -> ()
+    | FEFork fpid ->
+        let pid_int = Forkhelpers.getpid fpid in
+        if verbose then info "Disconnecting FEFork %d" pid_int;
+        do_disc
+          (fun () ->
+             (if wait then Forkhelpers.waitpid 
+              else Forkhelpers.waitpid_nohang) fpid)
+          pid_int
+    | StdFork pid ->
+        if verbose then info "Disconnecting StdFork %d" pid;
+        do_disc
+          (fun () ->
+             (if wait then Unix.waitpid []
+              else Unix.waitpid [Unix.WNOHANG]) pid)
+          pid
+    | Nopid -> if verbose then info "Disconnecting Nopid"
 
 (* With some probability, stunnel fails during its startup code before it reads
    the config data from us. Therefore we get a SIGPIPE writing the config data.
@@ -192,10 +230,13 @@ let attempt_one_connect ?unique_id ?(use_fork_exec_helper = true)
       ["-fd"; if use_fork_exec_helper then config_out_uuid else config_out_fd]
     end in
   let data_out,data_in = Unix.socketpair Unix.PF_UNIX Unix.SOCK_STREAM 0 in
+  (* Dereference just once to ensure we are consistent in t and config_file *)
+  let legacy = !legacy_protocol_and_ciphersuites_allowed in
   let t = 
     { pid = Nopid; fd = data_out; host = host; port = port; 
       connected_time = Unix.gettimeofday (); unique_id = unique_id; 
-      logfile = ""; verified = verify_cert } in
+      logfile = ""; verified = verify_cert;
+	  legacy = legacy } in
   let result = Forkhelpers.with_logfile_fd "stunnel"
     ~delete:(not extended_diagnosis)
     (fun logfd ->
@@ -221,7 +262,7 @@ let attempt_one_connect ?unique_id ?(use_fork_exec_helper = true)
 	       (fun () ->
             match config_in with
             | Some fd -> begin
-	              let config = config_file verify_cert extended_diagnosis host port in
+	              let config = config_file verify_cert extended_diagnosis host port legacy in
 	              (* Catch the occasional initialisation failure of stunnel: *)
 	              try
 	                let n = Unix.write fd config 0 (String.length config) in

stunnel/stunnel.mli

@@ -37,6 +37,7 @@ type t = { mutable pid: pid;
 	   unique_id: int option;
 	   mutable logfile: string;
 	   verified: bool;
+	   legacy: bool;
 	 }
 
 (** Connects via stunnel (optionally via an external 'fork/exec' helper) to
@@ -60,3 +61,7 @@ val diagnose_failure : t -> unit
 val test : string -> int -> unit
 
 val must_verify_cert : bool option -> bool
+
+val set_legacy_protocol_and_ciphersuites_allowed : bool -> unit
+
+val is_legacy_protocol_and_ciphersuites_allowed : unit -> bool

stunnel/stunnel_cache.ml

@@ -78,19 +78,22 @@ let unlocked_gc () =
   let all_ids = Hashtbl.fold (fun k _ acc -> k :: acc) !stunnels [] in
 
   let to_gc = ref [] in
-  (* Find the ones which are too old *)
+  (* Find the ones which are too old or have unwanted legacy config *)
   let now = Unix.gettimeofday () in
   Hashtbl.iter
     (fun idx stunnel ->
        let time = Hashtbl.find !times idx in
        let idle = now -. time in
        let age = now -. stunnel.Stunnel.connected_time in
-       if age > max_age then begin
-	 debug "Expiring stunnel id %s; age (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_age;
-	 to_gc := idx :: !to_gc
+       if stunnel.Stunnel.legacy && not (Stunnel.is_legacy_protocol_and_ciphersuites_allowed ()) then (
+         info "Expiring stunnel id %s because it is legacy-mode." (id_of_stunnel stunnel);
+         to_gc := idx :: !to_gc
+       ) else if age > max_age then begin
+         debug "Expiring stunnel id %s; age (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_age;
+         to_gc := idx :: !to_gc
        end else if idle > max_idle then begin
-	 debug "Expiring stunnel id %s; idle (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_idle;
-	 to_gc := idx :: !to_gc
+         debug "Expiring stunnel id %s; idle (%.2f) > limit (%.2f)" (id_of_stunnel stunnel) age max_idle;
+         to_gc := idx :: !to_gc
        end) !stunnels;
   let num_remaining = List.length all_ids - (List.length !to_gc) in
   if num_remaining > max_stunnel then begin
@@ -132,27 +135,32 @@ let gc () = Mutex.execute m unlocked_gc
 
 let counter = ref 0
 
-let add (x: Stunnel.t) = 
-  let now = Unix.gettimeofday () in
-  Mutex.execute m
-    (fun () ->
-       let idx = !counter in
-       incr counter;
-       Hashtbl.add !times idx now;
-       Hashtbl.add !stunnels idx x;
-       let ep = { host = x.Stunnel.host; port = x.Stunnel.port; verified = x.Stunnel.verified } in
-       let existing = 
-	 if Hashtbl.mem !index ep
-	 then Hashtbl.find !index ep
-	 else [] in
-       Hashtbl.replace !index ep (idx :: existing);
-       debug "Adding stunnel id %s (idle %.2f) to the cache"
-	     (id_of_stunnel x) 0.;
-       unlocked_gc ()
-    )
-  
+let add (x: Stunnel.t) =
+	if x.Stunnel.legacy && not (Stunnel.is_legacy_protocol_and_ciphersuites_allowed ()) then (
+		info "Legacy-protocol stunnel (id=%s) not allowed in cache: disconnecting." (id_of_stunnel x);
+		Stunnel.disconnect ~force:true x
+	) else (
+		let now = Unix.gettimeofday () in
+		Mutex.execute m (fun () ->
+			let idx = !counter in
+			incr counter;
+			Hashtbl.add !times idx now;
+			Hashtbl.add !stunnels idx x;
+			let ep = { host = x.Stunnel.host; port = x.Stunnel.port; verified = x.Stunnel.verified } in
+			let existing =
+				if Hashtbl.mem !index ep
+				then Hashtbl.find !index ep
+				else [] in
+			Hashtbl.replace !index ep (idx :: existing);
+			debug "Adding stunnel id %s (idle %.2f) to the cache"
+				(id_of_stunnel x) 0.;
+			unlocked_gc ()
+		)
+	)
+
 (** Returns an Stunnel.t for this endpoint (oldest first), raising Not_found
-    if none can be found *)
+    if none can be found. First performs a garbage-collection, which discards
+    legacy-config and expired stunnels if needed. *)
 let remove host port verified =
   let ep = { host = host; port = port; verified = verified } in
   Mutex.execute m
@@ -179,7 +187,7 @@ let remove host port verified =
 let flush () =
   Mutex.execute m 
     (fun () ->
-      info "Flushing cache";
+      info "Flushing cache of all %d stunnels." (Hashtbl.length !stunnels);
       Hashtbl.iter (fun id st -> Stunnel.disconnect st) !stunnels;
       Hashtbl.clear !stunnels;
       Hashtbl.clear !times;
@@ -191,6 +199,5 @@ let connect ?use_fork_exec_helper ?write_to_log host port verify_cert =
   try
     remove host port verify_cert
   with Not_found ->
-    error "Failed to find stunnel in cache for endpoint %s:%d" host port;
+    info "connect did not find cached stunnel for endpoint %s:%d" host port;
     Stunnel.connect ?use_fork_exec_helper ?write_to_log ~verify_cert host port
-