1 2 /** 3 * Copyright (C) 2018-present MongoDB, Inc. 4 * 5 * This program is free software: you can redistribute it and/or modify 6 * it under the terms of the Server Side Public License, version 1, 7 * as published by MongoDB, Inc. 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * Server Side Public License for more details. 13 * 14 * You should have received a copy of the Server Side Public License 15 * along with this program. If not, see 16 * <http://www.mongodb.com/licensing/server-side-public-license>. 17 * 18 * As a special exception, the copyright holders give permission to link the 19 * code of portions of this program with the OpenSSL library under certain 20 * conditions as described in each individual source file and distribute 21 * linked combinations including the program with the OpenSSL library. You 22 * must comply with the Server Side Public License in all respects for 23 * all of the code used other than as permitted herein. If you modify file(s) 24 * with this exception, you may extend this exception to your version of the 25 * file(s), but you are not obligated to do so. If you do not wish to do so, 26 * delete this exception statement from your version. If you delete this 27 * exception statement from all source files in the program, then also delete 28 * it in the license file. 29 */ 30 31 #pragma once 32 33 #include "mongo/util/net/ssl_manager.h" 34 35 #include <boost/optional.hpp> 36 #include <map> 37 #include <set> 38 #include <vector> 39 40 #include "mongo/base/status.h" 41 #include "mongo/crypto/sha256_block.h" 42 #include "mongo/db/auth/role_name.h" 43 44 namespace mongo { 45 46 namespace optionenvironment { 47 class OptionSection; 48 class Environment; 49 } // namespace optionenvironment 50 51 struct SSLParams { 52 using TLSCATrusts = std::map<SHA256Block, std::set<RoleName>>; 53 54 enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 }; 55 AtomicInt32 sslMode; // --sslMode - the TLS operation mode, see enum SSLModes 56 std::string sslPEMTempDHParam; // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file 57 // with DH parameters. 58 std::string sslPEMKeyFile; // --sslPEMKeyFile 59 std::string sslPEMKeyPassword; // --sslPEMKeyPassword 60 std::string sslClusterFile; // --sslInternalKeyFile 61 std::string sslClusterPassword; // --sslInternalKeyPassword 62 std::string sslCAFile; // --sslCAFile 63 std::string sslClusterCAFile; // --sslClusterCAFile 64 std::string sslCRLFile; // --sslCRLFile 65 std::string sslCipherConfig; // --sslCipherConfig 66 67 boost::optional<TLSCATrusts> tlsCATrusts; // --setParameter tlsCATrusts 68 69 std::vector<Protocols> sslDisabledProtocols; // --sslDisabledProtocols 70 std::vector<Protocols> tlsLogVersions; // --tlsLogVersion 71 bool sslWeakCertificateValidation = false; // --sslWeakCertificateValidation 72 bool sslFIPSMode = false; // --sslFIPSMode 73 bool sslAllowInvalidCertificates = false; // --sslAllowInvalidCertificates 74 bool sslAllowInvalidHostnames = false; // --sslAllowInvalidHostnames 75 bool disableNonSSLConnectionLogging = 76 false; // --setParameter disableNonSSLConnectionLogging=true 77 bool suppressNoTLSPeerCertificateWarning = 78 false; // --setParameter suppressNoTLSPeerCertificateWarning 79 bool tlsWithholdClientCertificate = false; // --setParameter tlsWithholdClientCertificate 80 SSLParamsSSLParams81 SSLParams() { 82 sslMode.store(SSLMode_disabled); 83 } 84 85 enum SSLModes { 86 /** 87 * Make unencrypted outgoing connections and do not accept incoming SSL-connections. 88 */ 89 SSLMode_disabled, 90 91 /** 92 * Make unencrypted outgoing connections and accept both unencrypted and SSL-connections. 93 */ 94 SSLMode_allowSSL, 95 96 /** 97 * Make outgoing SSL-connections and accept both unecrypted and SSL-connections. 98 */ 99 SSLMode_preferSSL, 100 101 /** 102 * Make outgoing SSL-connections and only accept incoming SSL-connections. 103 */ 104 SSLMode_requireSSL 105 }; 106 }; 107 108 extern SSLParams sslGlobalParams; 109 110 Status addSSLServerOptions(mongo::optionenvironment::OptionSection* options); 111 112 Status addSSLClientOptions(mongo::optionenvironment::OptionSection* options); 113 114 Status storeSSLServerOptions(const mongo::optionenvironment::Environment& params); 115 116 /** 117 * Canonicalize SSL options for the given environment that have different representations with 118 * the same logical meaning. 119 */ 120 Status canonicalizeSSLServerOptions(mongo::optionenvironment::Environment* params); 121 122 Status validateSSLServerOptions(const mongo::optionenvironment::Environment& params); 123 124 Status storeSSLClientOptions(const mongo::optionenvironment::Environment& params); 125 } // namespace mongo 126