Merge pull request #654 from zowe/zss-tls1.3

allowing disable of TLSv1.3
zowe · Oct 16, 2023 · d83a479 · d83a479
2 parents b423393 + 61baa0b
commit d83a479
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 7 deletions.
diff --git a/bin/start.sh b/bin/start.sh
@@ -173,7 +173,12 @@ if [[ "${OSNAME}" == "OS/390" ]]; then
   else
     ZSS_SERVER="${ZSS_SERVER_31}"
   fi
-
+
+  if [ "$ZWE_components_zss_agent_https_trace" = "true" ] && [ "$ZWES_LOG_FILE" != "/dev/null" ]; then
+    export GSK_TRACE_FILE="${ZWES_LOG_FILE}.tlstrace"
+    export GSK_TRACE=0xFF
+  fi
+
   if [ "$ZWES_LOG_FILE" = "/dev/null" ]; then
     _BPX_SHAREAS=NO _BPX_JOBNAME=${ZWE_zowe_job_prefix}SZ ${ZSS_SERVER} --schemas "${ZWES_SCHEMA_PATHS}" --configs "${ZWES_CONFIG}" 2>&1
   else

diff --git a/c/zss.c b/c/zss.c
@@ -113,17 +113,20 @@ static int traceLevel = 0;
   TLS_SECP521R1                 \
   TLS_X25519
 
-#define DEFAULT_TLS_CIPHERS               \
-  TLS_AES_256_GCM_SHA384                  \
-  TLS_AES_128_GCM_SHA256                  \
-  TLS_CHACHA20_POLY1305_SHA256            \
+#define DEFAULT_TLS_CIPHERS_V12           \
   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     \
   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     \
   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   \
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 
+#define DEFAULT_TLS_CIPHERS_V13           \
+  TLS_AES_256_GCM_SHA384                  \
+  TLS_AES_128_GCM_SHA256                  \
+  TLS_CHACHA20_POLY1305_SHA256            \
+  DEFAULT_TLS_CIPHERS_V12
+
 #define LOGGING_COMPONENT_PREFIX "_zss."
 
 static int stringEndsWith(char *s, char *suffix);
@@ -1157,14 +1160,23 @@ static bool readAgentHttpsSettingsV2(ShortLivedHeap *slh,
   }
   JsonObject *httpsConfigObject = jsonAsObject(httpsConfig);
   TlsSettings *settings = (TlsSettings*)SLHAlloc(slh, sizeof(*settings));
+  settings->maxTls = jsonObjectGetString(httpsConfigObject, "maxTls");
   char *ciphers = jsonObjectGetString(httpsConfigObject, "ciphers");
   /* 
    * Takes a string of ciphers. This isn't ideal, but any other methods are
    * going to be fairly complicated.
    *
    * ciphers: 13021303003500380039002F00320033
    */
-  settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS;
+  ECVT *ecvt = getECVT();
+  /*
+     2.3 (1020300) no tls 1.3
+  */
+  if ((ecvt->ecvtpseq > 0x1020300) && (settings->maxTls == NULL || !strcmp(settings->maxTls, "TLSv1.3"))) {
+    settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V13;
+  } else {
+    settings->ciphers = ciphers ? ciphers : DEFAULT_TLS_CIPHERS_V12;
+  }
   /* 
    * Takes a string of keyshares. This isn't ideal, but any other methods are
    * going to be fairly complicated.

diff --git a/deps/zowe-common-c b/deps/zowe-common-c
diff --git a/schemas/zss-config.json b/schemas/zss-config.json
@@ -106,6 +106,11 @@
               "$ref": "#/$defs/ipsAndHostnames",
               "default": [ "0.0.0.0" ]
             },
+            "trace": {
+              "type": "boolean",
+              "description": "Enables TLS tracing to diagnose connection issues. Output will be within the zowe log directory.",
+              "default": false
+            },
             "label": {
               "type": [ "string", "null" ],
               "description": "The label (aka alias), identifying the server's certificate in the key store"
@@ -125,6 +130,12 @@
             "keyshares": {
               "type": [ "string", "null" ],
               "description": "The list of key shares in order of priority"
+            },
+            "maxTls": {
+              "type": [ "string", "null" ],
+              "enum": ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
+              "default": "TLSv1.3",
+              "description": "Maximum tls version allowed."
             }
           }
         },