lib/gelf/transport/tcp_tls.rb in gelf-3.0.0 vs lib/gelf/transport/tcp_tls.rb in gelf-3.1.0.pre.rc.1

- old
+ new

@@ -4,33 +4,43 @@ module Transport
 # Provides encryption capabilities for TCP connections
 class TCPTLS < TCP
 # Supported tls_options:
 # 'no_default_ca' [Boolean] prevents OpenSSL from using the systems CA store.
- # 'tls_version' [Symbol] any of :TLSv1, :TLSv1_1, :TLSv1_2 (default)
+ # 'version' [Symbol] any of :TLSv1, :TLSv1_1, :TLSv1_2 (default)
+ # 'ca' [String] the path to a custom CA store
 # 'cert' [String, IO] the client certificate file
 # 'key' [String, IO] the key for the client certificate
 # 'all_ciphers' [Boolean] allows any ciphers to be used, may be insecure
+ # 'rescue_ssl_errors' [Boolean] similar to rescue_network_errors in notifier.rb, allows SSL exceptions to be raised
+ # 'no_verify' [Boolean] disable peer verification
+
+ attr_accessor :rescue_ssl_errors
+
 def initialize(addresses, tls_options={})
 @tls_options = tls_options
+ @rescue_ssl_errors = @tls_options['rescue_ssl_errors']
+ @rescue_ssl_errors if @rescue_ssl_errors.nil?
 super(addresses)
 end
 protected
 def write_socket(socket, message)
 super(socket, message)
 rescue OpenSSL::SSL::SSLError
 socket.close unless socket.closed?
+ raise unless rescue_ssl_errors
 false
 end
 def connect(host, port)
 plain_socket = super(host, port)
 start_tls(plain_socket)
 rescue OpenSSL::SSL::SSLError
 plain_socket.close unless plain_socket.closed?
+ raise unless rescue_ssl_errors
 nil
 end
 # Initiates TLS communication on the socket
 def start_tls(plain_socket)
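Review bot: The added line `@rescue_ssl_errors if @rescue_ssl_errors.nil?` in `initialize` is a no-op — it evaluates the ivar and discards the result — so a caller who omits the option keeps `rescue_ssl_errors` as nil and both new `raise unless rescue_ssl_errors` clauses re-raise, which silently changes the 3.0.0 behaviour where `write_socket` and `connect` swallowed the SSLError and returned `false`/`nil`. If a default was intended, make it explicit and document it in the option comment, e.g. `@rescue_ssl_errors = true if @rescue_ssl_errors.nil?` (or `false` if failing loudly by default is the goal). The new `'no_verify'` comment should carry the same caveat the `'all_ciphers'` line already has: `# 'no_verify' [Boolean] disable peer verification, insecure: the server identity is not checked`. The comment rename from `'tls_version'` to `'version'` suggests the key read in `start_tls` changed as well; `start_tls` begins at the end of this hunk and its body is outside it, so a note on whether the old key is still honoured would help anyone upgrading.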
@@ -72,20 +82,15 @@
 else
 data
 end
 end
- # These are A-level ciphers as reported from Graylog 2.0.1
- # which were also available on Ruby using OpenSSL 1.0.2h
- # A lot of AES-128-CBC based ciphers were not available
- SECURE_CIPHERS = %w(
- AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-GCM-SHA256
- ).freeze
+ # Ciphers have to come from the CipherString class, specifically the _TXT_ constants here - https://github.com/jruby/jruby-openssl/blob/master/src/main/java/org/jruby/ext/openssl/CipherStrings.java#L47-L178
 def restrict_ciphers(ctx)
- ctx.ciphers = SECURE_CIPHERS
+ # This CipherString is will allow a variety of 'currently' cryptographically secure ciphers,
+ # while also retaining a broad level of compatibility
+ ctx.ciphers = "TLSv1_2:TLSv1_1:TLSv1:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA:!3DES"
 end
 def verify_mode
 @tls_options['no_verify'] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
 end
@@ -101,11 +106,23 @@
 end
 end
 def ssl_cert_store
 OpenSSL::X509::Store.new.tap do |store|
- # TODO: allow passing in expected server certificate and disabling system CAs
- store.set_default_paths
+ unless @tls_options['no_default_ca']
+ store.set_default_paths
+ end
+
+ if @tls_options.key?('ca')
+ ca = @tls_options['ca']
+ if File.directory?(ca)
+ store.add_path(@tls_options['ca'])
+ elsif File.file?(ca)
+ store.add_file(ca)
+ else
+ $stderr.puts "No directory or file: #{ca}"
+ end
+ end
 end
 end
 end
 end
 end
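Review bot: In `restrict_ciphers` the new cipher string replaces a three-entry AEAD allow-list with an exclusion list, so everything OpenSSL files under the three version selectors and not explicitly negated — CBC suites and plain RSA key exchange without forward secrecy among them — is now accepted; if broader compatibility is the goal, an allow-list prefix such as `ECDHE+AESGCM:DHE+AESGCM` ahead of the `!` exclusions keeps the property the removed `SECURE_CIPHERS` had. The comment ties the spelling to JRuby's CipherStrings table, but this class also runs on MRI, whose OpenSSL binding spells the selectors `TLSv1.2`/`TLSv1.1`; I would expect the underscore forms to be ignored there, leaving only `TLSv1` to select from, so reading back `ctx.ciphers` after the assignment on both runtimes is worth doing before release. `!3DES` is listed twice, and `!ECDSA` would leave no common suite with a server that presents an ECDSA certificate, which looks unintended. Keeping the policy in a frozen constant as before (`SECURE_CIPHERS = '...'.freeze` then `ctx.ciphers = SECURE_CIPHERS`) avoids allocating the string on every call and keeps it greppable; the comment typo `is will allow` should go too.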
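Review bot: In `ssl_cert_store`, a `'ca'` value that is neither a file nor a directory only prints to `$stderr` and execution continues, so when `'no_default_ca'` is also set the store ends up empty and every connection fails peer verification far from the real cause; an unusable CA path is a configuration error and should be raised instead: `raise ArgumentError, "No directory or file: #{ca}"`. The directory branch passes `@tls_options['ca']` while the file branch uses the local `ca`; use `ca` in both so the value tested is the value loaded. `add_path` only locates certificates in a directory laid out with hash-named files (the layout `c_rehash` produces), which the `'ca'` option comment should say, e.g. `# 'ca' [String] path to a CA bundle file, or to a c_rehash-style directory`.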