From ba6a8ef35b95637e49b955bcbf646a31ab00fe3e Mon Sep 17 00:00:00 2001
From: Calle Wilund
Date: Mon, 7 Jan 2019 13:15:13 +0000
Subject: [PATCH] tls: Use a default prio string disabling TLS1.0 forcing min 128bits
Fixes #4010
Unless user sets this explicitly, we should try explicitly avoid deprecated protocol versions. While gnutls should do this for connections initiated thusly, clients such as drivers etc might use obsolete versions.
Message-Id: <20190107131513.30197-1-calle@scylladb.com>
---
 db/config.cc | 2 ++
 db/config.hh | 2 ++
 init.cc | 2 ++
 service/storage_service.cc | 1 +
 4 files changed, 7 insertions(+)
diff --git a/db/config.cc b/db/config.cc
index 74cee32fe3..84df7f3d32 100644
--- a/db/config.cc
+++ b/db/config.cc
@@ -102,6 +102,8 @@ db::config::config()
 db::config::~config() {}
+const sstring db::config::default_tls_priority("SECURE128:-VERS-TLS1.0");
+
 namespace utils {
 template<>
diff --git a/db/config.hh b/db/config.hh
index 3e0b16603f..8b76db0bbc 100644
--- a/db/config.hh
+++ b/db/config.hh
@@ -762,6 +762,8 @@ public:
 add_options(boost::program_options::options_description_easy_init&);
 const db::extensions& extensions() const;
+
+ static const sstring default_tls_priority;
 private:
 template struct log_legacy_value : public named_value {
diff --git a/init.cc b/init.cc
index 8fc0996e3e..cf168b287a 100644
--- a/init.cc
+++ b/init.cc
@@ -105,6 +105,8 @@ void init_ms_fd_gossiper(sharded& features
 creds->set_x509_trust_file(ms_trust_store, x509_crt_format::PEM).get();
 }
+ creds->set_priority_string(db::config::default_tls_priority);
+
 if (!ms_tls_prio.empty()) {
 creds->set_priority_string(ms_tls_prio);
 }
diff --git a/service/storage_service.cc b/service/storage_service.cc
index eedec1293e..637c8d6d83 100644
--- a/service/storage_service.cc
+++ b/service/storage_service.cc
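Review bot: `SECURE128:-VERS-TLS1.0` in the new `default_tls_priority` definition disables only TLS 1.0, so TLS 1.1 stays enabled even though the commit message speaks of deprecated protocol versions in general; if TLS 1.1 is also considered obsolete for the drivers this is meant to protect, the literal should be `"SECURE128:-VERS-TLS1.0:-VERS-TLS1.1"`, and if it is deliberately kept a comment above the definition saying so would stop the question from coming back. What `SECURE128` expands to (cipher suites, groups, remaining protocol versions) is decided by the gnutls version the binary links against, not by this file, so the effective policy can shift on a library upgrade; a short comment noting that dependency would help whoever audits the listener configuration. Being a `const sstring` at namespace scope, the value is (as far as I can tell) dynamically initialised at load, which is fine for the two call sites in this patch because both run after `main` starts, but it must not be read from another static initialiser.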
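Review bot: The new `static const sstring default_tls_priority;` declaration carries no comment, yet it is now the single place where the TLS baseline for both the messaging service and the native transport is defined. Suggest two lines above it: `// Baseline gnutls priority string for every TLS listener (128-bit+ ciphers, TLS 1.0 disabled, see #4010).` and `// Applied before any user-configured priority string; a user value replaces it rather than extending it.` The `public:` section this sits in continues outside the hunk, so make sure the comment lands next to the declaration rather than after the preceding `extensions()` accessor.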
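Review bot: In init.cc the baseline is applied and then, when `ms_tls_prio` is non-empty, `set_priority_string` is called a second time; gnutls priority strings are complete specifications, not overlays, so a configured value such as `NORMAL` silently re-enables TLS 1.0 and the sub-128-bit suites this commit removes, and nothing in the visible code records that the override happened. That is consistent with the commit message, but it should be stated at the new call, `// Baseline policy; a non-empty ms_tls_prio below replaces it wholesale rather than extending it.`, and ideally the override branch should log the effective priority string so an operator can tell which policy is actually in force. The service/storage_service.cc hunk has the same shape with `ceo.at("priority_string")` and would benefit from the same comment and log line. `init_ms_fd_gossiper` both starts and ends outside this hunk, so I cannot see whether `creds` is always constructed on the path that reaches the new call.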
@@ -2166,6 +2166,7 @@ future<> storage_service::start_native_transport() {
 auto cred = std::make_shared();
 cred->set_dh_level(seastar::tls::dh_params::level::MEDIUM);
+ cred->set_priority_string(db::config::default_tls_priority);
 if (ceo.count("priority_string")) {
 cred->set_priority_string(ceo.at("priority_string"));