MINOR: server: Make 'default-server' support 'no-ssl*' and 'no-tlsv*' keywords.
This patch makes 'default-server' directive support 'no-sslv3' (resp. 'no-ssl-reuse',
'no-tlsv10', 'no-tlsv11', 'no-tlsv12', and 'no-tls-tickets') setting.
New keywords 'sslv3' (resp. 'ssl-reuse', 'tlsv10', 'tlsv11', 'tlsv12', and
'tls-no-tickets') have been added to disable these settings both in 'server' and
'default-server' directives.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2e7ae4b..2066e30 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6692,6 +6692,48 @@
return 0;
}
+/* parse the "ssl-reuse" server keyword */
+static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_REUSE;
+ return 0;
+}
+
+/* parse the "sslv3" server keyword */
+static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
+ return 0;
+}
+
+/* parse the "tlsv10" server keyword */
+static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
+ return 0;
+}
+
+/* parse the "tlsv11" server keyword */
+static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
+ return 0;
+}
+
+/* parse the "tlsv12" server keyword */
+static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
+ return 0;
+}
+
+/* parse the "tls-tickets" server keyword */
+static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLS_TICKETS;
+ return 0;
+}
+
/* parse the "verify" server keyword */
static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@@ -7430,16 +7472,22 @@
{ "no-force-tlsv10", srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
{ "no-force-tlsv11", srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
{ "no-force-tlsv12", srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
- { "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 0 }, /* disable session reuse */
- { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
- { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
- { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
- { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
- { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 0 }, /* disable session resumption tickets */
+ { "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
+ { "no-sslv3", srv_parse_no_sslv3, 0, 1 }, /* disable SSLv3 */
+ { "no-tlsv10", srv_parse_no_tlsv10, 0, 1 }, /* disable TLSv10 */
+ { "no-tlsv11", srv_parse_no_tlsv11, 0, 1 }, /* disable TLSv11 */
+ { "no-tlsv12", srv_parse_no_tlsv12, 0, 1 }, /* disable TLSv12 */
+ { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 0 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 0 }, /* send PROXY protocol header v2 with CN */
{ "sni", srv_parse_sni, 1, 0 }, /* send SNI extension */
{ "ssl", srv_parse_ssl, 0, 0 }, /* enable SSL processing */
+ { "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
+ { "sslv3", srv_parse_sslv3, 0, 1 }, /* enable SSLv3 */
+ { "tlsv10", srv_parse_tlsv10, 0, 1 }, /* enable TLSv10 */
+ { "tlsv11", srv_parse_tlsv11, 0, 1 }, /* enable TLSv11 */
+ { "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */
+ { "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
{ "verify", srv_parse_verify, 1, 0 }, /* set SSL verify method */
{ "verifyhost", srv_parse_verifyhost, 1, 0 }, /* require that SSL cert verifies for hostname */
{ NULL, NULL, 0, 0 },