MINOR: ssl: remove duplicate ssl_methods in struct bind_conf
Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list"
introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now
ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch
remove the duplicate structure to avoid any confusion.
diff --git a/include/types/listener.h b/include/types/listener.h
index 064c040..f04a8ea 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -140,7 +140,6 @@
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
int ssl_options; /* ssl options */
- struct tls_version_filter ssl_methods; /* ssl methods */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 36f8cc2..de1dd9a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2129,15 +2129,11 @@
node = node_ecdsa ? node_ecdsa : (node_rsa ? node_rsa : node_anonymous);
if (node) {
- int min, max;
/* switch ctx */
+ struct ssl_bind_conf *conf = container_of(node, struct sni_ctx, name)->conf;
ssl_sock_switchctx_set(ctx->ssl, container_of(node, struct sni_ctx, name)->ctx);
- min = container_of(node, struct sni_ctx, name)->conf->ssl_methods.min;
- if (min != s->ssl_methods.min)
- methodVersions[min].ssl_set_version(ctx->ssl, SET_MIN);
- max = container_of(node, struct sni_ctx, name)->conf->ssl_methods.max;
- if (max != s->ssl_methods.max)
- methodVersions[max].ssl_set_version(ctx->ssl, SET_MAX);
+ methodVersions[conf->ssl_methods.min].ssl_set_version(ctx->ssl, SET_MIN);
+ methodVersions[conf->ssl_methods.max].ssl_set_version(ctx->ssl, SET_MAX);
return 1;
}
if (!s->strict_sni) {
@@ -3552,7 +3548,7 @@
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS |
SSL_MODE_SMALL_BUFFERS;
- struct tls_version_filter *conf_ssl_methods = &bind_conf->ssl_methods;
+ struct tls_version_filter *conf_ssl_methods = &bind_conf->ssl_conf.ssl_methods;
int i, min, max, hole;
int flags = MC_SSL_O_ALL;
int cfgerr = 0;
@@ -3666,8 +3662,8 @@
int flags = MC_SSL_O_ALL;
/* Real min and max should be determinate with configuration and openssl's capabilities */
- min = conf_ssl_methods->min ? conf_ssl_methods->min : bind_conf->ssl_methods.min;
- max = conf_ssl_methods->max ? conf_ssl_methods->max : bind_conf->ssl_methods.max;
+ min = conf_ssl_methods->min ? conf_ssl_methods->min : bind_conf->ssl_conf.ssl_methods.min;
+ max = conf_ssl_methods->max ? conf_ssl_methods->max : bind_conf->ssl_conf.ssl_methods.max;
if (min)
flags |= (methodVersions[min].flag - 1);
if (max)
@@ -6739,7 +6735,7 @@
static int bind_parse_tls_method_options(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- return parse_tls_method_options(args[cur_arg], &conf->ssl_methods, err);
+ return parse_tls_method_options(args[cur_arg], &conf->ssl_conf.ssl_methods, err);
}
static int srv_parse_tls_method_options(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
@@ -6787,7 +6783,7 @@
static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
+ return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
}
static int srv_parse_tls_method_minmax(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
@@ -6923,11 +6919,11 @@
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
conf->ssl_options |= global_ssl.listen_default_ssloptions;
- conf->ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
- if (!conf->ssl_methods.min)
- conf->ssl_methods.min = global_ssl.listen_default_sslmethods.min;
- if (!conf->ssl_methods.max)
- conf->ssl_methods.max = global_ssl.listen_default_sslmethods.max;
+ conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
+ if (!conf->ssl_conf.ssl_methods.min)
+ conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min;
+ if (!conf->ssl_conf.ssl_methods.max)
+ conf->ssl_conf.ssl_methods.max = global_ssl.listen_default_sslmethods.max;
return 0;
}