MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
Plan is to add min-tlsxx/max-tlsxx configuration, which is more consistent than no-tlsxx.
This patch introduces internal min/max and replaces the force-tlsxx implementation.
SSL method configuration is stored in 'struct tls_version_filter'.
The mapping from SSL method configuration to OpenSSL settings is abstracted in the 'methodVersions' table.
With OpenSSL < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max).
With OpenSSL >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
diff --git a/include/types/listener.h b/include/types/listener.h
index 8aae395..93f3662 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -27,6 +27,7 @@
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
+#include <types/ssl_sock.h>
#endif
#include <common/config.h>
@@ -101,18 +102,7 @@
*/
#ifdef USE_OPENSSL
-/* bind_conf ssl options */
#define BC_SSL_O_NONE 0x0000
-#define BC_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
-#define BC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
-#define BC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
-#define BC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
-/* 0x000F reserved for 'no' protocol version options */
-#define BC_SSL_O_USE_SSLV3 0x0010 /* force SSLv3 */
-#define BC_SSL_O_USE_TLSV10 0x0020 /* force TLSv10 */
-#define BC_SSL_O_USE_TLSV11 0x0040 /* force TLSv11 */
-#define BC_SSL_O_USE_TLSV12 0x0080 /* force TLSv12 */
-/* 0x00F0 reserved for 'force' protocol version options */
#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define BC_SSL_O_PREF_CLIE_CIPH 0x0200 /* prefer client ciphers */
#endif
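Review bot: The `/* bind_conf ssl options */` header comment is dropped together with the version bits, while the server-side counterpart in types/server.h keeps its `/* server ssl options */` header, so the two option blocks end up documented inconsistently. The deleted `/* 0x000F reserved ... */` and `/* 0x00F0 reserved ... */` lines were also the only record of the low-byte layout, and the new side now jumps from `BC_SSL_O_NONE` straight to `0x0100` with nothing saying the gap is intentional. I would keep a one-line header that records where the bits went, `/* bind_conf ssl options; protocol version selection moved to bind_conf.ssl_methods, 0x00FF free */`, so the next flag added does not look like it is colliding with a reserved range. The remaining BC_SSL_O_* values themselves are unchanged by this hunk.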
@@ -148,6 +138,7 @@
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
int ssl_options; /* ssl options */
+ struct tls_version_filter ssl_methods; /* ssl methods */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
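Review bot: The new `ssl_methods` member is documented only as `/* ssl methods */`, which says nothing about how `min`/`max` are encoded or what a zero-initialized filter means, and `struct tls_version_filter` (defined in this same patch) also carries a `flags` field whose relationship to the neighbouring `ssl_options` is left undocumented, so a reader cannot tell which of the two is authoritative for a given option. I would write the comment as `/* min/max TLS version filter; presumably indexes into methodVersions, 0 = no bound -- confirm */` and state where `flags` is consumed, or drop `flags` if `ssl_options` already covers it. Worth recording for the migration that a min/max range cannot express the old `no-tlsv11`-style hole between two enabled versions, so a configuration that relied on that should be rejected or explicitly documented as unsupported. `struct bind_conf` begins and ends outside this hunk.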
diff --git a/include/types/server.h b/include/types/server.h
index 83b1e80..bf4eae1 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -27,6 +27,7 @@
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
+#include <types/ssl_sock.h>
#endif
#include <common/config.h>
@@ -161,18 +162,6 @@
#ifdef USE_OPENSSL
/* server ssl options */
#define SRV_SSL_O_NONE 0x0000
-#define SRV_SSL_O_NO_VMASK 0x000F /* force version mask */
-#define SRV_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
-#define SRV_SSL_O_NO_TLSV10 0x0002 /* disable TLSv1.0 */
-#define SRV_SSL_O_NO_TLSV11 0x0004 /* disable TLSv1.1 */
-#define SRV_SSL_O_NO_TLSV12 0x0008 /* disable TLSv1.2 */
-/* 0x000F reserved for 'no' protocol version options */
-#define SRV_SSL_O_USE_VMASK 0x00F0 /* force version mask */
-#define SRV_SSL_O_USE_SSLV3 0x0010 /* force SSLv3 */
-#define SRV_SSL_O_USE_TLSV10 0x0020 /* force TLSv1.0 */
-#define SRV_SSL_O_USE_TLSV11 0x0040 /* force TLSv1.1 */
-#define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */
-/* 0x00F0 reserved for 'force' protocol version options */
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */
#endif
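Review bot: After this hunk `SRV_SSL_O_NONE` is followed directly by `SRV_SSL_O_NO_TLS_TICKETS` at `0x0100`, and with the `SRV_SSL_O_NO_VMASK`/`SRV_SSL_O_USE_VMASK` masks and their `/* ... reserved ... */` notes removed there is no longer anything saying the `0x00FF` range is deliberately free rather than an accidental hole. A one-line comment in their place, `/* 0x00FF free: protocol version selection moved to srv->ssl_ctx.methods */`, keeps later flag additions from guessing. Any remaining `options & SRV_SSL_O_USE_VMASK` style test elsewhere in the tree will now fail to compile, which is the desired outcome, but it is worth confirming no site still masks the low byte numerically.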
@@ -281,6 +270,7 @@
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
int options; /* ssl options */
+ struct tls_version_filter methods; /* ssl methods */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
char *verify_host; /* hostname of certificate must match this host */
char *ca_file; /* CAfile to use on verify */
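Review bot: `methods` is placed right after `options` with only `/* ssl methods */` as documentation, and since this patch strips the version bits out of `options`, nothing at the declaration tells a reader that version selection is now exclusively in `methods` while `int options` historically carried the SRV_SSL_O_USE_*/NO_* bits. On the security side, if a zero `min` is interpreted as "no lower bound" on the OpenSSL >= 1.1.0 path, a server entry with no explicit minimum would accept whatever floor the library build allows, so the effective default floor should be stated where the field is declared, e.g. `/* min/max protocol version; version selection no longer uses options bits, default floor = <value> */`. The enclosing struct starts and ends outside this hunk.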
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index e3a85ca..ecdad46 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -22,7 +22,6 @@
#ifndef _TYPES_SSL_SOCK_H
#define _TYPES_SSL_SOCK_H
-#include <types/listener.h>
#include <openssl/ssl.h>
#include <ebmbtree.h>
@@ -35,6 +34,12 @@
struct ebmb_node name; /* node holding the servername value */
};
+struct tls_version_filter {
+ uint16_t flags; /* ssl options */
+ uint8_t min; /* min TLS version */
+ uint8_t max; /* max TLS version */
+};
+
extern struct list tlskeys_reference;
struct tls_sess_key {