MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
This patch introduces internal min/max and replaces the force-tlsxx implementation.
SSL method configuration is stored in 'struct tls_version_filter'.
The mapping from SSL method configuration to openssl settings is abstracted in the 'methodVersions' table.
With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max).
With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
diff --git a/include/types/server.h b/include/types/server.h
index 83b1e80..bf4eae1 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -27,6 +27,7 @@
#ifdef USE_OPENSSL
#include <openssl/ssl.h>
+#include <types/ssl_sock.h>
#endif
#include <common/config.h>
@@ -161,18 +162,6 @@
#ifdef USE_OPENSSL
/* server ssl options */
#define SRV_SSL_O_NONE 0x0000
-#define SRV_SSL_O_NO_VMASK 0x000F /* force version mask */
-#define SRV_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
-#define SRV_SSL_O_NO_TLSV10 0x0002 /* disable TLSv1.0 */
-#define SRV_SSL_O_NO_TLSV11 0x0004 /* disable TLSv1.1 */
-#define SRV_SSL_O_NO_TLSV12 0x0008 /* disable TLSv1.2 */
-/* 0x000F reserved for 'no' protocol version options */
-#define SRV_SSL_O_USE_VMASK 0x00F0 /* force version mask */
-#define SRV_SSL_O_USE_SSLV3 0x0010 /* force SSLv3 */
-#define SRV_SSL_O_USE_TLSV10 0x0020 /* force TLSv1.0 */
-#define SRV_SSL_O_USE_TLSV11 0x0040 /* force TLSv1.1 */
-#define SRV_SSL_O_USE_TLSV12 0x0080 /* force TLSv1.2 */
-/* 0x00F0 reserved for 'force' protocol version options */
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */
#endif
@@ -281,6 +270,7 @@
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
int options; /* ssl options */
+ struct tls_version_filter methods; /* ssl methods */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
char *verify_host; /* hostname of certificate must match this host */
char *ca_file; /* CAfile to use on verify */
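Review bot: The comment on the new `methods` field, `/* ssl methods */`, no longer describes what it holds now that the `SRV_SSL_O_NO_*`/`SRV_SSL_O_USE_*` flags are removed; suggest `struct tls_version_filter methods; /* min/max TLS protocol version filter, see types/ssl_sock.h */`. Because the field is embedded by value rather than by pointer, the complete definition of `struct tls_version_filter` must be visible in this header, which is what the `#include <types/ssl_sock.h>` added in the first hunk provides; a forward declaration would not suffice. Presumably a zero-filled `methods` (a server that never sets a version option) must be interpreted as "no restriction", since that is what the removed zero-valued flags meant; worth confirming against the filter's definition and the code that applies it. The enclosing struct begins outside this hunk.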