Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 5db33cbdc4f2952cbd3c140edce0eda84e1447b4^! / . / include / types / server.h
commit5db33cbdc4f2952cbd3c140edce0eda84e1447b4[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Thu Mar 30 19:19:37 2017 +0200
committerWilly Tarreau <w@1wt.eu>Fri May 12 15:49:04 2017 +0200
tree50643d03ca78f30b9655250efffc8fc67f14bae7
parent6cb2d1e9638f22f080d1391e6bb8260b6a0b1f95 [diff] [blame]
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx

Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
This patch introduce internal min/max and replace force-tlsxx implementation.
SSL method configuration is store in 'struct tls_version_filter'.
SSL method configuration to openssl setting is abstract in 'methodVersions' table.
With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max).
With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.

diff --git a/include/types/server.h b/include/types/server.h
index 83b1e80..bf4eae1 100644
--- a/include/types/server.h
+++ b/include/types/server.h

@@ -27,6 +27,7 @@
 
 #ifdef USE_OPENSSL
 #include <openssl/ssl.h>
+#include <types/ssl_sock.h>
 #endif
 
 #include <common/config.h>
@@ -161,18 +162,6 @@
 #ifdef USE_OPENSSL
 /* server ssl options */
 #define SRV_SSL_O_NONE         0x0000
-#define SRV_SSL_O_NO_VMASK     0x000F /* force version mask */
-#define SRV_SSL_O_NO_SSLV3     0x0001 /* disable SSLv3 */
-#define SRV_SSL_O_NO_TLSV10    0x0002 /* disable TLSv1.0 */
-#define SRV_SSL_O_NO_TLSV11    0x0004 /* disable TLSv1.1 */
-#define SRV_SSL_O_NO_TLSV12    0x0008 /* disable TLSv1.2 */
-/* 0x000F reserved for 'no' protocol version options */
-#define SRV_SSL_O_USE_VMASK    0x00F0 /* force version mask */
-#define SRV_SSL_O_USE_SSLV3    0x0010 /* force SSLv3 */
-#define SRV_SSL_O_USE_TLSV10   0x0020 /* force TLSv1.0 */
-#define SRV_SSL_O_USE_TLSV11   0x0040 /* force TLSv1.1 */
-#define SRV_SSL_O_USE_TLSV12   0x0080 /* force TLSv1.2 */
-/* 0x00F0 reserved for 'force' protocol version options */
 #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #define SRV_SSL_O_NO_REUSE     0x200  /* disable session reuse */
 #endif
@@ -281,6 +270,7 @@
 		SSL_SESSION *reused_sess;
 		char *ciphers;			/* cipher suite to use if non-null */
 		int options;			/* ssl options */
+		struct tls_version_filter methods;	/* ssl methods */
 		int verify;			/* verify method (set of SSL_VERIFY_* flags) */
 		char *verify_host;              /* hostname of certificate must match this host */
 		char *ca_file;			/* CAfile to use on verify */