MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx.
min-tlsxx and max-tlsxx can be overwrite on local definition. This directives
should be the only ones needed in default-server.
To simplify next patches (rework of tls versions settings with min/max) all
ssl/tls version settings relative to default-server are reverted first:
remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'.
remove from default-server: 'no-sslv3', 'no-tls*'.
Note:
. force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server.
. no-tlsxx is keep for compatibility: should not be propagated to default-server.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index fea06cb..68cffd4 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10949,22 +10949,30 @@
This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for
high connection rates. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
id <value>
Set a persistent ID for the server. This ID must be positive and unique for
@@ -11091,34 +11099,6 @@
It may also be used as "default-server" setting to reset any previous
"default-server" "check-ssl" setting.
-no-force-sslv3
- This option may be used as "server" setting to reset any "force-sslv3"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-sslv3" setting.
-
-no-force-tlsv10
- This option may be used as "server" setting to reset any "force-tlsv10"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv10" setting.
-
-no-force-tlsv11
- This option may be used as "server" setting to reset any "force-tlsv11"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv11" setting.
-
-no-force-tlsv12
- This option may be used as "server" setting to reset any "force-tlsv12"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv12" setting.
-
no-send-proxy
This option may be used as "server" setting to reset any "send-proxy"
setting which would have been inherited from "default-server" directive as
@@ -11165,6 +11145,8 @@
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. See also "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
@@ -11181,6 +11163,8 @@
option is also available on global statement "ssl-default-server-options".
See also "tlsv10", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tlsv11
This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
@@ -11189,6 +11173,8 @@
option is also available on global statement "ssl-default-server-options".
See also "tlsv11", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tlsv12
This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
@@ -11197,6 +11183,8 @@
option is also available on global statement "ssl-default-server-options".
See also "tlsv12", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-verifyhost
This option may be used as "server" setting to reset any "verifyhost"
setting which would have been inherited from "default-server" directive as
@@ -11435,13 +11423,6 @@
See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
SSL health checks.
-sslv3
- This option may be used as "server" setting to reset any "no-sslv3"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-sslv3" setting.
-
ssl-reuse
This option may be used as "server" setting to reset any "no-ssl-reuse"
setting which would have been inherited from "default-server" directive as
@@ -11478,27 +11459,6 @@
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
used, it has to be enabled on both proxies.
-tlsv10
- This option may be used as "server" setting to reset any "no-tlsv10"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv10" setting.
-
-tlsv11
- This option may be used as "server" setting to reset any "no-tlsv11"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv11" setting.
-
-tlsv12
- This option may be used as "server" setting to reset any "no-tlsv12"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv12" setting.
-
tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index acb7d28..a0f21cf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6597,52 +6597,6 @@
return 0;
}
-/* parse the "no-force-sslv3" server keyword */
-static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#ifndef OPENSSL_NO_SSL3
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv10" server keyword */
-static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10;
- return 0;
-}
-
-/* parse the "no-force-tlsv11" server keyword */
-static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_1
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv12" server keyword */
-static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_2
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
/* parse the "no-send-proxy-v2-ssl" server keyword */
static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@@ -6765,34 +6719,6 @@
return 0;
}
-/* parse the "sslv3" server keyword */
-static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
- return 0;
-}
-
-/* parse the "tlsv10" server keyword */
-static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
- return 0;
-}
-
-/* parse the "tlsv11" server keyword */
-static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
- return 0;
-}
-
-/* parse the "tlsv12" server keyword */
-static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
- return 0;
-}
-
/* parse the "tls-tickets" server keyword */
static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@@ -7538,28 +7464,20 @@
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 1 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 1 }, /* force TLSv12 */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
- { "no-force-sslv3", srv_parse_no_force_sslv3, 0, 1 }, /* do not force SSLv3 */
- { "no-force-tlsv10", srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
- { "no-force-tlsv11", srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
- { "no-force-tlsv12", srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
{ "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
- { "no-sslv3", srv_parse_no_sslv3, 0, 1 }, /* disable SSLv3 */
- { "no-tlsv10", srv_parse_no_tlsv10, 0, 1 }, /* disable TLSv10 */
- { "no-tlsv11", srv_parse_no_tlsv11, 0, 1 }, /* disable TLSv11 */
- { "no-tlsv12", srv_parse_no_tlsv12, 0, 1 }, /* disable TLSv12 */
+ { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
+ { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
+ { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
+ { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */
{ "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */
{ "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */
{ "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
- { "sslv3", srv_parse_sslv3, 0, 1 }, /* enable SSLv3 */
- { "tlsv10", srv_parse_tlsv10, 0, 1 }, /* enable TLSv10 */
- { "tlsv11", srv_parse_tlsv11, 0, 1 }, /* enable TLSv11 */
- { "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */
{ "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
{ "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
{ "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */