BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
In bug #676, it was reported that ssl-min-ver SSLv3 does not work in
Amazon environments with OpenSSL 1.0.2.
The reason for this is a patch of Amazon OpenSSL which sets
SSL_OP_NO_SSLv3 in SSL_CTX_new(). Which is kind of a problem with our
implementation of ssl-{min,max}-ver in old openSSL versions, because it
does not try to clear existing version flags.
This patch fixes the bug by cleaning versions flags known by HAProxy in
the SSL_CTX before applying the right ones.
Should be backported as far as 1.8.
(cherry picked from commit d0712f3873546a0c24f3204ad75dd7eacd689602)
[wla: context edit]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
(cherry picked from commit 4356453a4300435a3fea6cbb5bf424e0b6540468)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3dbab2b..4b74c78 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3997,9 +3997,15 @@
if (min == max)
methodVersions[min].ctx_set_version(ctx, SET_SERVER);
else
- for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
+ for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
+ /* clear every version flags in case SSL_CTX_new()
+ * returns an SSL_CTX with disabled versions */
+ SSL_CTX_clear_options(ctx, methodVersions[i].option);
+
if (flags & methodVersions[i].flag)
options |= methodVersions[i].option;
+
+ }
#else /* openssl >= 1.1.0 */
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
methodVersions[min].ctx_set_version(ctx, SET_MIN);