commit 8694b9a6823612bef50d0ad514aba1a7594ab2a8
author Emeric Brun <ebrun@exceliance.fr> Fri Oct 05 14:39:07 2012 +0200
committer Willy Tarreau <w@1wt.eu> Fri Oct 05 22:05:04 2012 +0200
tree 65ad2a3b98db0271c18c6c769802ee970d962d5e
parent 2cb7ae53029a7045b200043549bf58e4da3fe422

MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server

These options force the SSL lib to use the specified protocol when
connecting to a server. They are complentary to no-tlsv*/no-sslv3.

src/cfgparse.c

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 9b1ac46..88c6300 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4138,6 +4138,64 @@
 				newsrv->fastinter = val;
 				cur_arg += 2;
 			}
+			else if (!strcmp(args[cur_arg], "force-sslv3")) {
+#ifdef USE_OPENSSL
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_SSLV3;
+				cur_arg += 1;
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv10")) {
+#ifdef USE_OPENSSL
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV10;
+				cur_arg += 1;
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv11")) {
+#ifdef USE_OPENSSL
+#if SSL_OP_NO_TLSv1_1
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV11;
+				cur_arg += 1;
+#else
+				Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.1.\n",
+                                      file, linenum, args[cur_arg]);
+                                err_code |= ERR_ALERT | ERR_FATAL;
+                                goto out;
+#endif
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv12")) {
+#ifdef USE_OPENSSL
+#if SSL_OP_NO_TLSv1_2
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV12;
+				cur_arg += 1;
+#else
+				Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.2.\n",
+                                      file, linenum, args[cur_arg]);
+                                err_code |= ERR_ALERT | ERR_FATAL;
+                                goto out;
+#endif
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
 			else if (!strcmp(args[cur_arg], "downinter")) {
 				const char *err = parse_time_err(args[cur_arg + 1], &val, TIME_UNIT_MS);
 				if (err) {
@@ -6368,6 +6426,19 @@
 					ssloptions |= SSL_OP_NO_TLSv1_1;
 				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
 					ssloptions |= SSL_OP_NO_TLSv1_2;
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, SSLv3_client_method());
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_client_method());
+#if SSL_OP_NO_TLSv1_1
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_1_client_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_2_client_method());
+#endif
+
 				SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 				SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
 				SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);