MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c

commit: 94324a4c878a1ec49af4a6e229019e8a6ac69b78 [log] [tgz]
author: Emeric Brun <ebrun@exceliance.fr> Thu Oct 11 14:00:19 2012 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Oct 12 11:37:36 2012 +0200
tree: 96089d5e7a7455489afe734a4a6f90d26a7a6a69
parent: 992adc9210c7667bfa5985c1ba0cb93c7687db61 [diff]
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index e504853..8246b35 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h

@@ -33,6 +33,7 @@
 int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy *proxy);
 void ssl_sock_free_certs(struct bind_conf *bind_conf);
 int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px);
+int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *px);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 
 #endif /* _PROTO_SSL_SOCK_H */

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6e96898..3c77eed 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c

@@ -6258,82 +6258,10 @@
 			}
 
 #ifdef USE_OPENSSL
-#ifndef SSL_OP_NO_COMPRESSION     /* needs OpenSSL >= 0.9.9 */
-#define SSL_OP_NO_COMPRESSION 0
-#endif
-#ifndef SSL_MODE_RELEASE_BUFFERS  /* needs OpenSSL >= 1.0.0 */
-#define SSL_MODE_RELEASE_BUFFERS 0
-#endif
-#ifndef SSL_OP_NO_COMPRESSION     /* needs OpenSSL >= 0.9.9 */
-#define SSL_OP_NO_COMPRESSION 0
-#endif
-#ifndef SSL_OP_NO_TLSv1_1         /* needs OpenSSL >= 1.0.1 */
-#define SSL_OP_NO_TLSv1_1 0
-#endif
-#ifndef SSL_OP_NO_TLSv1_2         /* needs OpenSSL >= 1.0.1 */
-#define SSL_OP_NO_TLSv1_2 0
-#endif
-			if (newsrv->use_ssl || newsrv->check.use_ssl) {
-				int ssloptions =
-					SSL_OP_ALL | /* all known workarounds for bugs */
-					SSL_OP_NO_SSLv2 |
-					SSL_OP_NO_COMPRESSION;
-				int sslmode =
-					SSL_MODE_ENABLE_PARTIAL_WRITE |
-					SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
-					SSL_MODE_RELEASE_BUFFERS;
-
-				/* Initiate SSL context for current server */
-				newsrv->ssl_ctx.reused_sess = NULL;
-				if (newsrv->use_ssl)
-					newsrv->xprt = &ssl_sock;
-				if (newsrv->check.use_ssl)
-					newsrv->check.xprt = &ssl_sock;
-				newsrv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
-				if(!newsrv->ssl_ctx.ctx) {
-
-					Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
-						proxy_type_str(curproxy), curproxy->id,
-						newsrv->id);
-						cfgerr++;
-						goto next_srv;
-				}
-
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
-					ssloptions |= SSL_OP_NO_SSLv3;
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
-					ssloptions |= SSL_OP_NO_TLSv1;
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
-					ssloptions |= SSL_OP_NO_TLSv1_1;
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
-					ssloptions |= SSL_OP_NO_TLSv1_2;
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
-					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, SSLv3_client_method());
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
-					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_client_method());
-#if SSL_OP_NO_TLSv1_1
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
-					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_1_client_method());
-#endif
-#if SSL_OP_NO_TLSv1_2
-				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
-					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_2_client_method());
-#endif
-
-				SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
-				SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
-				SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
-				SSL_CTX_set_session_cache_mode(newsrv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
-				if (newsrv->ssl_ctx.ciphers &&
-				    !SSL_CTX_set_cipher_list(newsrv->ssl_ctx.ctx, newsrv->ssl_ctx.ciphers)) {
-					Alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
-					      curproxy->id, newsrv->id,
-					      newsrv->conf.file, newsrv->conf.line, newsrv->ssl_ctx.ciphers);
-					cfgerr++;
-					goto next_srv;
-				}
-			}
+			if (newsrv->use_ssl || newsrv->check.use_ssl)
+				cfgerr += ssl_sock_prepare_srv_ctx(newsrv, curproxy);
 #endif /* USE_OPENSSL */
+
 			if (newsrv->trackit) {
 				struct proxy *px;
 				struct server *srv;

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 994b6f7..72eb883 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -67,6 +67,7 @@
 #include <proto/listener.h>
 #include <proto/server.h>
 #include <proto/log.h>
+#include <proto/proxy.h>
 #include <proto/shctx.h>
 #include <proto/ssl_sock.h>
 #include <proto/task.h>
@@ -572,6 +573,72 @@
 	return cfgerr;
 }
 
+/* prepare ssl context from servers options. Returns an error count */
+int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
+{
+	int cfgerr = 0;
+	int options =
+		SSL_OP_ALL | /* all known workarounds for bugs */
+		SSL_OP_NO_SSLv2 |
+		SSL_OP_NO_COMPRESSION;
+	int mode =
+		SSL_MODE_ENABLE_PARTIAL_WRITE |
+		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+		SSL_MODE_RELEASE_BUFFERS;
+
+	 /* Initiate SSL context for current server */
+	srv->ssl_ctx.reused_sess = NULL;
+	if (srv->use_ssl)
+		srv->xprt = &ssl_sock;
+	if (srv->check.use_ssl)
+		srv->check.xprt = &ssl_sock;
+
+	srv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method());
+	if (!srv->ssl_ctx.ctx) {
+		Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
+		      proxy_type_str(curproxy), curproxy->id,
+		      srv->id);
+		cfgerr++;
+		return cfgerr;
+	}
+
+
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
+		options |= SSL_OP_NO_SSLv3;
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
+		options |= SSL_OP_NO_TLSv1;
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
+		options |= SSL_OP_NO_TLSv1_1;
+	if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
+		options |= SSL_OP_NO_TLSv1_2;
+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
+		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
+#if SSL_OP_NO_TLSv1_1
+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
+		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_1_client_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+	if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
+		SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_2_client_method());
+#endif
+
+	SSL_CTX_set_options(srv->ssl_ctx.ctx, options);
+	SSL_CTX_set_mode(srv->ssl_ctx.ctx, mode);
+	SSL_CTX_set_verify(srv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
+	SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
+	if (srv->ssl_ctx.ciphers &&
+		!SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {
+		Alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
+		      curproxy->id, srv->id,
+		      srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
+		cfgerr++;
+	}
+
+	return cfgerr;
+}
+
 /* Walks down the two trees in bind_conf and prepares all certs. The pointer may
  * be NULL, in which case nothing is done. Returns the number of errors
  * encountered.
commit	94324a4c878a1ec49af4a6e229019e8a6ac69b78	[log] [tgz]
author	Emeric Brun <ebrun@exceliance.fr>	Thu Oct 11 14:00:19 2012 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Oct 12 11:37:36 2012 +0200
tree	96089d5e7a7455489afe734a4a6f90d26a7a6a69
parent	992adc9210c7667bfa5985c1ba0cb93c7687db61 [diff]