MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
These were really neither easy to read nor to write, and would become confusing
with the next ones to be added.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 60e2477..66ce224 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6907,7 +6907,7 @@
it may make sense to use a positive value for an SMTP socket and a negative
one for an RDP socket.
-nosslv3
+no-sslv3
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
@@ -6919,19 +6919,19 @@
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage.
-notlsv10
+no-tlsv10
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv10 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
be enabled using any configuration option.
-notlsv11
+no-tlsv11
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv11 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
be enabled using any configuration option.
-notlsv12
+no-tlsv12
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv12 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
@@ -7192,14 +7192,14 @@
Supported in default-server: Yes
-nosslv3
+no-sslv3
This option disables support for SSLv3 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option.
Supported in default-server: No
-notlsv10
+no-tlsv10
This option disables support for TLSv10 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
@@ -7207,7 +7207,7 @@
Supported in default-server: No
-notlsv11
+no-tlsv11
This option disables support for TLSv11 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
@@ -7215,7 +7215,7 @@
Supported in default-server: No
-notlsv12
+no-tlsv12
This option disables support for TLSv12 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
diff --git a/include/types/listener.h b/include/types/listener.h
index 2f0f34d..53f9016 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -104,10 +104,10 @@
char *crlfile; /* CRLfile to use on verify */
char *ecdhe; /* named curve to use for ECDHE */
int no_tls_tickets; /* disable session resumption tickets */
- int nosslv3; /* disable SSLv3 */
- int notlsv10; /* disable TLSv1.0 */
- int notlsv11; /* disable TLSv1.1 */
- int notlsv12; /* disable TLSv1.2 */
+ int no_sslv3; /* disable SSLv3 */
+ int no_tlsv10; /* disable TLSv1.0 */
+ int no_tlsv11; /* disable TLSv1.1 */
+ int no_tlsv12; /* disable TLSv1.2 */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
diff --git a/include/types/server.h b/include/types/server.h
index acfdeaf..a3156e4 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -178,10 +178,10 @@
SSL_CTX *ctx;
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
- int nosslv3; /* disable SSLv3 */
- int notlsv10; /* disable TLSv1.0 */
- int notlsv11; /* disable TLSv1.1 */
- int notlsv12; /* disable TLSv1.2 */
+ int no_sslv3; /* disable SSLv3 */
+ int no_tlsv10; /* disable TLSv1.0 */
+ int no_tlsv11; /* disable TLSv1.1 */
+ int no_tlsv12; /* disable TLSv1.2 */
} ssl_ctx;
#endif
struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index ed3157b..151bda4 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4293,9 +4293,9 @@
goto out;
#endif
}
- else if (!strcmp(args[cur_arg], "nosslv3")) {
+ else if (!strcmp(args[cur_arg], "no-sslv3")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.nosslv3 = 1;
+ newsrv->ssl_ctx.no_sslv3 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
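Review bot: The server keyword match on the new line accepts only the new spelling `"no-sslv3"`, so an existing configuration that still says `nosslv3` no longer reaches this branch and is presumably rejected as an unknown keyword further down the chain, which is outside the hunk. Failing hard at parse time is the right outcome for a keyword that disables a weak protocol version, since a silently ignored option would leave SSLv3 or the old TLS versions enabled without any signal to the operator, but the commit message should state that old spellings are no longer accepted, or the old names should be kept as deprecated aliases for a release. The cheapest alias is to widen this test: `else if (!strcmp(args[cur_arg], "no-sslv3") || !strcmp(args[cur_arg], "nosslv3")) {`, and the same applies to the three following hunks for no-tlsv10/11/12 and to the bind_kw_list table in src/ssl_sock.c, where the old names could be re-added as entries pointing at the renamed bind_parse_no_* functions with a `/* deprecated alias */` comment. The enclosing else-if chain starts before this hunk.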
@@ -4304,9 +4304,9 @@
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv10")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv10")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv10 = 1;
+ newsrv->ssl_ctx.no_tlsv10 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4315,9 +4315,9 @@
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv11")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv11")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv11 = 1;
+ newsrv->ssl_ctx.no_tlsv11 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4326,9 +4326,9 @@
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv12")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv12")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv12 = 1;
+ newsrv->ssl_ctx.no_tlsv12 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6360,13 +6360,13 @@
goto next_srv;
}
- if (newsrv->ssl_ctx.nosslv3)
+ if (newsrv->ssl_ctx.no_sslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.notlsv10)
+ if (newsrv->ssl_ctx.no_tlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (newsrv->ssl_ctx.notlsv11)
+ if (newsrv->ssl_ctx.no_tlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (newsrv->ssl_ctx.notlsv12)
+ if (newsrv->ssl_ctx.no_tlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index df09f9a..5fc5f16 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -484,13 +484,13 @@
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS;
- if (bind_conf->nosslv3)
+ if (bind_conf->no_sslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->notlsv10)
+ if (bind_conf->no_tlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (bind_conf->notlsv11)
+ if (bind_conf->no_tlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (bind_conf->notlsv12)
+ if (bind_conf->no_tlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->no_tls_tickets)
ssloptions |= SSL_OP_NO_TICKET;
@@ -1253,31 +1253,31 @@
}
-/* parse the "nosslv3" bind keyword */
-static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-sslv3" bind keyword */
+static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->nosslv3 = 1;
+ conf->no_sslv3 = 1;
return 0;
}
-/* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv10" bind keyword */
+static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv10 = 1;
+ conf->no_tlsv10 = 1;
return 0;
}
-/* parse the "notlsv11" bind keyword */
-static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv11" bind keyword */
+static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv11 = 1;
+ conf->no_tlsv11 = 1;
return 0;
}
-/* parse the "notlsv12" bind keyword */
-static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv12" bind keyword */
+static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv12 = 1;
+ conf->no_tlsv12 = 1;
return 0;
}
@@ -1365,11 +1365,11 @@
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
+ { "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
+ { "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */
+ { "no-tlsv12", bind_parse_no_tlsv12, 0 }, /* disable TLSv12 */
{ "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
- { "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
- { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
- { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
- { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 },