MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
This is because "notlsv1" used to disable TLSv1.0 only and had no effect
on v1.1/v1.2, so it is better to have an option for each version. This applies both
to "bind" and "server" statements.
diff --git a/include/types/listener.h b/include/types/listener.h
index 227bb4b..b3d52a1 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -103,7 +103,9 @@
char *crlfile; /* CRLfile to use on verify */
char *ecdhe; /* named curve to use for ECDHE */
int nosslv3; /* disable SSLv3 */
- int notlsv1; /* disable TLSv1 */
+ int notlsv10; /* disable TLSv1.0 */
+ int notlsv11; /* disable TLSv1.1 */
+ int notlsv12; /* disable TLSv1.2 */
int prefer_server_ciphers; /* Prefer server ciphers */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
diff --git a/include/types/server.h b/include/types/server.h
index 25a0174..7c5dd87 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -175,7 +175,9 @@
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
int nosslv3; /* disable SSLv3 */
- int notlsv1; /* disable TLSv1 */
+ int notlsv10; /* disable TLSv1.0 */
+ int notlsv11; /* disable TLSv1.1 */
+ int notlsv12; /* disable TLSv1.2 */
} ssl_ctx;
#endif
struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6fbcd5b..c6260e1 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4253,9 +4253,9 @@
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv1")) {
+ else if (!strcmp(args[cur_arg], "notlsv10")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv1 = 1;
+ newsrv->ssl_ctx.notlsv10 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
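Review bot: Renaming the keyword leaves no alias for `notlsv1`, so a configuration written for the previous release will presumably now reach the unknown-keyword path (outside this hunk) instead of disabling TLSv1.0 as it did before. Since the old keyword only ever disabled TLSv1.0, it can be kept as a deprecated alias without changing its meaning, e.g. `else if (!strcmp(args[cur_arg], "notlsv10") || !strcmp(args[cur_arg], "notlsv1")) {` together with a deprecation warning pointing at `notlsv10`. The same applies to the bind keyword table in src/ssl_sock.c, where the `notlsv1` entry is dropped from the list. The enclosing server-line parser starts and ends outside the hunk.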
@@ -4264,6 +4264,28 @@
goto out;
#endif /* USE_OPENSSL */
}
+ else if (!strcmp(args[cur_arg], "notlsv11")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv11 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv12")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv12 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
if (!strcmp(args[cur_arg + 1], "none"))
newsrv->observe = HANA_OBS_NONE;
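Review bot: The `notlsv11` and `notlsv12` branches repeat the `notlsv10` branch verbatim except for the keyword string and the field assigned, including the whole `#else` Alert/err_code/goto block. A small keyword-to-flag table walked by a single branch would keep the three in step and make a future version a one-line addition, though that is a wider refactor of this parser than the commit attempts. As written, each copy is consistent: the flag is set and `cur_arg` advanced only under USE_OPENSSL, and the non-OpenSSL build rejects the keyword with a fatal alert. The enclosing function starts and ends outside the hunk.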
@@ -6240,6 +6262,12 @@
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
+#endif
if (newsrv->use_ssl) {
int ssloptions =
SSL_OP_ALL | /* all known workarounds for bugs */
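Review bot: Defining `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` as 0 means that on an OpenSSL which lacks them the `notlsv11`/`notlsv12` keywords are accepted and silently have no effect; this is only acceptable because such a library cannot negotiate TLSv1.1/1.2 at all, and the comment should record that, e.g. `/* absent before 1.0.1, which cannot speak TLSv1.1/1.2, so a 0 (no-op) fallback is correct */`. The same six lines are added again to src/ssl_sock.c in this commit; one shared definition next to the other SSL_OP_* fallbacks would keep the two copies from drifting apart. The surrounding code starts and ends outside the hunk.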
@@ -6265,8 +6293,12 @@
if (newsrv->ssl_ctx.nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.notlsv1)
+ if (newsrv->ssl_ctx.notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
+ if (newsrv->ssl_ctx.notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (newsrv->ssl_ctx.notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
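Review bot: With four independent disable flags nothing prevents a configuration from clearing every protocol version the library supports, and `SSL_CTX_set_options` accepts that combination without complaint; the mistake then surfaces only as handshake failures at runtime rather than at startup. A check once the flags are combined, for instance warning when `nosslv3`, `notlsv10`, `notlsv11` and `notlsv12` are all set, would report the misconfiguration while this pass still has its error reporting available. The bind-side block in src/ssl_sock.c has the same gap. The enclosing function starts and ends outside the hunk.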
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 18496d5..7baca58 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -450,6 +450,12 @@
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
+#endif
#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
#define SSL_OP_SINGLE_DH_USE 0
#endif
@@ -476,8 +482,12 @@
if (bind_conf->nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->notlsv1)
+ if (bind_conf->notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
+ if (bind_conf->notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (bind_conf->notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -1190,9 +1200,23 @@
}
/* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv1(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv10 = 1;
+ return 0;
+}
+
+/* parse the "notlsv11" bind keyword */
+static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv11 = 1;
+ return 0;
+}
+
+/* parse the "notlsv12" bind keyword */
+static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv1 = 1;
+ conf->notlsv12 = 1;
return 0;
}
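Review bot: The comment heading the first function still reads `/* parse the "notlsv1" bind keyword */` although the function below it is now `bind_parse_notlsv10`; it should become `/* parse the "notlsv10" bind keyword */` so that all three keyword comments match the functions they describe. The two comments added for `notlsv11` and `notlsv12` are already correct.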
@@ -1288,7 +1312,9 @@
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
- { "notlsv1", bind_parse_notlsv1, 0 }, /* disable TLSv1 */
+ { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
+ { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
+ { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
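Review bot: The new table comments say `disable TLSv10`, `TLSv11` and `TLSv12`, whereas the struct fields added in include/types/listener.h and include/types/server.h are documented as `TLSv1.0`/`TLSv1.1`/`TLSv1.2`; writing `/* disable TLSv1.0 */` and so on here keeps the keyword table consistent with the headers. The table starts and ends outside the hunk.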