CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c
Historically a lot of SSL global settings were stored into the global
struct, but we've reached a point where there are 3 ifdefs in it just
for this, and others in haproxy.c to initialize it.
This patch moves all the private fields to a new struct "global_ssl"
stored in ssl_sock.c. This includes :
char *crt_base;
char *ca_base;
char *listen_default_ciphers;
char *connect_default_ciphers;
int listen_default_ssloptions;
int connect_default_ssloptions;
int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */
unsigned int tune.ssl_max_record; /* SSL max record size */
unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */
int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */
The "tune" part was removed (useless here) and the occasional "ssl"
prefixes were removed as well. Thus for example instead of
global.tune.ssl_default_dh_param
we now have :
global_ssl.default_dh_param
A few initializers were present in the constructor, they could be brought
back to the structure declaration.
A few other entries had to stay in global for now. They concern memory
calculationn (used in haproxy.c) and stats (used in stats.c).
The code is already much cleaner now, especially for global.h and haproxy.c
which become readable.
diff --git a/include/types/global.h b/include/types/global.h
index 0b6d439..e14a2ad 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -76,10 +76,6 @@
/* FIXME : this will have to be redefined correctly */
struct global {
-#ifdef USE_OPENSSL
- char *crt_base; /* base directory path for certificates */
- char *ca_base; /* base directory path for CAs and CRLs */
-#endif
int uid;
int gid;
int external_check;
@@ -90,12 +86,6 @@
int ssl_handshake_max_cost; /* how many bytes an SSL handshake may use */
int ssl_used_frontend; /* non-zero if SSL is used in a frontend */
int ssl_used_backend; /* non-zero if SSL is used in a backend */
-#ifdef USE_OPENSSL
- char *listen_default_ciphers;
- char *connect_default_ciphers;
- int listen_default_ssloptions;
- int connect_default_ssloptions;
-#endif
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
struct freq_ctr sess_per_sec;
@@ -149,13 +139,6 @@
int cookie_len; /* max length of cookie captures */
int pattern_cache; /* max number of entries in the pattern cache. */
int sslcachesize; /* SSL cache size in session, defaults to 20000 */
-#ifdef USE_OPENSSL
- int sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */
- unsigned int ssllifetime; /* SSL session lifetime in seconds */
- unsigned int ssl_max_record; /* SSL max record size */
- unsigned int ssl_default_dh_param; /* SSL maximum DH parameter size */
- int ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */
-#endif
int comp_maxlevel; /* max HTTP compression level */
unsigned short idle_timer; /* how long before an empty buffer is considered idle (ms) */
} tune;
diff --git a/src/haproxy.c b/src/haproxy.c
index 30991a9..bb9f0cf 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -138,11 +138,6 @@
.pattern_cache = DEFAULT_PAT_LRU_SIZE,
#ifdef USE_OPENSSL
.sslcachesize = SSLCACHESIZE,
- .ssl_default_dh_param = SSL_DEFAULT_DH_PARAM,
-#ifdef DEFAULT_SSL_MAX_RECORD
- .ssl_max_record = DEFAULT_SSL_MAX_RECORD,
-#endif
- .ssl_ctx_cache = DEFAULT_SSL_CTX_CACHE,
#endif
.comp_maxlevel = 1,
#ifdef DEFAULT_IDLE_TIMER
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0228dd5..c5905f9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -132,6 +132,38 @@
int totalsslconns = 0;
static struct xprt_ops ssl_sock;
+static struct {
+ char *crt_base; /* base directory path for certificates */
+ char *ca_base; /* base directory path for CAs and CRLs */
+
+ char *listen_default_ciphers;
+ char *connect_default_ciphers;
+ int listen_default_ssloptions;
+ int connect_default_ssloptions;
+
+ int private_cache; /* Force to use a private session cache even if nbproc > 1 */
+ unsigned int life_time; /* SSL session lifetime in seconds */
+ unsigned int max_record; /* SSL max record size */
+ unsigned int default_dh_param; /* SSL maximum DH parameter size */
+ int ctx_cache; /* max number of entries in the ssl_ctx cache. */
+} global_ssl = {
+#ifdef LISTEN_DEFAULT_CIPHERS
+ .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+ .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
+ .listen_default_ssloptions = BC_SSL_O_NONE,
+ .connect_default_ssloptions = SRV_SSL_O_NONE,
+
+#ifdef DEFAULT_SSL_MAX_RECORD
+ .max_record = DEFAULT_SSL_MAX_RECORD,
+#endif
+ .default_dh_param = SSL_DEFAULT_DH_PARAM,
+ .ctx_cache = DEFAULT_SSL_CTX_CACHE,
+};
+
+
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference);
#endif
@@ -1623,7 +1655,7 @@
}
/* Returns Diffie-Hellman parameters matching the private key length
- but not exceeding global.tune.ssl_default_dh_param */
+ but not exceeding global_ssl.default_dh_param */
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
{
DH *dh = NULL;
@@ -1639,8 +1671,8 @@
keylen = EVP_PKEY_bits(pkey);
}
- if (keylen > global.tune.ssl_default_dh_param) {
- keylen = global.tune.ssl_default_dh_param;
+ if (keylen > global_ssl.default_dh_param) {
+ keylen = global_ssl.default_dh_param;
}
if (keylen >= 4096) {
@@ -1712,7 +1744,7 @@
/* Clear openssl global errors stack */
ERR_clear_error();
- if (global.tune.ssl_default_dh_param <= 1024) {
+ if (global_ssl.default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
if (local_dh_1024 == NULL)
local_dh_1024 = ssl_get_dh_1024();
@@ -2795,8 +2827,8 @@
}
#endif
- if (global.tune.ssllifetime)
- SSL_CTX_set_timeout(ctx, global.tune.ssllifetime);
+ if (global_ssl.life_time)
+ SSL_CTX_set_timeout(ctx, global_ssl.life_time);
shared_context_set_cache(ctx);
if (bind_conf->ciphers &&
@@ -2809,7 +2841,7 @@
/* If tune.ssl.default-dh-param has not been set,
neither has ssl-default-dh-file and no static DH
params were in the certificate file. */
- if (global.tune.ssl_default_dh_param == 0 &&
+ if (global_ssl.default_dh_param == 0 &&
global_dh == NULL &&
(ssl_dh_ptr_index == -1 ||
SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
@@ -2839,19 +2871,19 @@
Warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
}
- global.tune.ssl_default_dh_param = 1024;
+ global_ssl.default_dh_param = 1024;
}
#ifndef OPENSSL_NO_DH
- if (global.tune.ssl_default_dh_param >= 1024) {
+ if (global_ssl.default_dh_param >= 1024) {
if (local_dh_1024 == NULL) {
local_dh_1024 = ssl_get_dh_1024();
}
- if (global.tune.ssl_default_dh_param >= 2048) {
+ if (global_ssl.default_dh_param >= 2048) {
if (local_dh_2048 == NULL) {
local_dh_2048 = ssl_get_dh_2048();
}
- if (global.tune.ssl_default_dh_param >= 4096) {
+ if (global_ssl.default_dh_param >= 4096) {
if (local_dh_4096 == NULL) {
local_dh_4096 = ssl_get_dh_4096();
}
@@ -3170,8 +3202,8 @@
#endif
}
- if (global.tune.ssllifetime)
- SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global.tune.ssllifetime);
+ if (global_ssl.life_time)
+ SSL_CTX_set_timeout(srv->ssl_ctx.ctx, global_ssl.life_time);
SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF);
if (srv->ssl_ctx.ciphers &&
@@ -3249,7 +3281,7 @@
return -1;
}
- alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global.tune.sslprivatecache && (global.nbproc > 1)) ? 1 : 0);
+ alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
if (alloc_ctx < 0) {
if (alloc_ctx == SHCTX_E_INIT_LOCK)
Alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
@@ -3351,8 +3383,8 @@
return err;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- if (global.tune.ssl_ctx_cache)
- ssl_ctx_lru_tree = lru64_new(global.tune.ssl_ctx_cache);
+ if (global_ssl.ctx_cache)
+ ssl_ctx_lru_tree = lru64_new(global_ssl.ctx_cache);
ssl_ctx_lru_seed = (unsigned int)time(NULL);
#endif
@@ -3903,8 +3935,8 @@
if (!(flags & CO_SFL_STREAMER) &&
!(conn->xprt_st & SSL_SOCK_SEND_UNLIMITED) &&
- global.tune.ssl_max_record && try > global.tune.ssl_max_record) {
- try = global.tune.ssl_max_record;
+ global_ssl.max_record && try > global_ssl.max_record) {
+ try = global_ssl.max_record;
}
else {
/* we need to keep the information about the fact that
@@ -5203,8 +5235,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[cur_arg + 1] != '/') && global.ca_base)
- memprintf(&conf->ca_file, "%s/%s", global.ca_base, args[cur_arg + 1]);
+ if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+ memprintf(&conf->ca_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
else
memprintf(&conf->ca_file, "%s", args[cur_arg + 1]);
@@ -5220,8 +5252,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[cur_arg + 1] != '/') && global.ca_base)
- memprintf(&conf->ca_sign_file, "%s/%s", global.ca_base, args[cur_arg + 1]);
+ if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+ memprintf(&conf->ca_sign_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
else
memprintf(&conf->ca_sign_file, "%s", args[cur_arg + 1]);
@@ -5263,12 +5295,12 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[cur_arg + 1] != '/' ) && global.crt_base) {
- if ((strlen(global.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1) > MAXPATHLEN) {
+ if ((*args[cur_arg + 1] != '/' ) && global_ssl.crt_base) {
+ if ((strlen(global_ssl.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1) > MAXPATHLEN) {
memprintf(err, "'%s' : path too long", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
- snprintf(path, sizeof(path), "%s/%s", global.crt_base, args[cur_arg + 1]);
+ snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, args[cur_arg + 1]);
if (ssl_sock_load_cert(path, conf, err) > 0)
return ERR_ALERT | ERR_FATAL;
@@ -5311,8 +5343,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[cur_arg + 1] != '/') && global.ca_base)
- memprintf(&conf->crl_file, "%s/%s", global.ca_base, args[cur_arg + 1]);
+ if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
+ memprintf(&conf->crl_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
else
memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
@@ -5567,9 +5599,9 @@
conf->xprt = &ssl_sock;
conf->is_ssl = 1;
- if (global.listen_default_ciphers && !conf->ciphers)
- conf->ciphers = strdup(global.listen_default_ciphers);
- conf->ssl_options |= global.listen_default_ssloptions;
+ if (global_ssl.listen_default_ciphers && !conf->ciphers)
+ conf->ciphers = strdup(global_ssl.listen_default_ciphers);
+ conf->ssl_options |= global_ssl.listen_default_ssloptions;
return 0;
}
@@ -5704,8 +5736,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[*cur_arg + 1] != '/') && global.ca_base)
- memprintf(&newsrv->ssl_ctx.ca_file, "%s/%s", global.ca_base, args[*cur_arg + 1]);
+ if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
+ memprintf(&newsrv->ssl_ctx.ca_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
else
memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
@@ -5716,9 +5748,9 @@
static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->check.use_ssl = 1;
- if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
- newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
- newsrv->ssl_ctx.options |= global.connect_default_ssloptions;
+ if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
+ newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
return 0;
}
@@ -5749,8 +5781,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[*cur_arg + 1] != '/') && global.ca_base)
- memprintf(&newsrv->ssl_ctx.crl_file, "%s/%s", global.ca_base, args[*cur_arg + 1]);
+ if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
+ memprintf(&newsrv->ssl_ctx.crl_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
@@ -5767,8 +5799,8 @@
return ERR_ALERT | ERR_FATAL;
}
- if ((*args[*cur_arg + 1] != '/') && global.crt_base)
- memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global.ca_base, args[*cur_arg + 1]);
+ if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
+ memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
else
memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
@@ -5914,8 +5946,8 @@
static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->use_ssl = 1;
- if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
- newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
+ if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
return 0;
}
@@ -5968,20 +6000,20 @@
}
while (*(args[i])) {
if (!strcmp(args[i], "no-sslv3"))
- global.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
else if (!strcmp(args[i], "no-tlsv10"))
- global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
else if (!strcmp(args[i], "no-tlsv11"))
- global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
else if (!strcmp(args[i], "no-tlsv12"))
- global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
else if (!strcmp(args[i], "force-sslv3"))
- global.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
else if (!strcmp(args[i], "force-tlsv10"))
- global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
else if (!strcmp(args[i], "force-tlsv11")) {
#if SSL_OP_NO_TLSv1_1
- global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
return -1;
@@ -5989,14 +6021,14 @@
}
else if (!strcmp(args[i], "force-tlsv12")) {
#if SSL_OP_NO_TLSv1_2
- global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "no-tls-tickets"))
- global.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+ global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
else {
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
@@ -6018,20 +6050,20 @@
}
while (*(args[i])) {
if (!strcmp(args[i], "no-sslv3"))
- global.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
else if (!strcmp(args[i], "no-tlsv10"))
- global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
else if (!strcmp(args[i], "no-tlsv11"))
- global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
else if (!strcmp(args[i], "no-tlsv12"))
- global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
else if (!strcmp(args[i], "force-sslv3"))
- global.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
else if (!strcmp(args[i], "force-tlsv10"))
- global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
else if (!strcmp(args[i], "force-tlsv11")) {
#if SSL_OP_NO_TLSv1_1
- global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
return -1;
@@ -6039,14 +6071,14 @@
}
else if (!strcmp(args[i], "force-tlsv12")) {
#if SSL_OP_NO_TLSv1_2
- global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "no-tls-tickets"))
- global.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
+ global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
else {
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
@@ -6065,7 +6097,7 @@
{
char **target;
- target = (args[0][1] == 'a') ? &global.ca_base : &global.crt_base;
+ target = (args[0][1] == 'a') ? &global_ssl.ca_base : &global_ssl.crt_base;
if (too_many_args(1, args, err, NULL))
return -1;
@@ -6092,7 +6124,7 @@
{
char **target;
- target = (args[0][12] == 'b') ? &global.listen_default_ciphers : &global.connect_default_ciphers;
+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphers : &global_ssl.connect_default_ciphers;
if (too_many_args(1, args, err, NULL))
return -1;
@@ -6119,9 +6151,9 @@
if (strcmp(args[0], "tune.ssl.cachesize") == 0)
target = &global.tune.sslcachesize;
else if (strcmp(args[0], "tune.ssl.maxrecord") == 0)
- target = (int *)&global.tune.ssl_max_record;
+ target = (int *)&global_ssl.max_record;
else if (strcmp(args[0], "tune.ssl.ssl-ctx-cache-size") == 0)
- target = &global.tune.ssl_ctx_cache;
+ target = &global_ssl.ctx_cache;
else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn;
else {
@@ -6155,7 +6187,7 @@
if (too_many_args(0, args, err, NULL))
return -1;
- global.tune.sslprivatecache = 1;
+ global_ssl.private_cache = 1;
return 0;
}
@@ -6176,7 +6208,7 @@
return -1;
}
- res = parse_time_err(args[1], &global.tune.ssllifetime, TIME_UNIT_S);
+ res = parse_time_err(args[1], &global_ssl.life_time, TIME_UNIT_S);
if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.", *res, args[0]);
return -1;
@@ -6222,8 +6254,8 @@
return -1;
}
- global.tune.ssl_default_dh_param = atoi(args[1]);
- if (global.tune.ssl_default_dh_param < 1024) {
+ global_ssl.default_dh_param = atoi(args[1]);
+ if (global_ssl.default_dh_param < 1024) {
memprintf(err, "'%s' expects a value >= 1024.", args[0]);
return -1;
}
@@ -6686,18 +6718,10 @@
STACK_OF(SSL_COMP)* cm;
-#ifdef LISTEN_DEFAULT_CIPHERS
- global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS;
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERS
- global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS;
-#endif
- if (global.listen_default_ciphers)
- global.listen_default_ciphers = strdup(global.listen_default_ciphers);
- if (global.connect_default_ciphers)
- global.connect_default_ciphers = strdup(global.connect_default_ciphers);
- global.listen_default_ssloptions = BC_SSL_O_NONE;
- global.connect_default_ssloptions = SRV_SSL_O_NONE;
+ if (global_ssl.listen_default_ciphers)
+ global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
+ if (global_ssl.connect_default_ciphers)
+ global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
xprt_register(XPRT_SSL, &ssl_sock);
SSL_library_init();