From: Emmanuel Hocdet Date: Thu, 30 Mar 2017 12:43:31 +0000 (+0200) Subject: MEDIUM: ssl: revert ssl/tls version settings relative to default-server. X-Git-Tag: v1.8-dev2~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6cb2d1e9638f22f080d1391e6bb8260b6a0b1f95;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: revert ssl/tls version settings relative to default-server. Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. min-tlsxx and max-tlsxx can be overwrite on local definition. This directives should be the only ones needed in default-server. To simplify next patches (rework of tls versions settings with min/max) all ssl/tls version settings relative to default-server are reverted first: remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'. remove from default-server: 'no-sslv3', 'no-tls*'. Note: . force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server. . no-tlsxx is keep for compatibility: should not be propagated to default-server. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index fea06cb5c9..68cffd472d 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10949,22 +10949,30 @@ force-sslv3 This option enforces use of SSLv3 only when SSL is used to communicate with the server. SSLv3 is generally less expensive than the TLS counterparts for high connection rates. This option is also available on global statement - "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3". + "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No force-tlsv10 This option enforces use of TLSv1.0 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3". + "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No force-tlsv11 This option enforces use of TLSv1.1 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3". + "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No force-tlsv12 This option enforces use of TLSv1.2 only when SSL is used to communicate with the server. This option is also available on global statement - "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3". + "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No id Set a persistent ID for the server. This ID must be positive and unique for @@ -11091,34 +11099,6 @@ no-check-ssl It may also be used as "default-server" setting to reset any previous "default-server" "check-ssl" setting. -no-force-sslv3 - This option may be used as "server" setting to reset any "force-sslv3" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "force-sslv3" setting. - -no-force-tlsv10 - This option may be used as "server" setting to reset any "force-tlsv10" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "force-tlsv10" setting. - -no-force-tlsv11 - This option may be used as "server" setting to reset any "force-tlsv11" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "force-tlsv11" setting. - -no-force-tlsv12 - This option may be used as "server" setting to reset any "force-tlsv12" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "force-tlsv12" setting. - no-send-proxy This option may be used as "server" setting to reset any "send-proxy" setting which would have been inherited from "default-server" directive as @@ -11165,6 +11145,8 @@ no-sslv3 the server. Note that SSLv2 is disabled in the code and cannot be enabled using any configuration option. See also "force-sslv3", "force-tlsv*". + Supported in default-server: No + no-tls-tickets This setting is only available when support for OpenSSL was built in. It disables the stateless session resumption (RFC 5077 TLS Ticket @@ -11181,6 +11163,8 @@ no-tlsv10 option is also available on global statement "ssl-default-server-options". See also "tlsv10", "force-sslv3", "force-tlsv*". + Supported in default-server: No + no-tlsv11 This option disables support for TLSv1.1 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled @@ -11189,6 +11173,8 @@ no-tlsv11 option is also available on global statement "ssl-default-server-options". See also "tlsv11", "force-sslv3", "force-tlsv*". + Supported in default-server: No + no-tlsv12 This option disables support for TLSv1.2 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled @@ -11197,6 +11183,8 @@ no-tlsv12 option is also available on global statement "ssl-default-server-options". See also "tlsv12", "force-sslv3", "force-tlsv*". + Supported in default-server: No + no-verifyhost This option may be used as "server" setting to reset any "verifyhost" setting which would have been inherited from "default-server" directive as @@ -11435,13 +11423,6 @@ ssl See the "no-ssl" to disable "ssl" option and "check-ssl" option to force SSL health checks. -sslv3 - This option may be used as "server" setting to reset any "no-sslv3" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "no-sslv3" setting. - ssl-reuse This option may be used as "server" setting to reset any "no-ssl-reuse" setting which would have been inherited from "default-server" directive as @@ -11478,27 +11459,6 @@ track [/] enabled. If is omitted the current one is used. If disable-on-404 is used, it has to be enabled on both proxies. -tlsv10 - This option may be used as "server" setting to reset any "no-tlsv10" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "no-tlsv10" setting. - -tlsv11 - This option may be used as "server" setting to reset any "no-tlsv11" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "no-tlsv11" setting. - -tlsv12 - This option may be used as "server" setting to reset any "no-tlsv12" - setting which would have been inherited from "default-server" directive as - default value. - It may also be used as "default-server" setting to reset any previous - "default-server" "no-tlsv12" setting. - tls-tickets This option may be used as "server" setting to reset any "no-tls-tickets" setting which would have been inherited from "default-server" directive as diff --git a/src/ssl_sock.c b/src/ssl_sock.c index acb7d283f5..a0f21cff16 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -6597,52 +6597,6 @@ static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, s return 0; } -/* parse the "no-force-sslv3" server keyword */ -static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ -#ifndef OPENSSL_NO_SSL3 - newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3; - return 0; -#else - if (err) - memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]); - return ERR_ALERT | ERR_FATAL; -#endif -} - -/* parse the "no-force-tlsv10" server keyword */ -static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ - newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10; - return 0; -} - -/* parse the "no-force-tlsv11" server keyword */ -static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ -#if SSL_OP_NO_TLSv1_1 - newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11; - return 0; -#else - if (err) - memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]); - return ERR_ALERT | ERR_FATAL; -#endif -} - -/* parse the "no-force-tlsv12" server keyword */ -static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ -#if SSL_OP_NO_TLSv1_2 - newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12; - return 0; -#else - if (err) - memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]); - return ERR_ALERT | ERR_FATAL; -#endif -} - /* parse the "no-send-proxy-v2-ssl" server keyword */ static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -6765,34 +6719,6 @@ static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, stru return 0; } -/* parse the "sslv3" server keyword */ -static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ - newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3; - return 0; -} - -/* parse the "tlsv10" server keyword */ -static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ - newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10; - return 0; -} - -/* parse the "tlsv11" server keyword */ -static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ - newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11; - return 0; -} - -/* parse the "tlsv12" server keyword */ -static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -{ - newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12; - return 0; -} - /* parse the "tls-tickets" server keyword */ static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { @@ -7538,28 +7464,20 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { { "force-tlsv11", srv_parse_force_tlsv11, 0, 1 }, /* force TLSv11 */ { "force-tlsv12", srv_parse_force_tlsv12, 0, 1 }, /* force TLSv12 */ { "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */ - { "no-force-sslv3", srv_parse_no_force_sslv3, 0, 1 }, /* do not force SSLv3 */ - { "no-force-tlsv10", srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */ - { "no-force-tlsv11", srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */ - { "no-force-tlsv12", srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */ { "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */ { "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */ { "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */ { "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */ - { "no-sslv3", srv_parse_no_sslv3, 0, 1 }, /* disable SSLv3 */ - { "no-tlsv10", srv_parse_no_tlsv10, 0, 1 }, /* disable TLSv10 */ - { "no-tlsv11", srv_parse_no_tlsv11, 0, 1 }, /* disable TLSv11 */ - { "no-tlsv12", srv_parse_no_tlsv12, 0, 1 }, /* disable TLSv12 */ + { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */ + { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */ + { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */ + { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */ { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */ { "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */ { "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */ { "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */ { "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */ { "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */ - { "sslv3", srv_parse_sslv3, 0, 1 }, /* enable SSLv3 */ - { "tlsv10", srv_parse_tlsv10, 0, 1 }, /* enable TLSv10 */ - { "tlsv11", srv_parse_tlsv11, 0, 1 }, /* enable TLSv11 */ - { "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */ { "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */ { "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */ { "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */