From: Emmanuel Hocdet Date: Mon, 15 May 2017 13:53:41 +0000 (+0200) Subject: MEDIUM: ssl: disable SSLv3 per default for bind X-Git-Tag: v1.8-dev3~307 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd695fe024e8028fc96a5222c26dadf84f05402d;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: disable SSLv3 per default for bind For security, disable SSLv3 on bind line must be the default configuration. SSLv3 can be enabled with "ssl-min-ver SSLv3". --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 19c11323cd..61376fc78b 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10678,7 +10678,8 @@ ssl enables SSL deciphering on connections instantiated from this listener. A certificate is necessary (see "crt" above). All contents in the buffers will appear in clear text, so that ACLs and HTTP processing will only have access - to deciphered contents. + to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3" + to enable it. ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ] This option enforces use of or lower on SSL connections instantiated diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 776140f49b..885aff9734 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3544,12 +3544,16 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) else flags = conf_ssl_methods->flags; + min = conf_ssl_methods->min; + max = conf_ssl_methods->max; + /* start with TLSv10 to remove SSLv3 per default */ + if (!min && (!max || max >= CONF_TLSV10)) + min = CONF_TLSV10; /* Real min and max should be determinate with configuration and openssl's capabilities */ - if (conf_ssl_methods->min) - flags |= (methodVersions[conf_ssl_methods->min].flag - 1); - if (conf_ssl_methods->max) - flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1); - + if (min) + flags |= (methodVersions[min].flag - 1); + if (max) + flags |= ~((methodVersions[max].flag << 1) - 1); /* find min, max and holes */ min = max = CONF_TLSV_NONE; hole = 0;
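Review bot: In the doc/configuration.txt hunk, the added sentence is a comma splice and "per default" is not idiomatic; the "ssl" keyword text would read better as "SSLv3 is disabled by default; use "ssl-min-ver SSLv3" to enable it." Since this changes the meaning of an existing bind option, the same note belongs under the ssl-min-ver keyword entry that the sentence points the reader to, so that someone reading ssl-min-ver (the entry following the visible ssl-max-ver one) sees that SSLv3 now has to be opted into explicitly.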
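Review bot: In the src/ssl_sock.c hunk, the condition `if (!min && (!max || max >= CONF_TLSV10))` does not match the documentation: with only "ssl-max-ver SSLv3" set, `max < CONF_TLSV10` leaves `min` at zero, nothing ORs the SSLv3 bit into `flags`, and SSLv3 ends up enabled without any "ssl-min-ver SSLv3" on the bind line. Either the doc hunk should say that ssl-max-ver SSLv3 also enables it, or the branch should require the explicit ssl-min-ver setting. Related: the TLSv1.0 default is forced regardless of what `flags` already holds from the `else flags = conf_ssl_methods->flags;` branch above; if that path can express a configuration that permits only SSLv3, ORing `(methodVersions[CONF_TLSV10].flag - 1)` on top disables that last version as well and the "find min, max and holes" pass below will find no usable version, so a check against `flags` (or an explicit error) before forcing `min` seems warranted. Minor: the new comment should read "by default" rather than "per default", and the blank line before `/* find min, max and holes */` is dropped for no reason.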