From: Willy Tarreau
Date: Mon, 3 Sep 2012 21:55:16 +0000 (+0200)
Subject: MEDIUM: config: add "nosslv3" and "notlsv1" on bind and server lines
X-Git-Tag: v1.5-dev12~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c230b8bfb65cbcf4028187dd5a3225f6b928d194;p=thirdparty%2Fhaproxy.git
MEDIUM: config: add "nosslv3" and "notlsv1" on bind and server lines
This is aimed at disabling SSLv3 and TLSv1 respectively. SSLv2 is always disabled. This can be used in some situations where one version looks more suitable than the other.
---
diff --git a/include/types/protocols.h b/include/types/protocols.h
index 4b4ef1672d..4e40a67266 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -135,6 +135,8 @@ struct listener {
     struct {
         SSL_CTX *ctx;
         char *ciphers;      /* cipher suite to use if non-null */
+        int nosslv3;        /* disable SSLv3 */
+        int notlsv1;        /* disable TLSv1 */
     } ssl_ctx;
 #endif
     /* warning: this struct is huge, keep it at the bottom */
diff --git a/include/types/server.h b/include/types/server.h
index 327ad5eff3..25a01747a4 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -174,6 +174,8 @@ struct server {
         SSL_CTX *ctx;
         SSL_SESSION *reused_sess;
         char *ciphers;      /* cipher suite to use if non-null */
+        int nosslv3;        /* disable SSLv3 */
+        int notlsv1;        /* disable TLSv1 */
     } ssl_ctx;
 #endif
     struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 62a9bc9045..f5061b3173 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1855,6 +1855,40 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
         }
 
+        if (!strcmp(args[cur_arg], "nosslv3")) { /* disable SSLv3 */
+#ifdef USE_OPENSSL
+            struct listener *l;
+
+            for (l = curproxy->listen; l != last_listen; l = l->next)
+                l->ssl_ctx.nosslv3 = 1;
+
+            cur_arg += 1;
+            continue;
+#else
+            Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+                  file, linenum, args[0], args[cur_arg]);
+            err_code |= ERR_ALERT | ERR_FATAL;
+            goto out;
+#endif
+        }
+
+        if (!strcmp(args[cur_arg], "notlsv1")) { /* disable TLSv1 */
+#ifdef USE_OPENSSL
+            struct listener *l;
+
+            for (l = curproxy->listen; l != last_listen; l = l->next)
+                l->ssl_ctx.notlsv1 = 1;
+
+            cur_arg += 1;
+            continue;
+#else
+            Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+                  file, linenum, args[0], args[cur_arg]);
+            err_code |= ERR_ALERT | ERR_FATAL;
+            goto out;
+#endif
+        }
+
         if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
             struct listener *l;
 
@@ -4449,7 +4483,28 @@ stats_error_parsing:
             goto out;
 #endif
         }
-
+        else if (!strcmp(args[cur_arg], "nosslv3")) {
+#ifdef USE_OPENSSL
+            newsrv->ssl_ctx.nosslv3 = 1;
+            cur_arg += 1;
+#else /* USE_OPENSSL */
+            Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+                  file, linenum, args[cur_arg]);
+            err_code |= ERR_ALERT | ERR_FATAL;
+            goto out;
+#endif /* USE_OPENSSL */
+        }
+        else if (!strcmp(args[cur_arg], "notlsv1")) {
+#ifdef USE_OPENSSL
+            newsrv->ssl_ctx.notlsv1 = 1;
+            cur_arg += 1;
+#else /* USE_OPENSSL */
+            Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+                  file, linenum, args[cur_arg]);
+            err_code |= ERR_ALERT | ERR_FATAL;
+            goto out;
+#endif /* USE_OPENSSL */
+        }
         else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
             if (!strcmp(args[cur_arg + 1], "none"))
                 newsrv->observe = HANA_OBS_NONE;
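Review bot: The `nosslv3` and `notlsv1` bind keywords only raise a per-listener flag and are accepted on any bind line, so on a listener that never gets `ssl` the flag is silently set and, as far as this hunk shows, never acted on; whether the SSL_CTX build step later warns about that is outside the hunk. Since `ssl` may legitimately appear after these keywords on the same line, the check cannot live here; suggest a post-parse warning where the flags are consumed, and a comment on each keyword block, `/* only meaningful together with "ssl"; the flag is applied when the listener's SSL_CTX is built */`. The two 17-line blocks differ only in the keyword string and the field assigned; a one-line comment saying so would help the next person who adds a third protocol flag. No documentation change for the new keywords appears in this diff; if that is not in a separate commit, the configuration manual should gain an entry stating that `notlsv1` disables TLS 1.0 only. cfg_parse_listen continues outside the hunk.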
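Review bot: Unlike the `observe` branch directly below, the new `nosslv3`/`notlsv1` server keywords carry no `!defsrv` guard, so they are also accepted on `default-server`; whether `ssl_ctx.nosslv3` and `ssl_ctx.notlsv1` are then copied from the default server into each following `server` is decided by code outside this hunk, and if they are not, the keyword would be accepted and have no effect. Either mirror the existing guard, `else if (!defsrv && !strcmp(args[cur_arg], "nosslv3")) {` (and the same for `notlsv1`), or make sure the default-server copy path propagates both flags and add a comment here saying that it does. The `#else` Alert text also omits `args[0]` while the bind-line variant above includes it; harmless, but the two messages could use the same shape. The enclosing parsing code starts and ends outside the hunk.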
@@ -6443,6 +6498,10 @@ out_uri_auth_compat:
                 goto next_srv;
             }
 
+            if (newsrv->ssl_ctx.nosslv3)
+                ssloptions |= SSL_OP_NO_SSLv3;
+            if (newsrv->ssl_ctx.notlsv1)
+                ssloptions |= SSL_OP_NO_TLSv1;
             SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
             SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
             SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
@@ -6764,6 +6823,10 @@ out_uri_auth_compat:
                 cfgerr++;
                 goto skip_ssl;
             }
+            if (listener->ssl_ctx.nosslv3)
+                ssloptions |= SSL_OP_NO_SSLv3;
+            if (listener->ssl_ctx.notlsv1)
+                ssloptions |= SSL_OP_NO_TLSv1;
             SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
             SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
             SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
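Review bot: With both flags set, `ssloptions` carries SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 in addition to the SSLv2 exclusion the commit message says is always applied, and on an OpenSSL build without TLSv1.1/1.2 support that leaves the context with no negotiable protocol version, so every handshake fails at runtime instead of the configuration being rejected. Suggest checking the combination at this point, before `SSL_CTX_set_options()`, and reporting it through the same alert/warning path the rest of this function uses, e.g. `if (newsrv->ssl_ctx.nosslv3 && newsrv->ssl_ctx.notlsv1) /* warn: only TLSv1.1+ remain negotiable, none on older libraries */`; the listener hunk below needs the identical check. It is also worth a comment that `SSL_OP_NO_TLSv1` removes TLS 1.0 only, `/* SSL_OP_NO_TLSv1 disables TLS 1.0 only; TLS 1.1/1.2 stay enabled where the library supports them */`, since the keyword name `notlsv1` reads as if it disabled all of TLS. The enclosing function begins and ends outside the hunk, so `ssloptions` initialisation and the SSLv2 exclusion are not visible here.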