From: Amos Jeffries Date: Mon, 29 Jun 2015 14:36:31 +0000 (-0700) Subject: Merged from trunk rev.14127 X-Git-Tag: merge-candidate-3-v1~38^2~21^2~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4ccb08bd5c0964cac424a7155b678c033f2255b;p=thirdparty%2Fsquid.git Merged from trunk rev.14127 --- e4ccb08bd5c0964cac424a7155b678c033f2255b diff --cc src/anyp/PortCfg.cc index c3ea4e263f,31ab284e5d..f607abc428 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@@ -60,8 -68,9 +60,7 @@@ AnyP::PortCfg::PortCfg() clientVerifyCrls(), clientCA(), dhParams(), -- eecdhCurve(NULL), - contextMethod() - sslContextFlags(0), - sslOptions(0) ++ eecdhCurve(NULL) #endif { memset(&tcp_keepalive, 0, sizeof(tcp_keepalive)); @@@ -161,12 -194,37 +160,7 @@@ AnyP::PortCfg::configureSslServerContex } } - // backward compatibility hack for sslversion= configuration - if (version > 2) { - const char *add = NULL; - switch (version) { - case 3: - add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2"; - break; - case 4: - add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2"; - break; - case 5: - add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2"; - break; - case 6: - add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1"; - break; - default: // nothing - break; - } - if (add) { - SBuf tmpOpts; - if (options) { - tmpOpts.append(options, strlen(options)); - tmpOpts.append(",",1); - } - tmpOpts.append(add, strlen(add)); - xfree(options); - options = xstrdup(tmpOpts.c_str()); - } - version = 0; // prevent options being repeatedly appended - } + secure.updateTlsVersionLimits(); - #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - contextMethod = TLS_server_method(); - #else - contextMethod = SSLv23_server_method(); - #endif const char *dhParamsFile = dhfile; // backward compatibility for dhparams= configuration safe_free(eecdhCurve); // clear any previous EECDH configuration diff --cc src/anyp/PortCfg.h index 7886f4748c,fd3226e83b..f1e195117e --- a/src/anyp/PortCfg.h +++ b/src/anyp/PortCfg.h @@@ -91,7 -95,8 +91,6 @@@ public Ssl::X509_NAME_STACK_Pointer clientCA; 
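Review bot: The new `secure.updateTlsVersionLimits();` call in configureSslServerContext drops both the explanation that the removed block carried (why sslversion=3..6 was rewritten into NO_SSLv3/NO_TLSv1* option strings) and the `version = 0;` guard that prevented those options from being appended a second time, and nothing in the hunk shows that the helper is safe to call repeatedly. If configureSslServerContext can run more than once for the same port (on reconfigure, presumably), please confirm the helper is idempotent or say so in a comment, since the call now sits between the options handling above and the `dhfile`/`safe_free(eecdhCurve)` setup below. A one-line comment would keep the intent visible, e.g. `// sslversion= backward compatibility: legacy values are folded into the TLS version limits by updateTlsVersionLimits()`, worded to match what the helper actually does. configureSslServerContext begins and ends outside this hunk.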
///< CA certificates to use when verifying client certificates Ssl::DH_Pointer dhParams; ///< DH parameters for temporary/ephemeral DH key exchanges char *eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges - Ssl::ContextMethod contextMethod; ///< The context method (SSL_METHOD) to use when creating certificates - long sslContextFlags; ///< flags modifying the use of SSL - long sslOptions; ///< SSL engine options #endif }; diff --cc src/ssl/support.cc index a7aaaa9479,967ff3a5d6..aab44000f3 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@@ -702,11 -977,27 +702,16 @@@ configureSslContext(SSL_CTX *sslContext SSL_CTX * sslCreateServerContext(AnyP::PortCfg &port) { - int ssl_error; - const char *keyfile, *certfile; - certfile = port.cert; - keyfile = port.key; - ssl_initialize(); - SSL_CTX *sslContext = SSL_CTX_new(port.contextMethod); + - if (!keyfile) - keyfile = certfile; - - if (!certfile) - certfile = keyfile; - + #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + SSL_CTX *sslContext = SSL_CTX_new(TLS_server_method()); + #else + SSL_CTX *sslContext = SSL_CTX_new(SSLv23_server_method()); + #endif if (sslContext == NULL) { - ssl_error = ERR_get_error(); + int ssl_error = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate SSL context: " << ERR_error_string(ssl_error, NULL)); return NULL; }