an established connection while the proxy will only see it in SYN_RECV. This
option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
+force-sslv3
+ This option enforces use of SSLv3 only on SSL connections instanciated from
+ this listener. SSLv3 is generally less expensive than the TLS counterparts
+ for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv10
+ This option enforces use of TLSv1.0 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv11
+ This option enforces use of TLSv1.1 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv12
+ This option enforces use of TLSv1.2 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also
be set by default in the global section's "unix-bind" statement. Note that
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv10 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.0 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tlsv11
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv11 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.1 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
no-tlsv12
This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv12 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.2 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
prefer-server-ciphers
This setting is only available when support for OpenSSL was built in. It
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
+#if SSL_OP_NO_TLSv1_1
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
+#endif
SSL_CTX_set_options(ctx, ssloptions);
SSL_CTX_set_mode(ctx, sslmode);
return 0;
}
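Review bot: The four `SSL_CTX_set_ssl_version()` calls added before `SSL_CTX_set_options()` neither check the function's return value nor reject conflicting configuration, so a listener that combines two force-* keywords (the last branch tested silently wins) or a force-* keyword with the matching no-* option (e.g. `force-tlsv10` plus `no-tlsv10`, since the `SSL_OP_NO_*` bits are still applied afterwards) ends up with a context that can negotiate nothing, and the problem only surfaces at handshake time. The return value should be checked and the context preparation failed the way the rest of this function reports errors (its beginning is outside the hunk), and the parsers in the following hunk (`bind_parse_force_sslv3` through `bind_parse_force_tlsv12`) would be the natural place to refuse an already-set `BC_SSL_O_USE_*` flag with `memprintf(err, ...)` and `return ERR_ALERT | ERR_FATAL;`, as `bind_parse_force_tlsv11` already does for an unsupported library. Since the SSLv3-only method disables every TLS version on that listener, the `force-sslv3` documentation added in the earlier hunk should state that consequence explicitly rather than presenting the option only as the cheaper choice.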
+/* parse the "force-sslv3" bind keyword */
+static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_SSLV3;
+ return 0;
+}
+
+/* parse the "force-tlsv10" bind keyword */
+static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_TLSV10;
+ return 0;
+}
+
+/* parse the "force-tlsv11" bind keyword */
+static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_1
+ conf->ssl_options |= BC_SSL_O_USE_TLSV11;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "force-tlsv12" bind keyword */
+static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_2
+ conf->ssl_options |= BC_SSL_O_USE_TLSV12;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+
/* parse the "no-tls-tickets" bind keyword */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "force-sslv3", bind_parse_force_sslv3, 0 }, /* force SSLv3 */
+ { "force-tlsv10", bind_parse_force_tlsv10, 0 }, /* force TLSv10 */
+ { "force-tlsv11", bind_parse_force_tlsv11, 0 }, /* force TLSv11 */
+ { "force-tlsv12", bind_parse_force_tlsv12, 0 }, /* force TLSv12 */
{ "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */