MEDIUM: ssl: remove ssl-options from crt-list

ssl-options are link to the initial negotiation environnement worn
by default_ctx.
Remove it from crt-list to avoid any confusion.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index aaffa38cf31779ef992a0c42e1521f46ce9bb9cb..25e6bf4f803eb7d63d62ef6fb0d7941fddd7967b 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10269,7 +10269,7 @@ crt-list <file>
         <crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
 
   sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe",
-  "curves", "ciphers" configuration and ssl options (see "ssl-default-bind-options").
+  "curves", "ciphers" configuration.
   It override the configuration set in bind line for the certificate.
 
   Wildcards are supported in the SNI filter. Negative filter are also supported,

diff --git a/include/types/listener.h b/include/types/listener.h
index d813deb354fd2ca702c4330449494f99efef105d..b8ddae8e49c67e529fac8218b642f3f6036e6098 100644 (file)
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -132,7 +132,6 @@ struct ssl_bind_conf {
        char *ciphers;             /* cipher suite to use if non-null */
        char *curves;              /* curves suite to use for ECDHE */
        char *ecdhe;               /* named curve to use for ECDHE */
-       int ssl_options;           /* ssl options */
 #endif
 };
 
@@ -145,6 +144,7 @@ struct bind_conf {
        SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
        struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
        int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
+       int ssl_options;           /* ssl options */
        struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
        struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
        struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 62870aaa76312f38e886706aa781edf9154c860e..0b03ee280151bf2fcd5fdd6e620b5f84d7df7d84 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -120,7 +120,7 @@
 #define HASH_FUNCT EVP_sha256
 #endif /* OPENSSL_NO_SHA256 */
 
-static SSL_CTX *ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf);
+static SSL_CTX *ssl_sock_new_ctx(struct bind_conf *bind_conf);
 
 /* server and bind verify method, it uses a global value as default */
 enum {
@@ -2536,7 +2536,7 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
 
                if (cur_ctx == NULL) {
                        /* need to create SSL_CTX */
-                       cur_ctx = ssl_sock_new_ctx(bind_conf, ssl_conf);
+                       cur_ctx = ssl_sock_new_ctx(bind_conf);
                        if (cur_ctx == NULL) {
                                memprintf(err, "%sunable to allocate SSL context.\n",
                                          err && *err ? *err : "");
@@ -2762,7 +2762,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
        int ret;
        SSL_CTX *ctx;
 
-       ctx = ssl_sock_new_ctx(bind_conf, ssl_conf);
+       ctx = ssl_sock_new_ctx(bind_conf);
        if (!ctx) {
                memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
                          err && *err ? *err : "", path);
@@ -3178,7 +3178,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 
 /* create an SSL_CTX according method wanted */
 static SSL_CTX *
-ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf)
+ssl_sock_new_ctx(struct bind_conf *bind_conf)
 {
        SSL_CTX *ctx = NULL;
        long ssloptions =
@@ -3194,7 +3194,7 @@ ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf)
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                SSL_MODE_RELEASE_BUFFERS |
                SSL_MODE_SMALL_BUFFERS;
-       int conf_ssl_options = bind_conf->ssl_conf.ssl_options | (ssl_conf ? ssl_conf->ssl_options : 0);
+       int conf_ssl_options = bind_conf->ssl_options;
 
 #if SSL_OP_NO_TLSv1_2
        if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV12)
@@ -6105,7 +6105,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 }
 
 /* parse the "force-sslv3" bind keyword */
-static int ssl_bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 #ifndef OPENSSL_NO_SSL3
        conf->ssl_options |= BC_SSL_O_USE_SSLV3;
@@ -6116,24 +6116,16 @@ static int ssl_bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
-static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_force_sslv3(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "force-tlsv10" bind keyword */
-static int ssl_bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_USE_TLSV10;
        return 0;
 }
-static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_force_tlsv10(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "force-tlsv11" bind keyword */
-static int ssl_bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 #if SSL_OP_NO_TLSv1_1
        conf->ssl_options |= BC_SSL_O_USE_TLSV11;
@@ -6144,13 +6136,9 @@ static int ssl_bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *p
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
-static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_force_tlsv11(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "force-tlsv12" bind keyword */
-static int ssl_bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 #if SSL_OP_NO_TLSv1_2
        conf->ssl_options |= BC_SSL_O_USE_TLSV12;
@@ -6161,65 +6149,41 @@ static int ssl_bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *p
        return ERR_ALERT | ERR_FATAL;
 #endif
 }
-static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_force_tlsv12(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "no-tls-tickets" bind keyword */
-static int ssl_bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
        return 0;
 }
-static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_no_tls_tickets(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "no-sslv3" bind keyword */
-static int ssl_bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_NO_SSLV3;
        return 0;
 }
-static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_no_sslv3(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "no-tlsv10" bind keyword */
-static int ssl_bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_NO_TLSV10;
        return 0;
 }
-static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_no_tlsv10(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "no-tlsv11" bind keyword */
-static int ssl_bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_NO_TLSV11;
        return 0;
 }
-static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_no_tlsv11(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "no-tlsv12" bind keyword */
-static int ssl_bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        conf->ssl_options |= BC_SSL_O_NO_TLSV12;
        return 0;
 }
-static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-{
-       return ssl_bind_parse_no_tlsv12(args, cur_arg, px, &conf->ssl_conf, err);
-}
 
 /* parse the "npn" bind keyword */
 static int ssl_bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
@@ -6341,7 +6305,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 
        if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
                conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
-       conf->ssl_conf.ssl_options |= global_ssl.listen_default_ssloptions;
+       conf->ssl_options |= global_ssl.listen_default_ssloptions;
 
        return 0;
 }
@@ -7386,15 +7350,6 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
        { "crl-file",              ssl_bind_parse_crl_file,         1 }, /* set certificat revocation list file use on client cert verify */
        { "curves",                ssl_bind_parse_curves,           1 }, /* set SSL curve suite */
        { "ecdhe",                 ssl_bind_parse_ecdhe,            1 }, /* defines named curve for elliptic curve Diffie-Hellman */
-       { "force-sslv3",           ssl_bind_parse_force_sslv3,      0 }, /* force SSLv3 */
-       { "force-tlsv10",          ssl_bind_parse_force_tlsv10,     0 }, /* force TLSv10 */
-       { "force-tlsv11",          ssl_bind_parse_force_tlsv11,     0 }, /* force TLSv11 */
-       { "force-tlsv12",          ssl_bind_parse_force_tlsv12,     0 }, /* force TLSv12 */
-       { "no-sslv3",              ssl_bind_parse_no_sslv3,         0 }, /* disable SSLv3 */
-       { "no-tlsv10",             ssl_bind_parse_no_tlsv10,        0 }, /* disable TLSv10 */
-       { "no-tlsv11",             ssl_bind_parse_no_tlsv11,        0 }, /* disable TLSv11 */
-       { "no-tlsv12",             ssl_bind_parse_no_tlsv12,        0 }, /* disable TLSv12 */
-       { "no-tls-tickets",        ssl_bind_parse_no_tls_tickets,   0 }, /* disable session resumption tickets */
        { "npn",                   ssl_bind_parse_npn,              1 }, /* set NPN supported protocols */
        { "verify",                ssl_bind_parse_verify,           1 }, /* set SSL verify method */
        { NULL, NULL, 0 },