This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for
high connection rates. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with
the server. This option is also available on global statement
- "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3".
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+ Supported in default-server: No
id <value>
Set a persistent ID for the server. This ID must be positive and unique for
It may also be used as "default-server" setting to reset any previous
"default-server" "check-ssl" setting.
-no-force-sslv3
- This option may be used as "server" setting to reset any "force-sslv3"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-sslv3" setting.
-
-no-force-tlsv10
- This option may be used as "server" setting to reset any "force-tlsv10"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv10" setting.
-
-no-force-tlsv11
- This option may be used as "server" setting to reset any "force-tlsv11"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv11" setting.
-
-no-force-tlsv12
- This option may be used as "server" setting to reset any "force-tlsv12"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "force-tlsv12" setting.
-
no-send-proxy
This option may be used as "server" setting to reset any "send-proxy"
setting which would have been inherited from "default-server" directive as
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. See also "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
option is also available on global statement "ssl-default-server-options".
See also "tlsv10", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tlsv11
This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
option is also available on global statement "ssl-default-server-options".
See also "tlsv11", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-tlsv12
This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
option is also available on global statement "ssl-default-server-options".
See also "tlsv12", "force-sslv3", "force-tlsv*".
+ Supported in default-server: No
+
no-verifyhost
This option may be used as "server" setting to reset any "verifyhost"
setting which would have been inherited from "default-server" directive as
See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
SSL health checks.
-sslv3
- This option may be used as "server" setting to reset any "no-sslv3"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-sslv3" setting.
-
ssl-reuse
This option may be used as "server" setting to reset any "no-ssl-reuse"
setting which would have been inherited from "default-server" directive as
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
used, it has to be enabled on both proxies.
-tlsv10
- This option may be used as "server" setting to reset any "no-tlsv10"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv10" setting.
-
-tlsv11
- This option may be used as "server" setting to reset any "no-tlsv11"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv11" setting.
-
-tlsv12
- This option may be used as "server" setting to reset any "no-tlsv12"
- setting which would have been inherited from "default-server" directive as
- default value.
- It may also be used as "default-server" setting to reset any previous
- "default-server" "no-tlsv12" setting.
-
tls-tickets
This option may be used as "server" setting to reset any "no-tls-tickets"
setting which would have been inherited from "default-server" directive as
return 0;
}
-/* parse the "no-force-sslv3" server keyword */
-static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#ifndef OPENSSL_NO_SSL3
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv10" server keyword */
-static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10;
- return 0;
-}
-
-/* parse the "no-force-tlsv11" server keyword */
-static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_1
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv12" server keyword */
-static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_2
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12;
- return 0;
-#else
- if (err)
- memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
- return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
/* parse the "no-send-proxy-v2-ssl" server keyword */
static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
return 0;
}
-/* parse the "sslv3" server keyword */
-static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
- return 0;
-}
-
-/* parse the "tlsv10" server keyword */
-static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
- return 0;
-}
-
-/* parse the "tlsv11" server keyword */
-static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
- return 0;
-}
-
-/* parse the "tlsv12" server keyword */
-static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
- newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
- return 0;
-}
-
/* parse the "tls-tickets" server keyword */
static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 1 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 1 }, /* force TLSv12 */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
- { "no-force-sslv3", srv_parse_no_force_sslv3, 0, 1 }, /* do not force SSLv3 */
- { "no-force-tlsv10", srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
- { "no-force-tlsv11", srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
- { "no-force-tlsv12", srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
{ "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
- { "no-sslv3", srv_parse_no_sslv3, 0, 1 }, /* disable SSLv3 */
- { "no-tlsv10", srv_parse_no_tlsv10, 0, 1 }, /* disable TLSv10 */
- { "no-tlsv11", srv_parse_no_tlsv11, 0, 1 }, /* disable TLSv11 */
- { "no-tlsv12", srv_parse_no_tlsv12, 0, 1 }, /* disable TLSv12 */
+ { "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
+ { "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
+ { "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
+ { "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */
{ "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */
{ "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */
{ "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
- { "sslv3", srv_parse_sslv3, 0, 1 }, /* enable SSLv3 */
- { "tlsv10", srv_parse_tlsv10, 0, 1 }, /* enable TLSv10 */
- { "tlsv11", srv_parse_tlsv11, 0, 1 }, /* enable TLSv11 */
- { "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */
{ "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
{ "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
{ "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */
projects / thirdparty / haproxy.git / commitdiff
