MINOR: ssl: Remove the global allow-0rtt option.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 786e5c3c1eb695de39c84430dc0e3428c3443c86..8ee56e417efe13936496ccc789afbd82f194ac23 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -856,10 +856,6 @@ resetenv [<name> ...]
   next line in the configuration file sees the new environment. See also
   "setenv", "presetenv", and "unsetenv".
 
-ssl-allow-0rtt
-  Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be
-  sure to know the security implications before activating it.
-
 stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
   Limits the stats socket to a certain set of processes numbers. By default the
   stats socket is bound to all processes, causing a warning to be emitted when

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index fbfd27bad04d4b2df0dcf084ce6e83a2d492c1c0..b1d39dbbd6262ac2b950cafd14c3b11842b7f60e 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -166,7 +166,6 @@ static struct {
        char *crt_base;             /* base directory path for certificates */
        char *ca_base;              /* base directory path for CAs and CRLs */
        int  async;                 /* whether we use ssl async mode */
-       int default_early_data;     /* Shall we default to allow early data */
 
        char *listen_default_ciphers;
        char *connect_default_ciphers;
@@ -7403,7 +7402,6 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
                conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
        conf->ssl_options |= global_ssl.listen_default_ssloptions;
        conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
-       conf->ssl_conf.early_data = global_ssl.default_early_data;
        if (!conf->ssl_conf.ssl_methods.min)
                conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min;
        if (!conf->ssl_conf.ssl_methods.max)
@@ -7897,23 +7895,6 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr
        return 0;
 }
 
-/* parse the "ssl-allow-0rtt" keyword in global section.
- * Returns <0 on alert, >0 on warning, 0 on success.
- */
-static int ssl_parse_global_ssl_allow_0rtt(char **args, int section_type,
-    struct proxy *curpx, struct proxy *defpx, const char *file, int line,
-    char **err)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-        global_ssl.default_early_data = 1;
-        return 0;
-#else
-        memprintf(err, "'%s': openssl library does not early data", args[0]);
-        return -1;
-#endif
-
-}
-
 /* parse the "ssl-mode-async" keyword in global section.
  * Returns <0 on alert, >0 on warning, 0 on success.
  */
@@ -8604,7 +8585,6 @@ static struct cfg_kw_list cfg_kws = {ILH, {
        { CFG_GLOBAL, "ca-base",  ssl_parse_global_ca_crt_base },
        { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
        { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
-       { CFG_GLOBAL, "ssl-allow-0rtt", ssl_parse_global_ssl_allow_0rtt },
        { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
        { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
 #ifndef OPENSSL_NO_DH