MINOR: ssl: use bit fields to store ssl options instead of one int each
authorEmeric Brun <ebrun@exceliance.fr>
Fri, 5 Oct 2012 11:48:26 +0000 (13:48 +0200)
committerWilly Tarreau <w@1wt.eu>
Fri, 5 Oct 2012 19:53:59 +0000 (21:53 +0200)
There are already too many SSL options, with more still to come: use a bit field
and get rid of all the individual integers. No functional change here.

include/types/listener.h
include/types/server.h
src/cfgparse.c
src/ssl_sock.c

index eda7161875a0e84f67de96b921781f790b938f5c..aba864c7b1ca283ff0d5cecab6bad23f19290c60 100644 (file)
@@ -94,6 +94,17 @@ enum {
  * maxconn setting to the global.maxsock value so that its resources are reserved.
  */
 
+#ifdef USE_OPENSSL
+/* bind_conf ssl options */
+#define BC_SSL_O_NONE           0x0000
+#define BC_SSL_O_NO_SSLV3       0x0001 /* disable SSLv3 */
+#define BC_SSL_O_NO_TLSV10      0x0002 /* disable TLSv10 */
+#define BC_SSL_O_NO_TLSV11      0x0004 /* disable TLSv11 */
+#define BC_SSL_O_NO_TLSV12      0x0008 /* disable TLSv12 */
+/* 0x000F reserved for 'no' protocol version options */
+#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
+#endif
+
 /* "bind" line settings */
 struct bind_conf {
 #ifdef USE_OPENSSL
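Review bot: The comment `/* 0x000F reserved for 'no' protocol version options */` documents a mask that no macro names, so any code that wants to look at the four `BC_SSL_O_NO_*` version bits together (for instance to notice that every protocol version has been disabled) has to hard-code `0x000F`. A named mask beside the flags, e.g. `#define BC_SSL_O_NO_PROTO_MASK 0x000F /* all 'no-<version>' bits */` (constructed name), keeps that knowledge in one place and stays correct when the reserved range is extended. The same applies to the `SRV_SSL_O_*` block this commit adds to include/types/server.h. The gap between 0x0008 and `BC_SSL_O_NO_TLS_TICKETS` at 0x0100 is presumably left for the options "still to come"; a one-line comment saying so would save the next reader from wondering whether bits were dropped.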
@@ -103,11 +114,7 @@ struct bind_conf {
        char *ciphers;             /* cipher suite to use if non-null */
        char *crl_file;            /* CRLfile to use on verify */
        char *ecdhe;               /* named curve to use for ECDHE */
-       int no_tls_tickets;        /* disable session resumption tickets */
-       int no_sslv3;              /* disable SSLv3 */
-       int no_tlsv10;             /* disable TLSv1.0 */
-       int no_tlsv11;             /* disable TLSv1.1 */
-       int no_tlsv12;             /* disable TLSv1.2 */
+       int ssl_options;           /* ssl options */
        int verify;                /* verify method (set of SSL_VERIFY_* flags) */
        SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
        struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
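Review bot: The new `int ssl_options;` is only ever updated with `|=` by the keyword parsers in src/ssl_sock.c, so it must start at `BC_SSL_O_NONE`; the hunk does not show where bind_conf is allocated, and if that is not a calloc() the constructor needs an explicit `conf->ssl_options = BC_SSL_O_NONE;`. The same holds for `ssl_ctx.options` in struct server, which src/cfgparse.c also only ORs into. The field comment `/* ssl options */` could name the flag family so the reader knows which macros belong here: `int ssl_options;           /* BC_SSL_O_* flags */`, and `/* SRV_SSL_O_* flags */` for the server field.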
index a3156e48515165b4293d4f649d4e37ce479e3930..5453b085641df327e1ea5fe97565dc81c1f56812 100644 (file)
 #define SRV_EWGHT_RANGE (SRV_UWGHT_RANGE * BE_WEIGHT_SCALE)
 #define SRV_EWGHT_MAX   (SRV_UWGHT_MAX   * BE_WEIGHT_SCALE)
 
+#ifdef USE_OPENSSL
+/* server ssl options */
+#define SRV_SSL_O_NONE         0x0000
+#define SRV_SSL_O_NO_SSLV3     0x0001 /* disable SSLv3 */
+#define SRV_SSL_O_NO_TLSV10    0x0002 /* disable TLSv1.0 */
+#define SRV_SSL_O_NO_TLSV11    0x0004 /* disable TLSv1.1 */
+#define SRV_SSL_O_NO_TLSV12    0x0008 /* disable TLSv1.2 */
+/* 0x000F reserved for 'no' protocol version options */
+#endif
+
 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back
  * to the server itself.
  */
@@ -178,10 +188,7 @@ struct server {
                SSL_CTX *ctx;
                SSL_SESSION *reused_sess;
                char *ciphers;                  /* cipher suite to use if non-null */
-               int no_sslv3;                   /* disable SSLv3 */
-               int no_tlsv10;                  /* disable TLSv1.0 */
-               int no_tlsv11;                  /* disable TLSv1.1 */
-               int no_tlsv12;                  /* disable TLSv1.2 */
+               int options;                    /* ssl options */
        } ssl_ctx;
 #endif
        struct {
index 1c84ee32836150226e549782d64a622ac1ff61c7..9b1ac46c6bc26790ebcb585deb57a4b4debf8d27 100644 (file)
@@ -4295,7 +4295,7 @@ stats_error_parsing:
                        }
                        else if (!strcmp(args[cur_arg], "no-sslv3")) {
 #ifdef USE_OPENSSL
-                               newsrv->ssl_ctx.no_sslv3 = 1;
+                               newsrv->ssl_ctx.options |= SRV_SSL_O_NO_SSLV3;
                                cur_arg += 1;
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
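Review bot: With the four protocol flags now living in one bit field, the `"no-sslv3"`, `"no-tlsv10"`, `"no-tlsv11"` and `"no-tlsv12"` branches (this hunk and the three that follow) differ only in the keyword string and the `SRV_SSL_O_*` bit they OR in, while each repeats the `#ifdef USE_OPENSSL` / `cur_arg += 1` / Alert() scaffolding. A small keyword-to-bit table looked up from a single branch would make adding the next option a one-line change and keep the "not implemented" Alert in one place. The surrounding keyword loop starts and ends outside the hunk, so the merged branch below is shown in isolation.
```c
			else if (!strcmp(args[cur_arg], "no-sslv3") || !strcmp(args[cur_arg], "no-tlsv10") ||
			         !strcmp(args[cur_arg], "no-tlsv11") || !strcmp(args[cur_arg], "no-tlsv12")) {
#ifdef USE_OPENSSL
				/* keyword -> SRV_SSL_O_* bit; extend here when a new version option is added */
				static const struct { const char *kw; int bit; } no_proto[] = {
					{ "no-sslv3",  SRV_SSL_O_NO_SSLV3  },
					{ "no-tlsv10", SRV_SSL_O_NO_TLSV10 },
					{ "no-tlsv11", SRV_SSL_O_NO_TLSV11 },
					{ "no-tlsv12", SRV_SSL_O_NO_TLSV12 },
				};
				for (size_t i = 0; i < sizeof no_proto / sizeof no_proto[0]; i++)
					if (!strcmp(args[cur_arg], no_proto[i].kw))
						newsrv->ssl_ctx.options |= no_proto[i].bit;
				cur_arg += 1;
#else /* USE_OPENSSL */
				/* … unchanged: "option not implemented" Alert … */
```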
@@ -4306,7 +4306,7 @@ stats_error_parsing:
                        }
                        else if (!strcmp(args[cur_arg], "no-tlsv10")) {
 #ifdef USE_OPENSSL
-                               newsrv->ssl_ctx.no_tlsv10 = 1;
+                               newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV10;
                                cur_arg += 1;
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4317,7 +4317,7 @@ stats_error_parsing:
                        }
                        else if (!strcmp(args[cur_arg], "no-tlsv11")) {
 #ifdef USE_OPENSSL
-                               newsrv->ssl_ctx.no_tlsv11 = 1;
+                               newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV11;
                                cur_arg += 1;
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4328,7 +4328,7 @@ stats_error_parsing:
                        }
                        else if (!strcmp(args[cur_arg], "no-tlsv12")) {
 #ifdef USE_OPENSSL
-                               newsrv->ssl_ctx.no_tlsv12 = 1;
+                               newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV12;
                                cur_arg += 1;
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6360,13 +6360,13 @@ out_uri_auth_compat:
                                                goto next_srv;
                                }
 
-                               if (newsrv->ssl_ctx.no_sslv3)
+                               if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
                                        ssloptions |= SSL_OP_NO_SSLv3;
-                               if (newsrv->ssl_ctx.no_tlsv10)
+                               if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
                                        ssloptions |= SSL_OP_NO_TLSv1;
-                               if (newsrv->ssl_ctx.no_tlsv11)
+                               if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
                                        ssloptions |= SSL_OP_NO_TLSv1_1;
-                               if (newsrv->ssl_ctx.no_tlsv12)
+                               if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
                                        ssloptions |= SSL_OP_NO_TLSv1_2;
                                SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
                                SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
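Review bot: After the four `if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_*)` lines nothing checks whether the configuration disabled every protocol version at once, which leaves a server context that can never negotiate a handshake and only fails at connect time; now that the flags are bits this is a cheap check to make at parse-validation time. Something like `int no_proto = SRV_SSL_O_NO_SSLV3 | SRV_SSL_O_NO_TLSV10 | SRV_SSL_O_NO_TLSV11 | SRV_SSL_O_NO_TLSV12;` followed by `if ((newsrv->ssl_ctx.options & no_proto) == no_proto)` and an Alert() (or a warning, if an unusable server is tolerated here) would catch the mistake where the user sees it. The same check is missing on the bind side in ssl_sock_prepare_ctx in src/ssl_sock.c, using the `BC_SSL_O_NO_*` bits. The enclosing function starts and ends outside the hunk.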
index f951be63be103d9aed5a1912018da4e4fc8fd96f..af02a6986cd717a1b692b3bbe342cf68f865b977 100644 (file)
@@ -484,15 +484,15 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
                SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                SSL_MODE_RELEASE_BUFFERS;
 
-       if (bind_conf->no_sslv3)
+       if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
                ssloptions |= SSL_OP_NO_SSLv3;
-       if (bind_conf->no_tlsv10)
+       if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
                ssloptions |= SSL_OP_NO_TLSv1;
-       if (bind_conf->no_tlsv11)
+       if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
                ssloptions |= SSL_OP_NO_TLSv1_1;
-       if (bind_conf->no_tlsv12)
+       if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
                ssloptions |= SSL_OP_NO_TLSv1_2;
-       if (bind_conf->no_tls_tickets)
+       if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
                ssloptions |= SSL_OP_NO_TICKET;
 
        SSL_CTX_set_options(ctx, ssloptions);
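Review bot: The five `if (bind_conf->ssl_options & BC_SSL_O_…)` lines translate each option bit into its SSL_OP_* flag by hand, and src/cfgparse.c repeats the same shape for the server side, so each option "still to come" (commit message) means adding a new if-pair in two places. A static bit-to-flag table walked in a loop keeps the mapping in one declaration per side and makes a missing translation visible at a glance. ssl_sock_prepare_ctx starts outside the hunk; the type of `ssloptions` is not visible here, so the `long` below assumes it matches the SSL_OP_* constants — confirm.
```c
	/* BC_SSL_O_* bit -> OpenSSL SSL_OP_* flag */
	static const struct { int opt; long ssl_op; } opt_map[] = {
		{ BC_SSL_O_NO_SSLV3,       SSL_OP_NO_SSLv3   },
		{ BC_SSL_O_NO_TLSV10,      SSL_OP_NO_TLSv1   },
		{ BC_SSL_O_NO_TLSV11,      SSL_OP_NO_TLSv1_1 },
		{ BC_SSL_O_NO_TLSV12,      SSL_OP_NO_TLSv1_2 },
		{ BC_SSL_O_NO_TLS_TICKETS, SSL_OP_NO_TICKET  },
	};
	for (size_t i = 0; i < sizeof opt_map / sizeof opt_map[0]; i++)
		if (bind_conf->ssl_options & opt_map[i].opt)
			ssloptions |= opt_map[i].ssl_op;
	/* … unchanged: SSL_CTX_set_options(ctx, ssloptions) … */
```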
@@ -1248,7 +1248,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 /* parse the "no-tls-tickets" bind keyword */
 static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-       conf->no_tls_tickets = 1;
+       conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
        return 0;
 }
 
@@ -1256,28 +1256,28 @@ static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px,
 /* parse the "no-sslv3" bind keyword */
 static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-       conf->no_sslv3 = 1;
+       conf->ssl_options |= BC_SSL_O_NO_SSLV3;
        return 0;
 }
 
 /* parse the "no-tlsv10" bind keyword */
 static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-       conf->no_tlsv10 = 1;
+       conf->ssl_options |= BC_SSL_O_NO_TLSV10;
        return 0;
 }
 
 /* parse the "no-tlsv11" bind keyword */
 static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-       conf->no_tlsv11 = 1;
+       conf->ssl_options |= BC_SSL_O_NO_TLSV11;
        return 0;
 }
 
 /* parse the "no-tlsv12" bind keyword */
 static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-       conf->no_tlsv12 = 1;
+       conf->ssl_options |= BC_SSL_O_NO_TLSV12;
        return 0;
 }