it may make sense to use a positive value for an SMTP socket and a negative
one for an RDP socket.
-nosslv3
+no-sslv3
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage.
-notlsv10
+no-tlsv10
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv10 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
be enabled using any configuration option.
-notlsv11
+no-tlsv11
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv11 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
be enabled using any configuration option.
-notlsv12
+no-tlsv12
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv12 on any sockets instanciated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
Supported in default-server: Yes
-nosslv3
+no-sslv3
This option disables support for SSLv3 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option.
Supported in default-server: No
-notlsv10
+no-tlsv10
This option disables support for TLSv10 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
Supported in default-server: No
-notlsv11
+no-tlsv11
This option disables support for TLSv11 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
Supported in default-server: No
-notlsv12
+no-tlsv12
This option disables support for TLSv12 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
char *crlfile; /* CRLfile to use on verify */
char *ecdhe; /* named curve to use for ECDHE */
int no_tls_tickets; /* disable session resumption tickets */
- int nosslv3; /* disable SSLv3 */
- int notlsv10; /* disable TLSv1.0 */
- int notlsv11; /* disable TLSv1.1 */
- int notlsv12; /* disable TLSv1.2 */
+ int no_sslv3; /* disable SSLv3 */
+ int no_tlsv10; /* disable TLSv1.0 */
+ int no_tlsv11; /* disable TLSv1.1 */
+ int no_tlsv12; /* disable TLSv1.2 */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
SSL_CTX *ctx;
SSL_SESSION *reused_sess;
char *ciphers; /* cipher suite to use if non-null */
- int nosslv3; /* disable SSLv3 */
- int notlsv10; /* disable TLSv1.0 */
- int notlsv11; /* disable TLSv1.1 */
- int notlsv12; /* disable TLSv1.2 */
+ int no_sslv3; /* disable SSLv3 */
+ int no_tlsv10; /* disable TLSv1.0 */
+ int no_tlsv11; /* disable TLSv1.1 */
+ int no_tlsv12; /* disable TLSv1.2 */
} ssl_ctx;
#endif
struct {
goto out;
#endif
}
- else if (!strcmp(args[cur_arg], "nosslv3")) {
+ else if (!strcmp(args[cur_arg], "no-sslv3")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.nosslv3 = 1;
+ newsrv->ssl_ctx.no_sslv3 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv10")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv10")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv10 = 1;
+ newsrv->ssl_ctx.no_tlsv10 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv11")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv11")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv11 = 1;
+ newsrv->ssl_ctx.no_tlsv11 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv12")) {
+ else if (!strcmp(args[cur_arg], "no-tlsv12")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv12 = 1;
+ newsrv->ssl_ctx.no_tlsv12 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
goto next_srv;
}
- if (newsrv->ssl_ctx.nosslv3)
+ if (newsrv->ssl_ctx.no_sslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.notlsv10)
+ if (newsrv->ssl_ctx.no_tlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (newsrv->ssl_ctx.notlsv11)
+ if (newsrv->ssl_ctx.no_tlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (newsrv->ssl_ctx.notlsv12)
+ if (newsrv->ssl_ctx.no_tlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS;
- if (bind_conf->nosslv3)
+ if (bind_conf->no_sslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->notlsv10)
+ if (bind_conf->no_tlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (bind_conf->notlsv11)
+ if (bind_conf->no_tlsv11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (bind_conf->notlsv12)
+ if (bind_conf->no_tlsv12)
ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->no_tls_tickets)
ssloptions |= SSL_OP_NO_TICKET;
}
-/* parse the "nosslv3" bind keyword */
-static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-sslv3" bind keyword */
+static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->nosslv3 = 1;
+ conf->no_sslv3 = 1;
return 0;
}
-/* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv10" bind keyword */
+static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv10 = 1;
+ conf->no_tlsv10 = 1;
return 0;
}
-/* parse the "notlsv11" bind keyword */
-static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv11" bind keyword */
+static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv11 = 1;
+ conf->no_tlsv11 = 1;
return 0;
}
-/* parse the "notlsv12" bind keyword */
-static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv12" bind keyword */
+static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv12 = 1;
+ conf->no_tlsv12 = 1;
return 0;
}
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
+ { "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
+ { "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */
+ { "no-tlsv12", bind_parse_no_tlsv12, 0 }, /* disable TLSv12 */
{ "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
- { "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
- { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
- { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
- { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 },
projects / thirdparty / haproxy.git / commitdiff
