goto out;
#endif /* USE_OPENSSL */
}
- else if (!strcmp(args[cur_arg], "notlsv1")) {
+ else if (!strcmp(args[cur_arg], "notlsv10")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv1 = 1;
+ newsrv->ssl_ctx.notlsv10 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv11")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv11 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv12")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv12 = 1;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
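Review bot: The `-`/`+` pair at the top of this hunk renames the server keyword from `notlsv1` to `notlsv10` without keeping the old spelling, so an existing configuration that used `notlsv1` to keep TLSv1.0 off will presumably now fall through to whatever the trailing `else` of this chain does instead of disabling the protocol. Accepting both spellings costs one line: `else if (!strcmp(args[cur_arg], "notlsv10") || !strcmp(args[cur_arg], "notlsv1")) {`. The same compatibility gap appears in the bind keyword table hunk at the end of the diff, where keeping an extra entry `{ "notlsv1", bind_parse_notlsv10, 0 }, /* disable TLSv1.0 (legacy spelling) */` would preserve old configs. The enclosing parser function starts and ends outside the hunk.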
#endif
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
#endif
if (newsrv->use_ssl) {
int ssloptions =
if (newsrv->ssl_ctx.nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.notlsv1)
+ if (newsrv->ssl_ctx.notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
+ if (newsrv->ssl_ctx.notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (newsrv->ssl_ctx.notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
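Review bot: Defining `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` to `0` when the OpenSSL headers lack them means that on such a build `notlsv11`/`notlsv12` are accepted by the parser but the `ssloptions |= ...` lines here change nothing, so the operator gets no signal that the setting is inert; the identical fallback block is duplicated in the bind-side hunk below and would be better defined once in a shared header so the two copies cannot drift. An OpenSSL that lacks these option bits presumably cannot negotiate TLSv1.1/1.2 either, so the practical exposure is likely small, but a diagnostic through the same `Alert()` helper the parser already uses, guarded by `#if !SSL_OP_NO_TLSv1_1` / `#if !SSL_OP_NO_TLSv1_2`, would tell the operator the option has no effect on this build. The `int ssloptions =` initializer is truncated in this view, so its initial value cannot be checked here.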
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
+#endif
#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
#define SSL_OP_SINGLE_DH_USE 0
#endif
if (bind_conf->nosslv3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->notlsv1)
+ if (bind_conf->notlsv10)
ssloptions |= SSL_OP_NO_TLSv1;
+ if (bind_conf->notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (bind_conf->notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
/* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv1(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv10 = 1;
+ return 0;
+}
+
+/* parse the "notlsv11" bind keyword */
+static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv11 = 1;
+ return 0;
+}
+
+/* parse the "notlsv12" bind keyword */
+static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->notlsv1 = 1;
+ conf->notlsv12 = 1;
return 0;
}
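Review bot: The unchanged context line `/* parse the "notlsv1" bind keyword */` now heads `bind_parse_notlsv10`, while the two new functions below it received matching `notlsv11`/`notlsv12` comments, so the first comment is stale after the rename; change it to `/* parse the "notlsv10" bind keyword */`. The three parsers are otherwise identical one-line setters in the same shape as the existing `bind_parse_nosslv3`, so no further change is needed there.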
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
- { "notlsv1", bind_parse_notlsv1, 0 }, /* disable TLSv1 */
+ { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
+ { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
+ { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */