BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0

In bug #676, it was reported that ssl-min-ver SSLv3 does not work in
Amazon environments with OpenSSL 1.0.2.

The reason for this is a patch of Amazon OpenSSL which sets
SSL_OP_NO_SSLv3 in SSL_CTX_new(). Which is kind of a problem with our
implementation of ssl-{min,max}-ver in old openSSL versions, because it
does not try to clear existing version flags.

This patch fixes the bug by cleaning versions flags known by HAProxy in
the SSL_CTX before applying the right ones.

Should be backported as far as 1.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 81a862d68cc97966da9dea53b520408d70a1cd40..322613c375089ca6c29eebb87478b0400d3e7edb 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3711,9 +3711,15 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
        if (min == max)
                methodVersions[min].ctx_set_version(ctx, SET_SERVER);
        else
-               for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
+               for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
+                       /* clear every version flags in case SSL_CTX_new()
+                        * returns an SSL_CTX with disabled versions */
+                       SSL_CTX_clear_options(ctx, methodVersions[i].option);
+
                        if (flags & methodVersions[i].flag)
                                options |= methodVersions[i].option;
+
+               }
 #else   /* openssl >= 1.1.0 */
        /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
         methodVersions[min].ctx_set_version(ctx, SET_MIN);