From: Emeric Brun
Date: Fri, 5 Oct 2012 09:55:06 +0000 (+0200)
Subject: MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
X-Git-Tag: v1.5-dev13~188
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b3009b440b9be283560b6d210f1ab2676736213;p=thirdparty%2Fhaproxy.git
MEDIUM: conf: rename 'nosslv3' and 'notlsvXX' statements 'no-sslv3' and 'no-tlsvXX'.
These ones were really not easy to read nor write, and become confusing with the next ones to be added.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 60e2477a59..66ce224a08 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6907,7 +6907,7 @@ nice
   it may make sense to use a positive value for an SMTP socket and a negative
   one for an RDP socket.
 
-nosslv3
+no-sslv3
   This setting is only available when support for OpenSSL was built in. It
   disables support for SSLv3 on any sockets instanciated from the listener when
   SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
@@ -6919,19 +6919,19 @@ no-tls-tickets
   extension) and force to use stateful session resumption. Stateless
   session resumption is more expensive in CPU usage.
 
-notlsv10
+no-tlsv10
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv10 on any sockets instanciated from the listener when
   SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
   be enabled using any configuration option.
 
-notlsv11
+no-tlsv11
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv11 on any sockets instanciated from the listener when
   SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
   be enabled using any configuration option.
 
-notlsv12
+no-tlsv12
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv12 on any sockets instanciated from the listener when
   SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
@@ -7192,14 +7192,14 @@ minconn
 
   Supported in default-server: Yes
 
-nosslv3
+no-sslv3
   This option disables support for SSLv3 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option.
 
   Supported in default-server: No
 
-notlsv10
+no-tlsv10
   This option disables support for TLSv10 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
@@ -7207,7 +7207,7 @@ notlsv10
 
   Supported in default-server: No
 
-notlsv11
+no-tlsv11
   This option disables support for TLSv11 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
@@ -7215,7 +7215,7 @@ notlsv11
 
   Supported in default-server: No
 
-notlsv12
+no-tlsv12
   This option disables support for TLSv12 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
diff --git a/include/types/listener.h b/include/types/listener.h
index 2f0f34db4b..53f9016077 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -104,10 +104,10 @@ struct bind_conf {
 	char *crlfile;             /* CRLfile to use on verify */
 	char *ecdhe;               /* named curve to use for ECDHE */
 	int no_tls_tickets;        /* disable session resumption tickets */
-	int nosslv3;               /* disable SSLv3 */
-	int notlsv10;              /* disable TLSv1.0 */
-	int notlsv11;              /* disable TLSv1.1 */
-	int notlsv12;              /* disable TLSv1.2 */
+	int no_sslv3;              /* disable SSLv3 */
+	int no_tlsv10;             /* disable TLSv1.0 */
+	int no_tlsv11;             /* disable TLSv1.1 */
+	int no_tlsv12;             /* disable TLSv1.2 */
 	int verify;                /* verify method (set of SSL_VERIFY_* flags) */
 	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
 	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
diff --git a/include/types/server.h b/include/types/server.h
index acfdeafc4f..a3156e4851 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -178,10 +178,10 @@ struct server {
 		SSL_CTX *ctx;
 		SSL_SESSION *reused_sess;
 		char *ciphers;             /* cipher suite to use if non-null */
-		int nosslv3;               /* disable SSLv3 */
-		int notlsv10;              /* disable TLSv1.0 */
-		int notlsv11;              /* disable TLSv1.1 */
-		int notlsv12;              /* disable TLSv1.2 */
+		int no_sslv3;              /* disable SSLv3 */
+		int no_tlsv10;             /* disable TLSv1.0 */
+		int no_tlsv11;             /* disable TLSv1.1 */
+		int no_tlsv12;             /* disable TLSv1.2 */
 	} ssl_ctx;
 #endif
 	struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index ed3157b30e..151bda49c4 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4293,9 +4293,9 @@ stats_error_parsing:
 				goto out;
 #endif
 			}
-			else if (!strcmp(args[cur_arg], "nosslv3")) {
+			else if (!strcmp(args[cur_arg], "no-sslv3")) {
 #ifdef USE_OPENSSL
-				newsrv->ssl_ctx.nosslv3 = 1;
+				newsrv->ssl_ctx.no_sslv3 = 1;
 				cur_arg += 1;
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4304,9 +4304,9 @@ stats_error_parsing:
 				goto out;
 #endif /* USE_OPENSSL */
 			}
-			else if (!strcmp(args[cur_arg], "notlsv10")) {
+			else if (!strcmp(args[cur_arg], "no-tlsv10")) {
 #ifdef USE_OPENSSL
-				newsrv->ssl_ctx.notlsv10 = 1;
+				newsrv->ssl_ctx.no_tlsv10 = 1;
 				cur_arg += 1;
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4315,9 +4315,9 @@ stats_error_parsing:
 				goto out;
 #endif /* USE_OPENSSL */
 			}
-			else if (!strcmp(args[cur_arg], "notlsv11")) {
+			else if (!strcmp(args[cur_arg], "no-tlsv11")) {
 #ifdef USE_OPENSSL
-				newsrv->ssl_ctx.notlsv11 = 1;
+				newsrv->ssl_ctx.no_tlsv11 = 1;
 				cur_arg += 1;
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4326,9 +4326,9 @@ stats_error_parsing:
 				goto out;
 #endif /* USE_OPENSSL */
 			}
-			else if (!strcmp(args[cur_arg], "notlsv12")) {
+			else if (!strcmp(args[cur_arg], "no-tlsv12")) {
 #ifdef USE_OPENSSL
-				newsrv->ssl_ctx.notlsv12 = 1;
+				newsrv->ssl_ctx.no_tlsv12 = 1;
 				cur_arg += 1;
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6360,13 +6360,13 @@ out_uri_auth_compat:
 				goto next_srv;
 			}
 
-			if (newsrv->ssl_ctx.nosslv3)
+			if (newsrv->ssl_ctx.no_sslv3)
 				ssloptions |= SSL_OP_NO_SSLv3;
-			if (newsrv->ssl_ctx.notlsv10)
+			if (newsrv->ssl_ctx.no_tlsv10)
 				ssloptions |= SSL_OP_NO_TLSv1;
-			if (newsrv->ssl_ctx.notlsv11)
+			if (newsrv->ssl_ctx.no_tlsv11)
 				ssloptions |= SSL_OP_NO_TLSv1_1;
-			if (newsrv->ssl_ctx.notlsv12)
+			if (newsrv->ssl_ctx.no_tlsv12)
 				ssloptions |= SSL_OP_NO_TLSv1_2;
 			SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 			SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index df09f9ad5d..5fc5f1660a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -484,13 +484,13 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 		SSL_MODE_RELEASE_BUFFERS;
 
-	if (bind_conf->nosslv3)
+	if (bind_conf->no_sslv3)
 		ssloptions |= SSL_OP_NO_SSLv3;
-	if (bind_conf->notlsv10)
+	if (bind_conf->no_tlsv10)
 		ssloptions |= SSL_OP_NO_TLSv1;
-	if (bind_conf->notlsv11)
+	if (bind_conf->no_tlsv11)
 		ssloptions |= SSL_OP_NO_TLSv1_1;
-	if (bind_conf->notlsv12)
+	if (bind_conf->no_tlsv12)
 		ssloptions |= SSL_OP_NO_TLSv1_2;
 	if (bind_conf->no_tls_tickets)
 		ssloptions |= SSL_OP_NO_TICKET;
@@ -1253,31 +1253,31 @@ static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px,
 }
 
 
-/* parse the "nosslv3" bind keyword */
-static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-sslv3" bind keyword */
+static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	conf->nosslv3 = 1;
+	conf->no_sslv3 = 1;
 	return 0;
 }
 
-/* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv10" bind keyword */
+static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	conf->notlsv10 = 1;
+	conf->no_tlsv10 = 1;
 	return 0;
 }
 
-/* parse the "notlsv11" bind keyword */
-static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv11" bind keyword */
+static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	conf->notlsv11 = 1;
+	conf->no_tlsv11 = 1;
 	return 0;
 }
 
-/* parse the "notlsv12" bind keyword */
-static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+/* parse the "no-tlsv12" bind keyword */
+static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	conf->notlsv12 = 1;
+	conf->no_tlsv12 = 1;
 	return 0;
 }
 
@@ -1365,11 +1365,11 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "crt",                   bind_parse_crt,            1 }, /* load SSL certificates from this location */
 	{ "crt-ignore-err",        bind_parse_ignore_err,     1 }, /* set error IDs to ingore on verify depth == 0 */
 	{ "ecdhe",                 bind_parse_ecdhe,          1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "no-sslv3",              bind_parse_no_sslv3,       0 }, /* disable SSLv3 */
+	{ "no-tlsv10",             bind_parse_no_tlsv10,      0 }, /* disable TLSv10 */
+	{ "no-tlsv11",             bind_parse_no_tlsv11,      0 }, /* disable TLSv11 */
+	{ "no-tlsv12",             bind_parse_no_tlsv12,      0 }, /* disable TLSv12 */
 	{ "no-tls-tickets",        bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
-	{ "nosslv3",               bind_parse_nosslv3,        0 }, /* disable SSLv3 */
-	{ "notlsv10",              bind_parse_notlsv10,       0 }, /* disable TLSv10 */
-	{ "notlsv11",              bind_parse_notlsv11,       0 }, /* disable TLSv11 */
-	{ "notlsv12",              bind_parse_notlsv12,       0 }, /* disable TLSv12 */
 	{ "ssl",                   bind_parse_ssl,            0 }, /* enable SSL processing */
 	{ "verify",                bind_parse_verify,         1 }, /* set SSL verify method */
 	{ NULL, NULL, 0 },