From: Emeric Brun
Date: Fri, 28 Sep 2012 17:37:02 +0000 (+0200)
Subject: MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
X-Git-Tag: v1.5-dev13~238
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0ff4924c0aedb9d91490b5ee52ee601ca9c2884;p=thirdparty%2Fhaproxy.git
MINOR: ssl : add statements 'notlsv11' and 'notlsv12' and rename 'notlsv1' to 'notlsv10'.
This is because "notlsv1" used to disable TLSv1.0 only and had no effect on v1.1/v1.2. so better have an option for each version.
This applies both to "bind" and "server" statements.
---
diff --git a/include/types/listener.h b/include/types/listener.h
index 227bb4b751..b3d52a1862 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -103,7 +103,9 @@ struct bind_conf {
 char *crlfile; /* CRLfile to use on verify */
 char *ecdhe; /* named curve to use for ECDHE */
 int nosslv3; /* disable SSLv3 */
- int notlsv1; /* disable TLSv1 */
+ int notlsv10; /* disable TLSv1.0 */
+ int notlsv11; /* disable TLSv1.1 */
+ int notlsv12; /* disable TLSv1.2 */
 int prefer_server_ciphers; /* Prefer server ciphers */
 int verify; /* verify method (set of SSL_VERIFY_* flags) */
 SSL_CTX *default_ctx; /* SSL context of first/default certificate */
diff --git a/include/types/server.h b/include/types/server.h
index 25a01747a4..7c5dd873b0 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -175,7 +175,9 @@ struct server {
 SSL_SESSION *reused_sess;
 char *ciphers; /* cipher suite to use if non-null */
 int nosslv3; /* disable SSLv3 */
- int notlsv1; /* disable TLSv1 */
+ int notlsv10; /* disable TLSv1.0 */
+ int notlsv11; /* disable TLSv1.1 */
+ int notlsv12; /* disable TLSv1.2 */
 } ssl_ctx;
 #endif
 struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 6fbcd5b106..c6260e1e88 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4253,9 +4253,31 @@ stats_error_parsing:
 goto out;
 #endif /* USE_OPENSSL */
 }
- else if (!strcmp(args[cur_arg], "notlsv1")) {
+ else if (!strcmp(args[cur_arg], "notlsv10")) {
 #ifdef USE_OPENSSL
- newsrv->ssl_ctx.notlsv1 = 1;
+ newsrv->ssl_ctx.notlsv10 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv11")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv11 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv12")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv12 = 1;
 cur_arg += 1;
 #else /* USE_OPENSSL */
 Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6239,6 +6261,12 @@ out_uri_auth_compat:
 #endif
 #ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
 #endif
 if (newsrv->use_ssl) {
 int ssloptions =
@@ -6265,8 +6293,12 @@ out_uri_auth_compat:
 if (newsrv->ssl_ctx.nosslv3)
 ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.notlsv1)
+ if (newsrv->ssl_ctx.notlsv10)
 ssloptions |= SSL_OP_NO_TLSv1;
+ if (newsrv->ssl_ctx.notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (newsrv->ssl_ctx.notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
 SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
 SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 18496d5e12..7baca58b08 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
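Review bot: The `notlsv1` server keyword is renamed to `notlsv10` in the `@@ -4253` hunk with no compatibility alias, so an existing configuration that still says `notlsv1` presumably falls through to the unknown-keyword path and is rejected at startup; failing closed is the right outcome for a TLS-version switch, but it is a user-visible break that the commit message does not call out. The keywords `notlsv10`, `notlsv11` and `notlsv12` are not documented anywhere in this diff either, so the configuration manual needs a matching entry for each of them and a note that `notlsv1` is gone. The three new blocks repeat the same ten-line `#ifdef USE_OPENSSL`/`Alert(...)` boilerplate; that matches the existing `nosslv3` branch above, but one `strcmp` chain that only differs in which flag it sets would be easier to keep in sync. The fallback defines in the `@@ -6239` hunk (`#define SSL_OP_NO_TLSv1_1 0`, `#define SSL_OP_NO_TLSv1_2 0`) duplicate the ones added to src/ssl_sock.c in the same commit; a shared header would keep the two copies from drifting apart.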
@@ -450,6 +450,12 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
 #ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
 #define SSL_OP_NO_COMPRESSION 0
 #endif
+#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
+#define SSL_OP_NO_TLSv1_2 0
+#endif
 #ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
 #define SSL_OP_SINGLE_DH_USE 0
 #endif
@@ -476,8 +482,12 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 if (bind_conf->nosslv3)
 ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->notlsv1)
+ if (bind_conf->notlsv10)
 ssloptions |= SSL_OP_NO_TLSv1;
+ if (bind_conf->notlsv11)
+ ssloptions |= SSL_OP_NO_TLSv1_1;
+ if (bind_conf->notlsv12)
+ ssloptions |= SSL_OP_NO_TLSv1_2;
 if (bind_conf->prefer_server_ciphers)
 ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
@@ -1190,9 +1200,23 @@ static int bind_parse_nosslv3(char **args, int cur_arg, struct proxy *px, struct
 }
 /* parse the "notlsv1" bind keyword */
-static int bind_parse_notlsv1(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+static int bind_parse_notlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv10 = 1;
+ return 0;
+}
+
+/* parse the "notlsv11" bind keyword */
+static int bind_parse_notlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->notlsv11 = 1;
+ return 0;
+}
+
+/* parse the "notlsv12" bind keyword */
+static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->notlsv1 = 1;
+ conf->notlsv12 = 1;
 return 0;
 }
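Review bot: The comment kept as context above the new `bind_parse_notlsv10` in the `@@ -1190` hunk still reads `/* parse the "notlsv1" bind keyword */`, so the first of the three parsers is now mislabelled while the other two received fresh comments. It should become `/* parse the "notlsv10" bind keyword */` to match the function it documents and the keyword registered in `bind_kws`. Separately, with the fallback defines added in the `@@ -450` hunk, `notlsv11` and `notlsv12` compile to no-ops on an OpenSSL build that lacks `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2`; that is harmless only as long as such a build cannot negotiate those versions either, and a one-line comment stating that assumption next to the defines would save the next reader the check.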
@@ -1288,7 +1312,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
 { "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
 { "nosslv3", bind_parse_nosslv3, 0 }, /* disable SSLv3 */
- { "notlsv1", bind_parse_notlsv1, 0 }, /* disable TLSv1 */
+ { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
+ { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
+ { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
 { "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
 { "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
 { "verify", bind_parse_verify, 1 }, /* set SSL verify method */
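Review bot: The comments on the three new `bind_kws` entries say `disable TLSv10`, `disable TLSv11` and `disable TLSv12`, while the matching struct fields added in include/types/listener.h and include/types/server.h say `TLSv1.0`, `TLSv1.1` and `TLSv1.2`; the protocol versions are conventionally written with the dot, and `TLSv10` is easy to misread as a different version. Suggest `/* disable TLSv1.0 */`, `/* disable TLSv1.1 */` and `/* disable TLSv1.2 */` so the keyword table matches the field comments.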