mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-09 00:27:08 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.

Browse Source
This commit is contained in:
Emeric Brun 2012-10-04 18:44:19 +02:00 committed by Willy Tarreau
parent ce08baa36d
commit 3c4bc6e10a
2 changed files with 2 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/types/listener.h
View File

@ -108,7 +108,6 @@ struct bind_conf {
int notlsv10; /* disable TLSv1.0 */ int notlsv10; /* disable TLSv1.0 */
int notlsv11; /* disable TLSv1.1 */ int notlsv11; /* disable TLSv1.1 */
int notlsv12; /* disable TLSv1.2 */ int notlsv12; /* disable TLSv1.2 */
int prefer_server_ciphers; /* Prefer server ciphers */
int verify; /* verify method (set of SSL_VERIFY_* flags) */ int verify; /* verify method (set of SSL_VERIFY_* flags) */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */ SSL_CTX *default_ctx; /* SSL context of first/default certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */ struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */

13
src/ssl_sock.c
View File

@ -477,7 +477,8 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
SSL_OP_NO_COMPRESSION | SSL_OP_NO_COMPRESSION |
SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_ECDH_USE |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_CIPHER_SERVER_PREFERENCE;
int sslmode = int sslmode =
SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
@ -493,8 +494,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
ssloptions |= SSL_OP_NO_TLSv1_2; ssloptions |= SSL_OP_NO_TLSv1_2;
if (bind_conf->no_tls_tickets) if (bind_conf->no_tls_tickets)
ssloptions |= SSL_OP_NO_TICKET; ssloptions |= SSL_OP_NO_TICKET;
if (bind_conf->prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(ctx, ssloptions); SSL_CTX_set_options(ctx, ssloptions);
SSL_CTX_set_mode(ctx, sslmode); SSL_CTX_set_mode(ctx, sslmode);
@ -1249,13 +1248,6 @@ static int bind_parse_notlsv12(char **args, int cur_arg, struct proxy *px, struc
return 0; return 0;
} }
/* parse the "prefer-server-ciphers" bind keyword */
static int bind_parse_psc(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->prefer_server_ciphers = 1;
return 0;
}
/* parse the "ssl" bind keyword */ /* parse the "ssl" bind keyword */
static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{ {
@ -1345,7 +1337,6 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */ { "notlsv10", bind_parse_notlsv10, 0 }, /* disable TLSv10 */
{ "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */ { "notlsv11", bind_parse_notlsv11, 0 }, /* disable TLSv11 */
{ "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */ { "notlsv12", bind_parse_notlsv12, 0 }, /* disable TLSv12 */
{ "prefer-server-ciphers", bind_parse_psc, 0 }, /* prefer server ciphers */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */ { "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */ { "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 }, { NULL, NULL, 0 },