mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-27 13:51:00 +01:00
CLEANUP: ssl: remove 57 occurrences of useless tests on LIBRESSL_VERSION_NUMBER
They were all check to comply with the advertised openssl version. Now that libressl doesn't pretend to be a more recent openssl anymore, we can simply rely on the regular openssl version tests without having to deal with exceptions for libressl.
This commit is contained in:
Willy Tarreau
parent
1d158ab12d
commit
5db847ab65
@ -1582,8 +1582,7 @@ int connect_server(struct stream *s)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || \
|
#if USE_OPENSSL && (defined(OPENSSL_IS_BORINGSSL) || (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L))
|
||||||
((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)))
|
|
||||||
|
|
||||||
if (!reuse && cli_conn && srv &&
|
if (!reuse && cli_conn && srv &&
|
||||||
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
|
(srv->ssl_ctx.options & SRV_SSL_O_EARLY_DATA) &&
|
||||||
|
|||||||
@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx)
|
|||||||
(fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
|
(fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
|
||||||
(fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
|
(fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
|
||||||
#ifdef USE_OPENSSL
|
#ifdef USE_OPENSSL
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
(fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
|
(fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
|
||||||
(fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
|
(fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -590,7 +590,7 @@ void mworker_reload()
|
|||||||
ptdf->fct();
|
ptdf->fct();
|
||||||
if (fdtab)
|
if (fdtab)
|
||||||
deinit_pollers();
|
deinit_pollers();
|
||||||
#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
if (global.ssl_used_frontend || global.ssl_used_backend)
|
if (global.ssl_used_frontend || global.ssl_used_backend)
|
||||||
/* close random device FDs */
|
/* close random device FDs */
|
||||||
RAND_keep_random_devices_open(0);
|
RAND_keep_random_devices_open(0);
|
||||||
|
|||||||
@ -1544,7 +1544,7 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
|
|||||||
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
|
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
|
||||||
if (src->ssl_ctx.ciphers != NULL)
|
if (src->ssl_ctx.ciphers != NULL)
|
||||||
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
|
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (src->ssl_ctx.ciphersuites != NULL)
|
if (src->ssl_ctx.ciphersuites != NULL)
|
||||||
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
|
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
101
src/ssl_sock.c
101
src/ssl_sock.c
@ -190,7 +190,7 @@ static struct {
|
|||||||
|
|
||||||
char *listen_default_ciphers;
|
char *listen_default_ciphers;
|
||||||
char *connect_default_ciphers;
|
char *connect_default_ciphers;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
char *listen_default_ciphersuites;
|
char *listen_default_ciphersuites;
|
||||||
char *connect_default_ciphersuites;
|
char *connect_default_ciphersuites;
|
||||||
#endif
|
#endif
|
||||||
@ -212,7 +212,7 @@ static struct {
|
|||||||
#ifdef CONNECT_DEFAULT_CIPHERS
|
#ifdef CONNECT_DEFAULT_CIPHERS
|
||||||
.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
|
.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
|
||||||
#endif
|
#endif
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
#ifdef LISTEN_DEFAULT_CIPHERSUITES
|
#ifdef LISTEN_DEFAULT_CIPHERSUITES
|
||||||
.listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
|
.listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
|
||||||
#endif
|
#endif
|
||||||
@ -348,7 +348,7 @@ static int ha_ssl_free(BIO *data)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#if defined(USE_THREAD) && ((HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
|
|
||||||
static HA_RWLOCK_T *ssl_rwlocks;
|
static HA_RWLOCK_T *ssl_rwlocks;
|
||||||
|
|
||||||
@ -575,7 +575,7 @@ fail_get:
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/*
|
/*
|
||||||
* openssl async fd handler
|
* openssl async fd handler
|
||||||
*/
|
*/
|
||||||
@ -1442,7 +1442,7 @@ static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_p
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
|
||||||
|
|
||||||
#define CT_EXTENSION_TYPE 18
|
#define CT_EXTENSION_TYPE 18
|
||||||
|
|
||||||
@ -1893,7 +1893,7 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
|
|||||||
int key_type;
|
int key_type;
|
||||||
|
|
||||||
/* Get the private key of the default certificate and use it */
|
/* Get the private key of the default certificate and use it */
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
|
pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
|
||||||
#else
|
#else
|
||||||
tmp_ssl = SSL_new(bind_conf->default_ctx);
|
tmp_ssl = SSL_new(bind_conf->default_ctx);
|
||||||
@ -2297,7 +2297,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
|
|||||||
SSL_set_SSL_CTX(ssl, ctx);
|
SSL_set_SSL_CTX(ssl, ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL))
|
||||||
|
|
||||||
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
|
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
|
||||||
{
|
{
|
||||||
@ -2948,7 +2948,7 @@ static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_b
|
|||||||
/* The following code is used for loading multiple crt files into
|
/* The following code is used for loading multiple crt files into
|
||||||
* SSL_CTX's based on CN/SAN
|
* SSL_CTX's based on CN/SAN
|
||||||
*/
|
*/
|
||||||
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
|
#if HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL
|
||||||
/* This is used to preload the certifcate, private key
|
/* This is used to preload the certifcate, private key
|
||||||
* and Cert Chain of a file passed in via the crt
|
* and Cert Chain of a file passed in via the crt
|
||||||
* argument
|
* argument
|
||||||
@ -3603,7 +3603,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
|
|||||||
ssl_sock_set_ocsp_response_from_file(ctx, path);
|
ssl_sock_set_ocsp_response_from_file(ctx, path);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (sctl_ex_index >= 0) {
|
if (sctl_ex_index >= 0) {
|
||||||
ret = ssl_sock_load_sctl(ctx, path);
|
ret = ssl_sock_load_sctl(ctx, path);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
@ -3764,7 +3764,7 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
|
|||||||
conf->crl_file = NULL;
|
conf->crl_file = NULL;
|
||||||
free(conf->ciphers);
|
free(conf->ciphers);
|
||||||
conf->ciphers = NULL;
|
conf->ciphers = NULL;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
free(conf->ciphersuites);
|
free(conf->ciphersuites);
|
||||||
conf->ciphersuites = NULL;
|
conf->ciphersuites = NULL;
|
||||||
#endif
|
#endif
|
||||||
@ -4029,7 +4029,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
|
|||||||
|
|
||||||
SSL_CTX_set_options(ctx, options);
|
SSL_CTX_set_options(ctx, options);
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
mode |= SSL_MODE_ASYNC;
|
mode |= SSL_MODE_ASYNC;
|
||||||
#endif
|
#endif
|
||||||
@ -4041,7 +4041,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
|
|||||||
#ifdef OPENSSL_IS_BORINGSSL
|
#ifdef OPENSSL_IS_BORINGSSL
|
||||||
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
|
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
|
||||||
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
|
||||||
#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
#elif (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
if (bind_conf->ssl_conf.early_data) {
|
if (bind_conf->ssl_conf.early_data) {
|
||||||
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
|
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
|
||||||
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
|
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
|
||||||
@ -4311,7 +4311,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
|
|||||||
int verify = SSL_VERIFY_NONE;
|
int verify = SSL_VERIFY_NONE;
|
||||||
struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
|
struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
|
||||||
const char *conf_ciphers;
|
const char *conf_ciphers;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
const char *conf_ciphersuites;
|
const char *conf_ciphersuites;
|
||||||
#endif
|
#endif
|
||||||
const char *conf_curves = NULL;
|
const char *conf_curves = NULL;
|
||||||
@ -4413,7 +4413,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
|
|||||||
cfgerr++;
|
cfgerr++;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
|
conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
|
||||||
if (conf_ciphersuites &&
|
if (conf_ciphersuites &&
|
||||||
!SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
|
!SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
|
||||||
@ -4817,7 +4817,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
|
|||||||
options |= SSL_OP_NO_TICKET;
|
options |= SSL_OP_NO_TICKET;
|
||||||
SSL_CTX_set_options(ctx, options);
|
SSL_CTX_set_options(ctx, options);
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
mode |= SSL_MODE_ASYNC;
|
mode |= SSL_MODE_ASYNC;
|
||||||
#endif
|
#endif
|
||||||
@ -4907,7 +4907,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
|
|||||||
cfgerr++;
|
cfgerr++;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (srv->ssl_ctx.ciphersuites &&
|
if (srv->ssl_ctx.ciphersuites &&
|
||||||
!SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
|
!SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
|
||||||
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
|
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
|
||||||
@ -5336,8 +5336,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
|
|||||||
|
|
||||||
/* leave init state and start handshake */
|
/* leave init state and start handshake */
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
|
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
|
||||||
defined(OPENSSL_IS_BORINGSSL)
|
|
||||||
conn->flags |= CO_FL_EARLY_SSL_HS;
|
conn->flags |= CO_FL_EARLY_SSL_HS;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -5371,7 +5370,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
|
|||||||
if (!conn->xprt_ctx)
|
if (!conn->xprt_ctx)
|
||||||
goto out_error;
|
goto out_error;
|
||||||
|
|
||||||
#if HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER)
|
#if HA_OPENSSL_VERSION_NUMBER >= 0x10101000L
|
||||||
/*
|
/*
|
||||||
* Check if we have early data. If we do, we have to read them
|
* Check if we have early data. If we do, we have to read them
|
||||||
* before SSL_do_handshake() is called, And there's no way to
|
* before SSL_do_handshake() is called, And there's no way to
|
||||||
@ -5428,7 +5427,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
|
|||||||
fd_cant_recv(conn->handle.fd);
|
fd_cant_recv(conn->handle.fd);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
else if (ret == SSL_ERROR_WANT_ASYNC) {
|
else if (ret == SSL_ERROR_WANT_ASYNC) {
|
||||||
ssl_async_process_fds(conn, ctx->ssl);
|
ssl_async_process_fds(conn, ctx->ssl);
|
||||||
return 0;
|
return 0;
|
||||||
@ -5443,7 +5442,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
|
|||||||
conn->err_code = CO_ER_SSL_HANDSHAKE;
|
conn->err_code = CO_ER_SSL_HANDSHAKE;
|
||||||
#else
|
#else
|
||||||
int empty_handshake;
|
int empty_handshake;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
|
||||||
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl);
|
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl);
|
||||||
empty_handshake = state == TLS_ST_BEFORE;
|
empty_handshake = state == TLS_ST_BEFORE;
|
||||||
#else
|
#else
|
||||||
@ -5512,7 +5511,7 @@ check_error:
|
|||||||
fd_cant_recv(conn->handle.fd);
|
fd_cant_recv(conn->handle.fd);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
else if (ret == SSL_ERROR_WANT_ASYNC) {
|
else if (ret == SSL_ERROR_WANT_ASYNC) {
|
||||||
ssl_async_process_fds(conn, ctx->ssl);
|
ssl_async_process_fds(conn, ctx->ssl);
|
||||||
return 0;
|
return 0;
|
||||||
@ -5527,7 +5526,7 @@ check_error:
|
|||||||
conn->err_code = CO_ER_SSL_HANDSHAKE;
|
conn->err_code = CO_ER_SSL_HANDSHAKE;
|
||||||
#else
|
#else
|
||||||
int empty_handshake;
|
int empty_handshake;
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
|
||||||
OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl);
|
OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl);
|
||||||
empty_handshake = state == TLS_ST_BEFORE;
|
empty_handshake = state == TLS_ST_BEFORE;
|
||||||
#else
|
#else
|
||||||
@ -5571,7 +5570,7 @@ check_error:
|
|||||||
goto out_error;
|
goto out_error;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
else {
|
else {
|
||||||
/*
|
/*
|
||||||
* If the server refused the early data, we have to send a
|
* If the server refused the early data, we have to send a
|
||||||
@ -5590,7 +5589,7 @@ check_error:
|
|||||||
|
|
||||||
reneg_ok:
|
reneg_ok:
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/* ASYNC engine API doesn't support moving read/write
|
/* ASYNC engine API doesn't support moving read/write
|
||||||
* buffers. So we disable ASYNC mode right after
|
* buffers. So we disable ASYNC mode right after
|
||||||
* the handshake to avoid buffer oveflows.
|
* the handshake to avoid buffer oveflows.
|
||||||
@ -5699,7 +5698,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
if (conn->flags & CO_FL_EARLY_SSL_HS) {
|
if (conn->flags & CO_FL_EARLY_SSL_HS) {
|
||||||
size_t read_length;
|
size_t read_length;
|
||||||
|
|
||||||
@ -5751,7 +5750,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
|
|||||||
/* handshake is running, and it needs to enable write */
|
/* handshake is running, and it needs to enable write */
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS;
|
conn->flags |= CO_FL_SSL_WAIT_HS;
|
||||||
__conn_sock_want_send(conn);
|
__conn_sock_want_send(conn);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/* Async mode can be re-enabled, because we're leaving data state.*/
|
/* Async mode can be re-enabled, because we're leaving data state.*/
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
||||||
@ -5763,7 +5762,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
|
|||||||
/* handshake is running, and it may need to re-enable read */
|
/* handshake is running, and it may need to re-enable read */
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS;
|
conn->flags |= CO_FL_SSL_WAIT_HS;
|
||||||
__conn_sock_want_recv(conn);
|
__conn_sock_want_recv(conn);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/* Async mode can be re-enabled, because we're leaving data state.*/
|
/* Async mode can be re-enabled, because we're leaving data state.*/
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
||||||
@ -5840,7 +5839,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
* in which case we accept to do it once again.
|
* in which case we accept to do it once again.
|
||||||
*/
|
*/
|
||||||
while (count) {
|
while (count) {
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
size_t written_data;
|
size_t written_data;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -5861,7 +5860,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
|
ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
|
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
|
||||||
unsigned int max_early;
|
unsigned int max_early;
|
||||||
|
|
||||||
@ -5913,7 +5912,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
/* handshake is running, and it may need to re-enable write */
|
/* handshake is running, and it may need to re-enable write */
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS;
|
conn->flags |= CO_FL_SSL_WAIT_HS;
|
||||||
__conn_sock_want_send(conn);
|
__conn_sock_want_send(conn);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/* Async mode can be re-enabled, because we're leaving data state.*/
|
/* Async mode can be re-enabled, because we're leaving data state.*/
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
||||||
@ -5928,7 +5927,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
|
|||||||
/* handshake is running, and it needs to enable read */
|
/* handshake is running, and it needs to enable read */
|
||||||
conn->flags |= CO_FL_SSL_WAIT_HS;
|
conn->flags |= CO_FL_SSL_WAIT_HS;
|
||||||
__conn_sock_want_recv(conn);
|
__conn_sock_want_recv(conn);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
/* Async mode can be re-enabled, because we're leaving data state.*/
|
/* Async mode can be re-enabled, because we're leaving data state.*/
|
||||||
if (global_ssl.async)
|
if (global_ssl.async)
|
||||||
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
|
||||||
@ -5956,7 +5955,7 @@ static void ssl_sock_close(struct connection *conn, void *xprt_ctx) {
|
|||||||
struct ssl_sock_ctx *ctx = xprt_ctx;
|
struct ssl_sock_ctx *ctx = xprt_ctx;
|
||||||
|
|
||||||
if (ctx) {
|
if (ctx) {
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
if (global_ssl.async) {
|
if (global_ssl.async) {
|
||||||
OSSL_ASYNC_FD all_fd[32], afd;
|
OSSL_ASYNC_FD all_fd[32], afd;
|
||||||
size_t num_all_fds = 0;
|
size_t num_all_fds = 0;
|
||||||
@ -7413,7 +7412,7 @@ smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char
|
|||||||
static int
|
static int
|
||||||
smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
|
||||||
{
|
{
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL)
|
||||||
struct buffer *data;
|
struct buffer *data;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
@ -7655,7 +7654,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
|
|||||||
return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
|
return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
/* parse the "ciphersuites" bind keyword */
|
/* parse the "ciphersuites" bind keyword */
|
||||||
static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||||
{
|
{
|
||||||
@ -8065,7 +8064,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
|
|||||||
|
|
||||||
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
|
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
|
||||||
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
|
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
|
if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
|
||||||
conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
|
conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
|
||||||
#endif
|
#endif
|
||||||
@ -8428,7 +8427,7 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
|
|||||||
newsrv->check.use_ssl = 1;
|
newsrv->check.use_ssl = 1;
|
||||||
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
|
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
|
||||||
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
|
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
|
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
|
||||||
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
|
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
|
||||||
#endif
|
#endif
|
||||||
@ -8455,7 +8454,7 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
/* parse the "ciphersuites" server keyword */
|
/* parse the "ciphersuites" server keyword */
|
||||||
static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
||||||
{
|
{
|
||||||
@ -8611,7 +8610,7 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
|
|||||||
newsrv->use_ssl = 1;
|
newsrv->use_ssl = 1;
|
||||||
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
|
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
|
||||||
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
|
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
|
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
|
||||||
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
|
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
|
||||||
#endif
|
#endif
|
||||||
@ -8766,7 +8765,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
|
|||||||
struct proxy *defpx, const char *file, int line,
|
struct proxy *defpx, const char *file, int line,
|
||||||
char **err)
|
char **err)
|
||||||
{
|
{
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
|
||||||
global_ssl.async = 1;
|
global_ssl.async = 1;
|
||||||
global.ssl_used_async_engines = nb_engines;
|
global.ssl_used_async_engines = nb_engines;
|
||||||
return 0;
|
return 0;
|
||||||
@ -8854,7 +8853,7 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
|
/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
|
||||||
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
|
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
|
||||||
*/
|
*/
|
||||||
@ -9581,7 +9580,7 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
|
|||||||
{ "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
|
{ "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
|
||||||
{ "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
|
{ "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
|
||||||
{ "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
|
{ "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
{ "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
|
{ "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
|
||||||
#endif
|
#endif
|
||||||
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
|
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
|
||||||
@ -9605,7 +9604,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
|
|||||||
{ "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
|
{ "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
|
||||||
{ "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
|
{ "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
|
||||||
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
|
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
{ "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
|
{ "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
|
||||||
#endif
|
#endif
|
||||||
{ "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
|
{ "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
|
||||||
@ -9655,7 +9654,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
|
|||||||
{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
|
{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
|
||||||
{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
|
{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
|
||||||
{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
|
{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
{ "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
|
{ "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
|
||||||
#endif
|
#endif
|
||||||
{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
|
{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
|
||||||
@ -9716,7 +9715,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
|
|||||||
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
|
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
|
||||||
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
|
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
|
||||||
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
|
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
|
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
|
||||||
{ CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
|
{ CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
|
||||||
#endif
|
#endif
|
||||||
@ -9788,7 +9787,7 @@ static struct action_kw_list http_req_actions = {ILH, {
|
|||||||
|
|
||||||
INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
|
INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
|
||||||
|
|
||||||
static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
|
static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
|
||||||
{
|
{
|
||||||
@ -9813,7 +9812,7 @@ static void __ssl_sock_init(void)
|
|||||||
global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
|
global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
|
||||||
if (global_ssl.connect_default_ciphers)
|
if (global_ssl.connect_default_ciphers)
|
||||||
global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
|
global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
|
||||||
if (global_ssl.listen_default_ciphersuites)
|
if (global_ssl.listen_default_ciphersuites)
|
||||||
global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
|
global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
|
||||||
if (global_ssl.connect_default_ciphersuites)
|
if (global_ssl.connect_default_ciphersuites)
|
||||||
@ -9826,10 +9825,10 @@ static void __ssl_sock_init(void)
|
|||||||
#endif
|
#endif
|
||||||
cm = SSL_COMP_get_compression_methods();
|
cm = SSL_COMP_get_compression_methods();
|
||||||
sk_SSL_COMP_zero(cm);
|
sk_SSL_COMP_zero(cm);
|
||||||
#if defined(USE_THREAD) && ((HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
ssl_locking_init();
|
ssl_locking_init();
|
||||||
#endif
|
#endif
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
|
||||||
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
|
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
|
||||||
#endif
|
#endif
|
||||||
ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
|
||||||
@ -9969,14 +9968,14 @@ static void __ssl_sock_deinit(void)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
ERR_remove_state(0);
|
ERR_remove_state(0);
|
||||||
ERR_free_strings();
|
ERR_free_strings();
|
||||||
|
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if ((HA_OPENSSL_VERSION_NUMBER >= 0x00907000L) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)) || defined(LIBRESSL_VERSION_NUMBER)
|
#if (HA_OPENSSL_VERSION_NUMBER >= 0x00907000L) && (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
CRYPTO_cleanup_all_ex_data();
|
CRYPTO_cleanup_all_ex_data();
|
||||||
#endif
|
#endif
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
#if (HA_OPENSSL_VERSION_NUMBER < 0x10100000L)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user