MINOR: ssl: Remove the global allow-0rtt option.

Olivier Houchard 2017-10-31 13:32:10 +01:00 committed by Willy Tarreau
parent d16bfe6c01
commit 79a481ddde
2 changed files with 0 additions and 24 deletions


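--- a/PATH_NOT_ON_PAGE_FILE_1
+++ b/PATH_NOT_ON_PAGE_FILE_1
@@ -856,10 +856,6 @@ resetenv [<name> ...]
 next line in the configuration file sees the new environment. See also
 "setenv", "presetenv", and "unsetenv".
-ssl-allow-0rtt
-Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be
-sure to know the security implications before activating it.
 stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ...
 Limits the stats socket to a certain set of processes numbers. By default the
 stats socket is bound to all processes, causing a warning to be emitted when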


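--- a/PATH_NOT_ON_PAGE_FILE_2
+++ b/PATH_NOT_ON_PAGE_FILE_2
@@ -166,7 +166,6 @@ static struct {
 char *crt_base; /* base directory path for certificates */
 char *ca_base; /* base directory path for CAs and CRLs */
 int async; /* whether we use ssl async mode */
-int default_early_data; /* Shall we default to allow early data */
 char *listen_default_ciphers;
 char *connect_default_ciphers;
@@ -7403,7 +7402,6 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
 conf->ssl_options |= global_ssl.listen_default_ssloptions;
 conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
-conf->ssl_conf.early_data = global_ssl.default_early_data;
 if (!conf->ssl_conf.ssl_methods.min)
 conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min;
 if (!conf->ssl_conf.ssl_methods.max)
@@ -7897,23 +7895,6 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr
 return 0;
 }
-/* parse the "ssl-allow-0rtt" keyword in global section.
-* Returns <0 on alert, >0 on warning, 0 on success.
-*/
-static int ssl_parse_global_ssl_allow_0rtt(char **args, int section_type,
-struct proxy *curpx, struct proxy *defpx, const char *file, int line,
-char **err)
-{
-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-global_ssl.default_early_data = 1;
-return 0;
-#else
-memprintf(err, "'%s': openssl library does not early data", args[0]);
-return -1;
-#endif
-}
 /* parse the "ssl-mode-async" keyword in global section.
 * Returns <0 on alert, >0 on warning, 0 on success.
 */
@@ -8604,7 +8585,6 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 { CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base },
 { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
 { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
-{ CFG_GLOBAL, "ssl-allow-0rtt", ssl_parse_global_ssl_allow_0rtt },
 { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
 { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
 #ifndef OPENSSL_NO_DH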