diff --git a/include/types/protocols.h b/include/types/protocols.h
index 4b4ef1672..4e40a6726 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -135,6 +135,8 @@ struct listener {
 	struct {
 		SSL_CTX *ctx;
 		char *ciphers; /* cipher suite to use if non-null */
+		int nosslv3; /* disable SSLv3 */
+		int notlsv1; /* disable TLSv1 */
 	} ssl_ctx;
 #endif
 	/* warning: this struct is huge, keep it at the bottom */
diff --git a/include/types/server.h b/include/types/server.h
index 327ad5eff..25a01747a 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -174,6 +174,8 @@ struct server {
 		SSL_CTX *ctx;
 		SSL_SESSION *reused_sess;
 		char *ciphers; /* cipher suite to use if non-null */
+		int nosslv3; /* disable SSLv3 */
+		int notlsv1; /* disable TLSv1 */
 	} ssl_ctx;
 #endif
 	struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 62a9bc904..f5061b317 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1855,6 +1855,40 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
 		}
 
+		if (!strcmp(args[cur_arg], "nosslv3")) { /* disable SSLv3 */
+#ifdef USE_OPENSSL
+			struct listener *l;
+
+			for (l = curproxy->listen; l != last_listen; l = l->next)
+				l->ssl_ctx.nosslv3 = 1;
+
+			cur_arg += 1;
+			continue;
+#else
+			Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+			      file, linenum, args[0], args[cur_arg]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+#endif
+		}
+
+		if (!strcmp(args[cur_arg], "notlsv1")) { /* disable TLSv1 */
+#ifdef USE_OPENSSL
+			struct listener *l;
+
+			for (l = curproxy->listen; l != last_listen; l = l->next)
+				l->ssl_ctx.notlsv1 = 1;
+
+			cur_arg += 1;
+			continue;
+#else
+			Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+			      file, linenum, args[0], args[cur_arg]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+#endif
+		}
+
 		if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
 			struct listener *l;
 
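Review bot: The field comment `/* disable TLSv1 */` on the new `notlsv1` member is ambiguous, because the option it maps to, `SSL_OP_NO_TLSv1` (applied in the cfgparse.c hunks at 6498 and 6823), turns off TLS 1.0 only and leaves TLS 1.1/1.2 negotiable wherever the linked OpenSSL supports them. Suggest `int notlsv1; /* disable TLSv1.0 only (SSL_OP_NO_TLSv1); TLSv1.1+ unaffected */` here, and the same wording on the identical line added to include/types/server.h. `struct listener` begins before this hunk.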
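Review bot: A bind line carrying `nosslv3` or `notlsv1` but no `ssl` keyword is accepted silently: the loop only records the flag on each listener, and the flag is consumed in check_config_validity inside the SSL setup (hunk at 6823), so on a plain-TCP listener it is presumably never read and the operator gets no indication that the option did nothing. The `ssl` keyword handling is outside this hunk, so this cannot be confirmed here; if it holds, a validation-time warning for a listener with `nosslv3 || notlsv1` set and no SSL context would make the misconfiguration visible. Separately, the two new blocks are identical apart from the field they set (the server-side hunk at 4483 repeats the pattern), so a single block keyed on the keyword would halve the code to keep in sync. cfg_parse_listen continues outside the hunk.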
@@ -4449,7 +4483,28 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 			goto out;
 #endif
 		}
-
+		else if (!strcmp(args[cur_arg], "nosslv3")) {
+#ifdef USE_OPENSSL
+			newsrv->ssl_ctx.nosslv3 = 1;
+			cur_arg += 1;
+#else /* USE_OPENSSL */
+			Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+			      file, linenum, args[cur_arg]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+#endif /* USE_OPENSSL */
+		}
+		else if (!strcmp(args[cur_arg], "notlsv1")) {
+#ifdef USE_OPENSSL
+			newsrv->ssl_ctx.notlsv1 = 1;
+			cur_arg += 1;
+#else /* USE_OPENSSL */
+			Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+			      file, linenum, args[cur_arg]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+#endif /* USE_OPENSSL */
+		}
 		else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
 			if (!strcmp(args[cur_arg + 1], "none"))
 				newsrv->observe = HANA_OBS_NONE;
@@ -6443,6 +6498,10 @@ int check_config_validity()
 				goto next_srv;
 			}
 
+			if (newsrv->ssl_ctx.nosslv3)
+				ssloptions |= SSL_OP_NO_SSLv3;
+			if (newsrv->ssl_ctx.notlsv1)
+				ssloptions |= SSL_OP_NO_TLSv1;
 			SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 			SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
 			SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
@@ -6764,6 +6823,10 @@ int check_config_validity()
 				cfgerr++;
 				goto skip_ssl;
 			}
+			if (listener->ssl_ctx.nosslv3)
+				ssloptions |= SSL_OP_NO_SSLv3;
+			if (listener->ssl_ctx.notlsv1)
+				ssloptions |= SSL_OP_NO_TLSv1;
 			SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
 			SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
 			SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
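Review bot: Unlike the adjacent `observe` branch, the new `nosslv3`/`notlsv1` branches carry no `!defsrv` guard, so they are accepted on `default-server` lines and write into the default server's `ssl_ctx`; whether a later `server` line inherits those flags depends on how `newsrv` is initialised from the default server, which is outside this hunk. If `ssl_ctx` is not copied, a default-server setting is silently dropped and the operator believes the legacy versions are off. Either confirm inheritance or reject the keyword there with `else if (!defsrv && !strcmp(args[cur_arg], "nosslv3")) {` (and the same for `notlsv1`). cfg_parse_listen's body continues outside the hunk.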
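Review bot: With both flags set, `ssloptions` gains SSL_OP_NO_SSLv3 and SSL_OP_NO_TLSv1 on top of whatever the caller already placed in it (its initial value is outside the hunk); if SSLv2 is already disabled there, a build against an OpenSSL without TLS 1.1/1.2 support is left with no negotiable protocol version and every handshake fails at run time rather than at config load. The same applies to the listener-side hunk at 6823. A validation-time warning guarded on the absence of the newer option macro would surface this, e.g. `#ifndef SSL_OP_NO_TLSv1_1` / `if (newsrv->ssl_ctx.nosslv3 && newsrv->ssl_ctx.notlsv1) Warning("... no protocol version left enabled ...");` / `#endif` placed just before `SSL_CTX_set_options`. check_config_validity continues outside the hunk.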