From c230b8bfb65cbcf4028187dd5a3225f6b928d194 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 3 Sep 2012 23:55:16 +0200
Subject: [PATCH] MEDIUM: config: add "nosslv3" and "notlsv1" on bind and server lines

This is aimed at disabling SSLv3 and TLSv1 respectively. SSLv2 is always disabled. This can be used in some situations where one version looks more suitable than the other.
---
 include/types/protocols.h | 2 ++
 include/types/server.h | 2 ++
 src/cfgparse.c | 65 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/include/types/protocols.h b/include/types/protocols.h
index 4b4ef1672..4e40a6726 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -135,6 +135,8 @@ struct listener {
 struct {
 SSL_CTX *ctx;
 char *ciphers; /* cipher suite to use if non-null */
+ int nosslv3; /* disable SSLv3 */
+ int notlsv1; /* disable TLSv1 */
 } ssl_ctx;
 #endif
 /* warning: this struct is huge, keep it at the bottom */
diff --git a/include/types/server.h b/include/types/server.h
index 327ad5eff..25a01747a 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -174,6 +174,8 @@ struct server {
 SSL_CTX *ctx;
 SSL_SESSION *reused_sess;
 char *ciphers; /* cipher suite to use if non-null */
+ int nosslv3; /* disable SSLv3 */
+ int notlsv1; /* disable TLSv1 */
 } ssl_ctx;
 #endif
 struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 62a9bc904..f5061b317 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
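Review bot: One `int` field per disabled protocol version will not scale: `listener.ssl_ctx` (and identically `server.ssl_ctx` in the next hunk) gains `nosslv3` and `notlsv1` now, and TLSv1.1/TLSv1.2 — already present in OpenSSL 1.0.1 — will each need another field, another pair of parser branches and another pair of `if` lines in check_config_validity. A single `unsigned int options; /* SSL_OP_NO_* bits OR'ed into the SSL_CTX at init */` holding the OpenSSL option bits directly would let the parser set a bit and the validity check apply `ssloptions | options` in one place. Whatever the representation, the field comment should spell out the default so a reader of the struct knows which versions remain, e.g. `/* disable SSLv3 (0 = allowed; SSLv2 is always off) */` — the "SSLv2 always off" part is taken from the commit message, not from these lines. Both flags also rely on the enclosing struct being zeroed at allocation, which this patch does not show; worth confirming.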
@@ -1855,6 +1855,40 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
 }
 
+ if (!strcmp(args[cur_arg], "nosslv3")) { /* disable SSLv3 */
+#ifdef USE_OPENSSL
+ struct listener *l;
+
+ for (l = curproxy->listen; l != last_listen; l = l->next)
+ l->ssl_ctx.nosslv3 = 1;
+
+ cur_arg += 1;
+ continue;
+#else
+ Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+ file, linenum, args[0], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+
+ if (!strcmp(args[cur_arg], "notlsv1")) { /* disable TLSv1 */
+#ifdef USE_OPENSSL
+ struct listener *l;
+
+ for (l = curproxy->listen; l != last_listen; l = l->next)
+ l->ssl_ctx.notlsv1 = 1;
+
+ cur_arg += 1;
+ continue;
+#else
+ Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+ file, linenum, args[0], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+
 if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
 struct listener *l;
 
@@ -4449,7 +4483,28 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 goto out;
 #endif
 }
-
+ else if (!strcmp(args[cur_arg], "nosslv3")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.nosslv3 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
+ else if (!strcmp(args[cur_arg], "notlsv1")) {
+#ifdef USE_OPENSSL
+ newsrv->ssl_ctx.notlsv1 = 1;
+ cur_arg += 1;
+#else /* USE_OPENSSL */
+ Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+ file, linenum, args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif /* USE_OPENSSL */
+ }
 else if (!defsrv && !strcmp(args[cur_arg], "observe")) {
 if (!strcmp(args[cur_arg + 1], "none"))
 newsrv->observe = HANA_OBS_NONE;
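Review bot: A bind line carrying `nosslv3` or `notlsv1` but not the keyword that enables SSL is accepted silently: the loop sets `l->ssl_ctx.nosslv3`/`notlsv1` on every listener unconditionally, and the only reader of those flags in this patch is the SSL-context setup in check_config_validity (the `skip_ssl` path), so on a plain TCP/HTTP bind the operator believes a version is disabled when nothing changed. The validity check should at least emit a warning when either flag is set on a listener that never gets an SSL_CTX — whether listeners carry an ssl-enabled marker that can be tested there is not visible in this hunk. The two branches are also identical apart from the field written; a two-entry table of `{ keyword, offsetof(struct listener, ssl_ctx.nosslv3) }` or a small static helper would keep them in step when `notlsv11`/`notlsv12` follow. cfg_parse_listen starts and ends outside this hunk.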
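Review bot: Unlike `observe` a few lines below, the new `nosslv3`/`notlsv1` server branches carry no `!defsrv` guard, so they are accepted on `default-server` lines; that only works if the template's `ssl_ctx.nosslv3`/`notlsv1` are copied into each server created afterwards, which happens outside this hunk and I cannot confirm from it. If that copy is field-by-field rather than a struct assignment, the keyword is silently dropped on `default-server`, so either add the two fields to the copy or guard both branches with `!defsrv` as `observe` does. As on the bind side, a server line that does not also enable SSL will set flags that never reach `SSL_CTX_set_options`; a validity-time warning avoids a false sense of hardening. cfg_parse_listen continues outside the hunk.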
@@ -6443,6 +6498,10 @@ int check_config_validity()
 goto next_srv;
 }
 
+ if (newsrv->ssl_ctx.nosslv3)
+ ssloptions |= SSL_OP_NO_SSLv3;
+ if (newsrv->ssl_ctx.notlsv1)
+ ssloptions |= SSL_OP_NO_TLSv1;
 SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
 SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
@@ -6764,6 +6823,10 @@ int check_config_validity()
 cfgerr++;
 goto skip_ssl;
 }
+ if (listener->ssl_ctx.nosslv3)
+ ssloptions |= SSL_OP_NO_SSLv3;
+ if (listener->ssl_ctx.notlsv1)
+ ssloptions |= SSL_OP_NO_TLSv1;
 SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
 SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
 SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
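Review bot: The flag-to-`SSL_OP_NO_*` translation is written out twice — here for `newsrv` and again for `listener` in the next hunk — so every future version keyword must be added in both places or the two sides drift. A small static helper, `static long ssl_version_options(int nosslv3, int notlsv1)` returning `(nosslv3 ? SSL_OP_NO_SSLv3 : 0) | (notlsv1 ? SSL_OP_NO_TLSv1 : 0)`, lets both sides do `ssloptions |= ssl_version_options(newsrv->ssl_ctx.nosslv3, newsrv->ssl_ctx.notlsv1);`. A one-line comment above the block, `/* operator-selected protocol versions; SSLv2 is always off via the initial ssloptions */`, would also tell a reader why only these two are conditional — the initial value of `ssloptions` is outside the hunk, so the SSLv2 part is inferred from the commit message. check_config_validity starts and ends outside this hunk.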
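Review bot: With both `nosslv3` and `notlsv1` on a bind line and SSLv2 already off (per the commit message), an OpenSSL build older than 1.0.1 — which has no TLSv1.1/1.2 — is left with no protocol at all, so the config loads cleanly and every client handshake then fails. This is the right place to catch it: when the build lacks `SSL_OP_NO_TLSv1_1` (first defined in 1.0.1), reject the combination with an `Alert()` plus `cfgerr++` like the failure path just above, appending the same proxy identification the preceding `Alert()` uses so the operator can find the bind line. The same guard is wanted on the server-side block in the previous hunk, and even on 1.0.1+ a warning that clients without TLS 1.1+ will be locked out would make the consequence explicit. check_config_validity continues outside this hunk.
```c
			if (listener->ssl_ctx.nosslv3)
				ssloptions |= SSL_OP_NO_SSLv3;
			if (listener->ssl_ctx.notlsv1)
				ssloptions |= SSL_OP_NO_TLSv1;
#ifndef SSL_OP_NO_TLSv1_1
			/* OpenSSL < 1.0.1 knows nothing above TLSv1: with SSLv2 already
			 * off, disabling SSLv3 and TLSv1 together leaves no protocol.
			 */
			if (listener->ssl_ctx.nosslv3 && listener->ssl_ctx.notlsv1) {
				Alert("config : 'nosslv3' and 'notlsv1' together leave no SSL/TLS version enabled with this OpenSSL version.\n");
				cfgerr++;
				goto skip_ssl;
			}
#endif
			SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
```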