From d0712f3873546a0c24f3204ad75dd7eacd689602 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 11 Jun 2020 17:34:00 +0200
Subject: [PATCH] BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0

In bug #676, it was reported that ssl-min-ver SSLv3 does not work in Amazon environments with OpenSSL 1.0.2. The reason for this is a patch of Amazon OpenSSL which sets SSL_OP_NO_SSLv3 in SSL_CTX_new(). Which is kind of a problem with our implementation of ssl-{min,max}-ver in old openSSL versions, because it does not try to clear existing version flags. This patch fixes the bug by cleaning versions flags known by HAProxy in the SSL_CTX before applying the right ones. Should be backported as far as 1.8.
---
 src/ssl_sock.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 81a862d68..322613c37 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3711,9 +3711,15 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 if (min == max)
 methodVersions[min].ctx_set_version(ctx, SET_SERVER);
 else
- for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
+ for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
+ /* clear every version flags in case SSL_CTX_new()
+ * returns an SSL_CTX with disabled versions */
+ SSL_CTX_clear_options(ctx, methodVersions[i].option);
+
 if (flags & methodVersions[i].flag)
 options |= methodVersions[i].option;
+
+ }
 #else /* openssl >= 1.1.0 */
 /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
 methodVersions[min].ctx_set_version(ctx, SET_MIN);
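Review bot: The added `SSL_CTX_clear_options(ctx, methodVersions[i].option)` deliberately discards any SSL_OP_NO_* version bit that the library itself set in SSL_CTX_new(), so after this loop the negotiable range is exactly the configured ssl-min-ver/ssl-max-ver and nothing a vendor build disabled by default survives; that is the intended fix, but the comment should state it plainly, e.g. `/* clear every known version flag: some builds disable versions in SSL_CTX_new(), and the configured range must win */`. Whether the cleared bits are then re-applied correctly depends on the SSL_CTX_set_options(ctx, options) call that presumably follows the loop outside the hunk, so the clearing has to stay ahead of it and `options` must not be pre-seeded from SSL_CTX_get_options(), which cannot be confirmed from here. The second added blank line, just before the closing `}`, is stray whitespace and should be dropped. ssl_sock_initial_ctx begins and ends outside the hunk.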