mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0

Browse Source 
In bug #676, it was reported that ssl-min-ver SSLv3 does not work in
Amazon environments with OpenSSL 1.0.2.

The reason for this is a patch of Amazon OpenSSL which sets
SSL_OP_NO_SSLv3 in SSL_CTX_new(). Which is kind of a problem with our
implementation of ssl-{min,max}-ver in old openSSL versions, because it
does not try to clear existing version flags.

This patch fixes the bug by cleaning versions flags known by HAProxy in
the SSL_CTX before applying the right ones.

Should be backported as far as 1.8.
This commit is contained in:
William Lallemand 2020-06-11 17:34:00 +02:00 committed by William Lallemand
parent 588b3148d9
commit d0712f3873
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl_sock.c
View File

@ -3711,9 +3711,15 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
if (min == max) if (min == max)
methodVersions[min].ctx_set_version(ctx, SET_SERVER); methodVersions[min].ctx_set_version(ctx, SET_SERVER);
else else
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
/* clear every version flags in case SSL_CTX_new()
* returns an SSL_CTX with disabled versions */
SSL_CTX_clear_options(ctx, methodVersions[i].option);
if (flags & methodVersions[i].flag) if (flags & methodVersions[i].flag)
options |= methodVersions[i].option; options |= methodVersions[i].option;
}
#else /* openssl >= 1.1.0 */ #else /* openssl >= 1.1.0 */
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */ /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
methodVersions[min].ctx_set_version(ctx, SET_MIN); methodVersions[min].ctx_set_version(ctx, SET_MIN);