MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind.

These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2025-02-06 21:50:17 +00:00 · 2012-10-05 14:14:21 +02:00 · 2012-10-05 14:14:21 +02:00 · 2cb7ae5302
commit 2cb7ae5302
parent 8967549d52
3 changed files with 93 additions and 10 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -6819,6 +6819,23 @@ defer-accept
  an established connection while the proxy will only see it in SYN_RECV. This
  option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.

+force-sslv3
+  This option enforces use of SSLv3 only on SSL connections instanciated from
+  this listener. SSLv3 is generally less expensive than the TLS counterparts
+  for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv10
+  This option enforces use of TLSv1.0 only on SSL connections instanciated from
+  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv11
+  This option enforces use of TLSv1.1 only on SSL connections instanciated from
+  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv12
+  This option enforces use of TLSv1.2 only on SSL connections instanciated from
+  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
 gid <gid>
  Sets the group of the UNIX sockets to the designated system gid. It can also
  be set by default in the global section's "unix-bind" statement. Note that
@ -6911,7 +6928,8 @@ no-sslv3
  This setting is only available when support for OpenSSL was built in. It
  disables support for SSLv3 on any sockets instanciated from the listener when
  SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
-  be enabled using any configuration option.
+  be enabled using any configuration option. See also "force-tls*",
+  and "force-sslv3".

 no-tls-tickets
  This setting is only available when support for OpenSSL was built in. It
@ -6921,21 +6939,24 @@ no-tls-tickets

 no-tlsv10
  This setting is only available when support for OpenSSL was built in. It
-  disables support for TLSv10 on any sockets instanciated from the listener when
-  SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
-  be enabled using any configuration option.
+  disables support for TLSv1.0 on any sockets instanciated from the listener
+  when SSL is supported. Note that SSLv2 is forced disabled in the code and
+  cannot be enabled using any configuration option. See also "force-tls*",
+  and "force-sslv3".

 no-tlsv11
  This setting is only available when support for OpenSSL was built in. It
-  disables support for TLSv11 on any sockets instanciated from the listener when
-  SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
-  be enabled using any configuration option.
+  disables support for TLSv1.1 on any sockets instanciated from the listener
+  when SSL is supported. Note that SSLv2 is forced disabled in the code and
+  cannot be enabled using any configuration option. See also "force-tls*",
+  and "force-sslv3".

 no-tlsv12
  This setting is only available when support for OpenSSL was built in. It
-  disables support for TLSv12 on any sockets instanciated from the listener when
-  SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
-  be enabled using any configuration option.
+  disables support for TLSv1.2 on any sockets instanciated from the listener
+  when SSL is supported. Note that SSLv2 is forced disabled in the code and
+  cannot be enabled using any configuration option. See also "force-tls*",
+  and "force-sslv3".

 prefer-server-ciphers
  This setting is only available when support for OpenSSL was built in. It
--- a/include/types/listener.h
+++ b/include/types/listener.h
@ -102,6 +102,11 @@ enum {
 #define BC_SSL_O_NO_TLSV11      0x0004	/* disable TLSv11 */
 #define BC_SSL_O_NO_TLSV12      0x0008	/* disable TLSv12 */
 /* 0x000F reserved for 'no' protocol version options */
+#define BC_SSL_O_USE_SSLV3      0x0010	/* force SSLv3 */
+#define BC_SSL_O_USE_TLSV10     0x0020	/* force TLSv10 */
+#define BC_SSL_O_USE_TLSV11     0x0040	/* force TLSv11 */
+#define BC_SSL_O_USE_TLSV12     0x0080	/* force TLSv12 */
+/* 0x00F0 reserved for 'force' protocol version options */
 #define BC_SSL_O_NO_TLS_TICKETS 0x0100	/* disable session resumption tickets */
 #endif

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -494,6 +494,18 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 		ssloptions |= SSL_OP_NO_TLSv1_2;
 	if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
 		ssloptions |= SSL_OP_NO_TICKET;
+	if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+		SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+	if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
+		SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
+#if SSL_OP_NO_TLSv1_1
+	if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
+		SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+	if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
+		SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
+#endif

 	SSL_CTX_set_options(ctx, ssloptions);
 	SSL_CTX_set_mode(ctx, sslmode);
@ -1245,6 +1257,47 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 	return 0;
 }

+/* parse the "force-sslv3" bind keyword */
+static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	conf->ssl_options |= BC_SSL_O_USE_SSLV3;
+	return 0;
+}
+
+/* parse the "force-tlsv10" bind keyword */
+static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+	conf->ssl_options |= BC_SSL_O_USE_TLSV10;
+	return 0;
+}
+
+/* parse the "force-tlsv11" bind keyword */
+static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_1
+	conf->ssl_options |= BC_SSL_O_USE_TLSV11;
+	return 0;
+#else
+	if (err)
+		memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "force-tlsv12" bind keyword */
+static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_2
+	conf->ssl_options |= BC_SSL_O_USE_TLSV12;
+	return 0;
+#else
+	if (err)
+		memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+
 /* parse the "no-tls-tickets" bind keyword */
 static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
@ -1365,6 +1418,10 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 	{ "crt",                   bind_parse_crt,            1 }, /* load SSL certificates from this location */
 	{ "crt-ignore-err",        bind_parse_ignore_err,     1 }, /* set error IDs to ingore on verify depth == 0 */
 	{ "ecdhe",                 bind_parse_ecdhe,          1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+	{ "force-sslv3",           bind_parse_force_sslv3,    0 }, /* force SSLv3 */
+	{ "force-tlsv10",          bind_parse_force_tlsv10,   0 }, /* force TLSv10 */
+	{ "force-tlsv11",          bind_parse_force_tlsv11,   0 }, /* force TLSv11 */
+	{ "force-tlsv12",          bind_parse_force_tlsv12,   0 }, /* force TLSv12 */
 	{ "no-sslv3",              bind_parse_no_sslv3,       0 }, /* disable SSLv3 */
 	{ "no-tlsv10",             bind_parse_no_tlsv10,      0 }, /* disable TLSv10 */
 	{ "no-tlsv11",             bind_parse_no_tlsv11,      0 }, /* disable TLSv11 */