diff --git a/doc/configuration.txt b/doc/configuration.txt
index 66ce224a0..ea89e9969 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -6819,6 +6819,23 @@ defer-accept
 an established connection while the proxy will only see it in SYN_RECV. This
 option is only supported on TCPv4/TCPv6 sockets and ignored by other ones.
 
+force-sslv3
+ This option enforces use of SSLv3 only on SSL connections instanciated from
+ this listener. SSLv3 is generally less expensive than the TLS counterparts
+ for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv10
+ This option enforces use of TLSv1.0 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv11
+ This option enforces use of TLSv1.1 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
+force-tlsv12
+ This option enforces use of TLSv1.2 only on SSL connections instanciated from
+ this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+
 gid
 Sets the group of the UNIX sockets to the designated system gid. It can also
 be set by default in the global section's "unix-bind" statement. Note that
@@ -6911,7 +6928,8 @@ no-sslv3
 This setting is only available when support for OpenSSL was built in. It
 disables support for SSLv3 on any sockets instanciated from the listener when
 SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
 
 no-tls-tickets
 This setting is only available when support for OpenSSL was built in. It
@@ -6921,21 +6939,24 @@ no-tls-tickets
 
 no-tlsv10
 This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv10 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.0 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
 
 no-tlsv11
 This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv11 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.1 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
 
 no-tlsv12
 This setting is only available when support for OpenSSL was built in. It
- disables support for TLSv12 on any sockets instanciated from the listener when
- SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option.
+ disables support for TLSv1.2 on any sockets instanciated from the listener
+ when SSL is supported. Note that SSLv2 is forced disabled in the code and
+ cannot be enabled using any configuration option. See also "force-tls*",
+ and "force-sslv3".
 
 prefer-server-ciphers
 This setting is only available when support for OpenSSL was built in. It
diff --git a/include/types/listener.h b/include/types/listener.h
index aba864c7b..6a0e0602e 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -102,6 +102,11 @@ enum {
 #define BC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
 #define BC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
 /* 0x000F reserved for 'no' protocol version options */
+#define BC_SSL_O_USE_SSLV3 0x0010 /* force SSLv3 */
+#define BC_SSL_O_USE_TLSV10 0x0020 /* force TLSv10 */
+#define BC_SSL_O_USE_TLSV11 0x0040 /* force TLSv11 */
+#define BC_SSL_O_USE_TLSV12 0x0080 /* force TLSv12 */
+/* 0x00F0 reserved for 'force' protocol version options */
 #define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
 #endif
 
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af02a6986..af90018a5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -494,6 +494,18 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
 ssloptions |= SSL_OP_NO_TLSv1_2;
 if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
 ssloptions |= SSL_OP_NO_TICKET;
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
+ SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
+#if SSL_OP_NO_TLSv1_1
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV11)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV12)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method());
+#endif
 SSL_CTX_set_options(ctx, ssloptions);
 SSL_CTX_set_mode(ctx, sslmode);
 
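Review bot: Each of the four added SSL_CTX_set_ssl_version() calls in ssl_sock_prepare_ctx discards its return value, so a method the library refuses leaves ctx on whatever protocol set it had before while preparation continues as if the forced version were active; the result should be checked and reported as a configuration error the way this function handles its other failures (its body continues outside the hunk). The forced method is also installed before SSL_CTX_set_options(ctx, ssloptions) on the following context line, so a bind line that combines the matching no-* and force-* keywords (for instance `no-sslv3 force-sslv3`) pins the context to one version and then disables that same version, producing a listener that can never complete a handshake, and when several BC_SSL_O_USE_* bits are set the last call in this sequence silently wins. A parse-time check that a BC_SSL_O_USE_* bit is never set together with the BC_SSL_O_NO_* bit for the same version, or with another force bit, would surface the misconfiguration at startup instead of as handshake failures in production.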
@@ -1245,6 +1257,47 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 return 0;
 }
 
+/* parse the "force-sslv3" bind keyword */
+static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_SSLV3;
+ return 0;
+}
+
+/* parse the "force-tlsv10" bind keyword */
+static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ conf->ssl_options |= BC_SSL_O_USE_TLSV10;
+ return 0;
+}
+
+/* parse the "force-tlsv11" bind keyword */
+static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_1
+ conf->ssl_options |= BC_SSL_O_USE_TLSV11;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+/* parse the "force-tlsv12" bind keyword */
+static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+#if SSL_OP_NO_TLSv1_2
+ conf->ssl_options |= BC_SSL_O_USE_TLSV12;
+ return 0;
+#else
+ if (err)
+ memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#endif
+}
+
+
 /* parse the "no-tls-tickets" bind keyword */
 static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
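Review bot: None of the four new bind_parse_force_* parsers checks conf->ssl_options for an already-set force bit, so `force-tlsv10 force-tlsv12` on one bind line is accepted and the version that actually applies is decided by the order of the SSL_CTX_set_ssl_version() calls in ssl_sock_prepare_ctx rather than by the configuration. Since each keyword is documented as enforcing one version "only", the conflict belongs at parse time; every parser could open with a guard on the 0x00F0 range reserved in listener.h, e.g. `if (conf->ssl_options & (BC_SSL_O_USE_SSLV3 | BC_SSL_O_USE_TLSV10 | BC_SSL_O_USE_TLSV11 | BC_SSL_O_USE_TLSV12)) { if (err) memprintf(err, "'%s' : conflicts with a previous force-* option", args[cur_arg]); return ERR_ALERT | ERR_FATAL; }`, reusing the reporting style the tlsv11/tlsv12 `#else` branches already use. The same guard is the natural place to reject the matching no-* bit for that version. The header comments stop at "parse the ... bind keyword"; stating the effect, e.g. `/* parse the "force-sslv3" bind keyword: restrict this listener to SSLv3 only */`, would save the next reader a trip to the documentation.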
@@ -1365,6 +1418,10 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
 { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
 { "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "force-sslv3", bind_parse_force_sslv3, 0 }, /* force SSLv3 */
+ { "force-tlsv10", bind_parse_force_tlsv10, 0 }, /* force TLSv10 */
+ { "force-tlsv11", bind_parse_force_tlsv11, 0 }, /* force TLSv11 */
+ { "force-tlsv12", bind_parse_force_tlsv12, 0 }, /* force TLSv12 */
 { "no-sslv3", bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
 { "no-tlsv10", bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
 { "no-tlsv11", bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */