MEDIUM: ssl: revert ssl/tls version settings relative to default-server.

Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. min-tlsxx and max-tlsxx can be overwrite on local definition. This directives should be the only ones needed in default-server. To simplify next patches (rework of tls versions settings with min/max) all ssl/tls version settings relative to default-server are reverted first: remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'. remove from default-server: 'no-sslv3', 'no-tls*'. Note: . force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server. . no-tlsxx is keep for compatibility: should not be propagated to default-server.
2025-04-11 03:31:36 +00:00 · 2017-03-30 14:43:31 +02:00 · 2017-03-30 14:43:31 +02:00 · 6cb2d1e963
commit 6cb2d1e963
parent 53ae85c38e
2 changed files with 24 additions and 146 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -10949,22 +10949,30 @@ force-sslv3
  This option enforces use of SSLv3 only when SSL is used to communicate with
  the server. SSLv3 is generally less expensive than the TLS counterparts for
  high connection rates. This option is also available on global statement
-  "ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3".
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No

 force-tlsv10
  This option enforces use of TLSv1.0 only when SSL is used to communicate with
  the server. This option is also available on global statement
-  "ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3".
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No

 force-tlsv11
  This option enforces use of TLSv1.1 only when SSL is used to communicate with
  the server. This option is also available on global statement
-  "ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3".
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No

 force-tlsv12
  This option enforces use of TLSv1.2 only when SSL is used to communicate with
  the server. This option is also available on global statement
-  "ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3".
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No

 id <value>
  Set a persistent ID for the server. This ID must be positive and unique for
@ -11091,34 +11099,6 @@ no-check-ssl
  It may also be used as "default-server" setting to reset any previous
  "default-server" "check-ssl" setting.

-no-force-sslv3
-  This option may be used as "server" setting to reset any "force-sslv3"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "force-sslv3" setting.
-
-no-force-tlsv10
-  This option may be used as "server" setting to reset any "force-tlsv10"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "force-tlsv10" setting.
-
-no-force-tlsv11
-  This option may be used as "server" setting to reset any "force-tlsv11"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "force-tlsv11" setting.
-
-no-force-tlsv12
-  This option may be used as "server" setting to reset any "force-tlsv12"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "force-tlsv12" setting.
-
 no-send-proxy
  This option may be used as "server" setting to reset any "send-proxy"
  setting which would have been inherited from "default-server" directive as
@ -11165,6 +11145,8 @@ no-sslv3
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. See also "force-sslv3", "force-tlsv*".

+  Supported in default-server: No
+
 no-tls-tickets
  This setting is only available when support for OpenSSL was built in. It
  disables the stateless session resumption (RFC 5077 TLS Ticket
@ -11181,6 +11163,8 @@ no-tlsv10
  option is also available on global statement "ssl-default-server-options".
  See also "tlsv10", "force-sslv3", "force-tlsv*".

+  Supported in default-server: No
+
 no-tlsv11
  This option disables support for TLSv1.1 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
@ -11189,6 +11173,8 @@ no-tlsv11
  option is also available on global statement "ssl-default-server-options".
  See also "tlsv11", "force-sslv3", "force-tlsv*".

+  Supported in default-server: No
+
 no-tlsv12
  This option disables support for TLSv1.2 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
@ -11197,6 +11183,8 @@ no-tlsv12
  option is also available on global statement "ssl-default-server-options".
  See also "tlsv12", "force-sslv3", "force-tlsv*".

+  Supported in default-server: No
+
 no-verifyhost
  This option may be used as "server" setting to reset any "verifyhost"
  setting which would have been inherited from "default-server" directive as
@ -11435,13 +11423,6 @@ ssl
  See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
  SSL health checks.

-sslv3
-  This option may be used as "server" setting to reset any "no-sslv3"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "no-sslv3" setting.
-
 ssl-reuse
  This option may be used as "server" setting to reset any "no-ssl-reuse"
  setting which would have been inherited from "default-server" directive as
@ -11478,27 +11459,6 @@ track [<proxy>/]<server>
  enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
  used, it has to be enabled on both proxies.

-tlsv10
-  This option may be used as "server" setting to reset any "no-tlsv10"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "no-tlsv10" setting.
-
-tlsv11
-  This option may be used as "server" setting to reset any "no-tlsv11"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "no-tlsv11" setting.
-
-tlsv12
-  This option may be used as "server" setting to reset any "no-tlsv12"
-  setting which would have been inherited from "default-server" directive as
-  default value.
-  It may also be used as "default-server" setting to reset any previous
-  "default-server" "no-tlsv12" setting.
-
 tls-tickets
  This option may be used as "server" setting to reset any "no-tls-tickets"
  setting which would have been inherited from "default-server" directive as
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -6597,52 +6597,6 @@ static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, s
 	return 0;
 }

-/* parse the "no-force-sslv3" server keyword */
-static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#ifndef OPENSSL_NO_SSL3
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3;
-	return 0;
-#else
-	if (err)
-		memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]);
-	return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv10" server keyword */
-static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10;
-	return 0;
-}
-
-/* parse the "no-force-tlsv11" server keyword */
-static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_1
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11;
-	return 0;
-#else
-	if (err)
-		memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
-	return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
-/* parse the "no-force-tlsv12" server keyword */
-static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-#if SSL_OP_NO_TLSv1_2
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12;
-	return 0;
-#else
-	if (err)
-		memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
-	return ERR_ALERT | ERR_FATAL;
-#endif
-}
-
 /* parse the "no-send-proxy-v2-ssl" server keyword */
 static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@ -6765,34 +6719,6 @@ static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, stru
 	return 0;
 }

-/* parse the "sslv3" server keyword */
-static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
-	return 0;
-}
-
-/* parse the "tlsv10" server keyword */
-static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
-	return 0;
-}
-
-/* parse the "tlsv11" server keyword */
-static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
-	return 0;
-}
-
-/* parse the "tlsv12" server keyword */
-static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-{
-	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
-	return 0;
-}
-
 /* parse the "tls-tickets" server keyword */
 static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@ -7538,28 +7464,20 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "force-tlsv11",            srv_parse_force_tlsv11,      0, 1 }, /* force TLSv11 */
 	{ "force-tlsv12",            srv_parse_force_tlsv12,      0, 1 }, /* force TLSv12 */
 	{ "no-check-ssl",            srv_parse_no_check_ssl,      0, 1 }, /* disable SSL for health checks */
-	{ "no-force-sslv3",          srv_parse_no_force_sslv3,    0, 1 }, /* do not force SSLv3 */
-	{ "no-force-tlsv10",         srv_parse_no_force_tlsv10,   0, 1 }, /* do not force TLSv10 */
-	{ "no-force-tlsv11",         srv_parse_no_force_tlsv11,   0, 1 }, /* do not force TLSv11 */
-	{ "no-force-tlsv12",         srv_parse_no_force_tlsv12,   0, 1 }, /* do not force TLSv12 */
 	{ "no-send-proxy-v2-ssl",    srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
 	{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn,  0, 1 }, /* do not send PROXY protocol header v2 with CN */
 	{ "no-ssl",                  srv_parse_no_ssl,            0, 1 }, /* disable SSL processing */
 	{ "no-ssl-reuse",            srv_parse_no_ssl_reuse,      0, 1 }, /* disable session reuse */
-	{ "no-sslv3",                srv_parse_no_sslv3,          0, 1 }, /* disable SSLv3 */
-	{ "no-tlsv10",               srv_parse_no_tlsv10,         0, 1 }, /* disable TLSv10 */
-	{ "no-tlsv11",               srv_parse_no_tlsv11,         0, 1 }, /* disable TLSv11 */
-	{ "no-tlsv12",               srv_parse_no_tlsv12,         0, 1 }, /* disable TLSv12 */
+	{ "no-sslv3",                srv_parse_no_sslv3,          0, 0 }, /* disable SSLv3 */
+	{ "no-tlsv10",               srv_parse_no_tlsv10,         0, 0 }, /* disable TLSv10 */
+	{ "no-tlsv11",               srv_parse_no_tlsv11,         0, 0 }, /* disable TLSv11 */
+	{ "no-tlsv12",               srv_parse_no_tlsv12,         0, 0 }, /* disable TLSv12 */
 	{ "no-tls-tickets",          srv_parse_no_tls_tickets,    0, 1 }, /* disable session resumption tickets */
 	{ "send-proxy-v2-ssl",       srv_parse_send_proxy_ssl,    0, 1 }, /* send PROXY protocol header v2 with SSL info */
 	{ "send-proxy-v2-ssl-cn",    srv_parse_send_proxy_cn,     0, 1 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",                     srv_parse_sni,               1, 1 }, /* send SNI extension */
 	{ "ssl",                     srv_parse_ssl,               0, 1 }, /* enable SSL processing */
 	{ "ssl-reuse",               srv_parse_ssl_reuse,         0, 1 }, /* enable session reuse */
-	{ "sslv3",                   srv_parse_sslv3,             0, 1 }, /* enable SSLv3 */
-	{ "tlsv10",                  srv_parse_tlsv10,            0, 1 }, /* enable TLSv10 */
-	{ "tlsv11",                  srv_parse_tlsv11,            0, 1 }, /* enable TLSv11 */
-	{ "tlsv12",                  srv_parse_tlsv12,            0, 1 }, /* enable TLSv12 */
 	{ "tls-tickets",             srv_parse_tls_tickets,       0, 1 }, /* enable session resumption tickets */
 	{ "verify",                  srv_parse_verify,            1, 1 }, /* set SSL verify method */
 	{ "verifyhost",              srv_parse_verifyhost,        1, 1 }, /* require that SSL cert verifies for hostname */