MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server

These options force the SSL lib to use the specified protocol when connecting to a server. They are complentary to no-tlsv*/no-sslv3.
2024-12-13 15:04:42 +00:00 · 2012-10-05 14:39:07 +02:00 · 2012-10-05 14:39:07 +02:00 · 8694b9a682
commit 8694b9a682
parent 2cb7ae5302
3 changed files with 111 additions and 7 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -7140,6 +7140,31 @@ fall <count>

  Supported in default-server: Yes

+force-sslv3
+  This option enforces use of SSLv3 only when SSL is used to communicate with
+  the server. SSLv3 is generally less expensive than the TLS counterparts for
+  high connection rates. See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No
+
+force-tlsv10
+  This option enforces use of TLSv1.0 only when SSL is used to communicate with
+  the server. See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No
+
+force-tlsv11
+  This option enforces use of TLSv1.1 only when SSL is used to communicate with
+  the server. See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No
+
+force-tlsv12
+  This option enforces use of TLSv1.2 only when SSL is used to communicate with
+  the server. See also "no-tlsv*", "no-sslv3".
+
+  Supported in default-server: No
+
 id <value>
  Set a persistent ID for the server. This ID must be positive and unique for
  the proxy. An unused ID will automatically be assigned if unset. The first
@ -7216,31 +7241,34 @@ minconn <minconn>
 no-sslv3
  This option disables support for SSLv3 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
-  using any configuration option.
+  using any configuration option. See also "force-sslv3", "force-tlsv*".

  Supported in default-server: No

 no-tlsv10
-  This option disables support for TLSv10 when SSL is used to communicate with
+  This option disables support for TLSv1.0 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers.
+  often makes sense to disable it when communicating with local servers. See
+  also "force-sslv3", "force-tlsv*".

  Supported in default-server: No

 no-tlsv11
-  This option disables support for TLSv11 when SSL is used to communicate with
+  This option disables support for TLSv1.1 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers.
+  often makes sense to disable it when communicating with local servers. See
+  also "force-sslv3", "force-tlsv*".

  Supported in default-server: No

 no-tlsv12
-  This option disables support for TLSv12 when SSL is used to communicate with
+  This option disables support for TLSv1.2 when SSL is used to communicate with
  the server. Note that SSLv2 is disabled in the code and cannot be enabled
  using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers.
+  often makes sense to disable it when communicating with local servers. See
+  also "force-sslv3", "force-tlsv*".

  Supported in default-server: No

--- a/include/types/server.h
+++ b/include/types/server.h
@ -87,6 +87,11 @@
 #define SRV_SSL_O_NO_TLSV11    0x0004 /* disable TLSv1.1 */
 #define SRV_SSL_O_NO_TLSV12    0x0008 /* disable TLSv1.2 */
 /* 0x000F reserved for 'no' protocol version options */
+#define SRV_SSL_O_USE_SSLV3    0x0001 /* force SSLv3 */
+#define SRV_SSL_O_USE_TLSV10   0x0002 /* force TLSv1.0 */
+#define SRV_SSL_O_USE_TLSV11   0x0004 /* force TLSv1.1 */
+#define SRV_SSL_O_USE_TLSV12   0x0008 /* force TLSv1.2 */
+/* 0x00F0 reserved for 'force' protocol version options */
 #endif

 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -4138,6 +4138,64 @@ stats_error_parsing:
 				newsrv->fastinter = val;
 				cur_arg += 2;
 			}
+			else if (!strcmp(args[cur_arg], "force-sslv3")) {
+#ifdef USE_OPENSSL
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_SSLV3;
+				cur_arg += 1;
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv10")) {
+#ifdef USE_OPENSSL
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV10;
+				cur_arg += 1;
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv11")) {
+#ifdef USE_OPENSSL
+#if SSL_OP_NO_TLSv1_1
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV11;
+				cur_arg += 1;
+#else
+				Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.1.\n",
+                                      file, linenum, args[cur_arg]);
+                                err_code |= ERR_ALERT | ERR_FATAL;
+                                goto out;
+#endif
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
+			else if (!strcmp(args[cur_arg], "force-tlsv12")) {
+#ifdef USE_OPENSSL
+#if SSL_OP_NO_TLSv1_2
+				newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV12;
+				cur_arg += 1;
+#else
+				Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.2.\n",
+                                      file, linenum, args[cur_arg]);
+                                err_code |= ERR_ALERT | ERR_FATAL;
+                                goto out;
+#endif
+#else /* USE_OPENSSL */
+				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
+				      file, linenum, args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif /* USE_OPENSSL */
+			}
 			else if (!strcmp(args[cur_arg], "downinter")) {
 				const char *err = parse_time_err(args[cur_arg + 1], &val, TIME_UNIT_MS);
 				if (err) {
@ -6368,6 +6426,19 @@ out_uri_auth_compat:
 					ssloptions |= SSL_OP_NO_TLSv1_1;
 				if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
 					ssloptions |= SSL_OP_NO_TLSv1_2;
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, SSLv3_client_method());
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_client_method());
+#if SSL_OP_NO_TLSv1_1
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_1_client_method());
+#endif
+#if SSL_OP_NO_TLSv1_2
+				if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
+					SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_2_client_method());
+#endif
+
 				SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
 				SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
 				SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);