From 8694b9a6823612bef50d0ad514aba1a7594ab2a8 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Fri, 5 Oct 2012 14:39:07 +0200 Subject: [PATCH] MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on server These options force the SSL lib to use the specified protocol when connecting to a server. They are complentary to no-tlsv*/no-sslv3. --- doc/configuration.txt | 42 ++++++++++++++++++++----- include/types/server.h | 5 +++ src/cfgparse.c | 71 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 insertions(+), 7 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index ea89e9969..50c6bb149 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7140,6 +7140,31 @@ fall Supported in default-server: Yes +force-sslv3 + This option enforces use of SSLv3 only when SSL is used to communicate with + the server. SSLv3 is generally less expensive than the TLS counterparts for + high connection rates. See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No + +force-tlsv10 + This option enforces use of TLSv1.0 only when SSL is used to communicate with + the server. See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No + +force-tlsv11 + This option enforces use of TLSv1.1 only when SSL is used to communicate with + the server. See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No + +force-tlsv12 + This option enforces use of TLSv1.2 only when SSL is used to communicate with + the server. See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No + id Set a persistent ID for the server. This ID must be positive and unique for the proxy. An unused ID will automatically be assigned if unset. The first @@ -7216,31 +7241,34 @@ minconn no-sslv3 This option disables support for SSLv3 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled - using any configuration option. + using any configuration option. See also "force-sslv3", "force-tlsv*". Supported in default-server: No no-tlsv10 - This option disables support for TLSv10 when SSL is used to communicate with + This option disables support for TLSv1.0 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled using any configuration option. TLSv1 is more expensive than SSLv3 so it - often makes sense to disable it when communicating with local servers. + often makes sense to disable it when communicating with local servers. See + also "force-sslv3", "force-tlsv*". Supported in default-server: No no-tlsv11 - This option disables support for TLSv11 when SSL is used to communicate with + This option disables support for TLSv1.1 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled using any configuration option. TLSv1 is more expensive than SSLv3 so it - often makes sense to disable it when communicating with local servers. + often makes sense to disable it when communicating with local servers. See + also "force-sslv3", "force-tlsv*". Supported in default-server: No no-tlsv12 - This option disables support for TLSv12 when SSL is used to communicate with + This option disables support for TLSv1.2 when SSL is used to communicate with the server. Note that SSLv2 is disabled in the code and cannot be enabled using any configuration option. TLSv1 is more expensive than SSLv3 so it - often makes sense to disable it when communicating with local servers. + often makes sense to disable it when communicating with local servers. See + also "force-sslv3", "force-tlsv*". Supported in default-server: No diff --git a/include/types/server.h b/include/types/server.h index 5453b0856..2a22e72e5 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -87,6 +87,11 @@ #define SRV_SSL_O_NO_TLSV11 0x0004 /* disable TLSv1.1 */ #define SRV_SSL_O_NO_TLSV12 0x0008 /* disable TLSv1.2 */ /* 0x000F reserved for 'no' protocol version options */ +#define SRV_SSL_O_USE_SSLV3 0x0001 /* force SSLv3 */ +#define SRV_SSL_O_USE_TLSV10 0x0002 /* force TLSv1.0 */ +#define SRV_SSL_O_USE_TLSV11 0x0004 /* force TLSv1.1 */ +#define SRV_SSL_O_USE_TLSV12 0x0008 /* force TLSv1.2 */ +/* 0x00F0 reserved for 'force' protocol version options */ #endif /* A tree occurrence is a descriptor of a place in a tree, with a pointer back diff --git a/src/cfgparse.c b/src/cfgparse.c index 9b1ac46c6..88c630032 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4138,6 +4138,64 @@ stats_error_parsing: newsrv->fastinter = val; cur_arg += 2; } + else if (!strcmp(args[cur_arg], "force-sslv3")) { +#ifdef USE_OPENSSL + newsrv->ssl_ctx.options |= SRV_SSL_O_USE_SSLV3; + cur_arg += 1; +#else /* USE_OPENSSL */ + Alert("parsing [%s:%d]: '%s' option not implemented.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif /* USE_OPENSSL */ + } + else if (!strcmp(args[cur_arg], "force-tlsv10")) { +#ifdef USE_OPENSSL + newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV10; + cur_arg += 1; +#else /* USE_OPENSSL */ + Alert("parsing [%s:%d]: '%s' option not implemented.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif /* USE_OPENSSL */ + } + else if (!strcmp(args[cur_arg], "force-tlsv11")) { +#ifdef USE_OPENSSL +#if SSL_OP_NO_TLSv1_1 + newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV11; + cur_arg += 1; +#else + Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.1.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif +#else /* USE_OPENSSL */ + Alert("parsing [%s:%d]: '%s' option not implemented.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif /* USE_OPENSSL */ + } + else if (!strcmp(args[cur_arg], "force-tlsv12")) { +#ifdef USE_OPENSSL +#if SSL_OP_NO_TLSv1_2 + newsrv->ssl_ctx.options |= SRV_SSL_O_USE_TLSV12; + cur_arg += 1; +#else + Alert("parsing [%s:%d]: '%s' library does not support protocol TLSv1.2.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif +#else /* USE_OPENSSL */ + Alert("parsing [%s:%d]: '%s' option not implemented.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif /* USE_OPENSSL */ + } else if (!strcmp(args[cur_arg], "downinter")) { const char *err = parse_time_err(args[cur_arg + 1], &val, TIME_UNIT_MS); if (err) { @@ -6368,6 +6426,19 @@ out_uri_auth_compat: ssloptions |= SSL_OP_NO_TLSv1_1; if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12) ssloptions |= SSL_OP_NO_TLSv1_2; + if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) + SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, SSLv3_client_method()); + if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10) + SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_client_method()); +#if SSL_OP_NO_TLSv1_1 + if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11) + SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_1_client_method()); +#endif +#if SSL_OP_NO_TLSv1_2 + if (newsrv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12) + SSL_CTX_set_ssl_version(newsrv->ssl_ctx.ctx, TLSv1_2_client_method()); +#endif + SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions); SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode); SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);