MEDIUM: ssl: disable SSLv3 per default for bind

For security, disabling SSLv3 on the bind line must be the default configuration.
SSLv3 can be enabled with "ssl-min-ver SSLv3".
Emmanuel Hocdet 2017-05-15 15:53:41 +02:00 committed by Willy Tarreau
parent df701a2adb
commit bd695fe024
2 changed files with 11 additions and 6 deletions


@ -10678,7 +10678,8 @@ ssl
enables SSL deciphering on connections instantiated from this listener. A
certificate is necessary (see "crt" above). All contents in the buffers will
appear in clear text, so that ACLs and HTTP processing will only have access
to deciphered contents.
to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
to enable it.
ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
This option enforces use of <version> or lower on SSL connections instantiated
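Review bot: the added sentence on the "ssl" keyword line should read "by default" rather than "per default", and it only tells the reader about "ssl-min-ver SSLv3"; since this hunk sits directly above the "ssl-max-ver" entry, the "ssl-min-ver" entry further down is where an operator upgrading an existing configuration will look, so the same note (SSLv3 is off unless explicitly enabled) should be repeated there, ideally with a word that this changes the previous behaviour.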


@ -3544,12 +3544,16 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
else
flags = conf_ssl_methods->flags;
min = conf_ssl_methods->min;
max = conf_ssl_methods->max;
/* start with TLSv10 to remove SSLv3 per default */
if (!min && (!max || max >= CONF_TLSV10))
min = CONF_TLSV10;
/* Real min and max should be determinate with configuration and openssl's capabilities */
if (conf_ssl_methods->min)
flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
if (conf_ssl_methods->max)
flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
if (min)
flags |= (methodVersions[min].flag - 1);
if (max)
flags |= ~((methodVersions[max].flag << 1) - 1);
/* find min, max and holes */
min = max = CONF_TLSV_NONE;
hole = 0;
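Review bot: the new default `if (!min && (!max || max >= CONF_TLSV10)) min = CONF_TLSV10;` is skipped whenever `max` is set below TLSv1.0, so a bind line carrying only `ssl-max-ver SSLv3` ends up with SSLv3 enabled even though the doc hunk says "ssl-min-ver SSLv3" is the way to enable it; either the documentation should say that "ssl-max-ver SSLv3" implies it too, or the branch should set `min = CONF_TLSV10` unconditionally and let the later min/max consistency check reject the contradictory configuration. The condition also relies on the CONF_* version constants being ordered so that SSLv3 sorts below CONF_TLSV10, which deserves a comment next to the `max >= CONF_TLSV10` test. Minor: the comment `/* Real min and max should be determinate with configuration and openssl's capabilities */` should read "determined".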