path: root/recipes-core/lighttpd/lighttpd/0002_extended_tls_conf.patch
diff --git a/src/base.h b/src/base.h
index 134fc41..f2d849e 100644
--- a/src/base.h
+++ b/src/base.h
@@ -289,6 +289,9 @@ typedef struct {
 	unsigned short ssl_empty_fragments; /* whether to not set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
 	unsigned short ssl_use_sslv2;
 	unsigned short ssl_use_sslv3;
+	unsigned short ssl_use_tlsv1;
+	unsigned short ssl_use_tlsv1_1;
+	unsigned short ssl_use_tlsv1_2;
 	unsigned short ssl_verifyclient;
 	unsigned short ssl_verifyclient_enforce;
 	unsigned short ssl_verifyclient_depth;
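Review bot: The three new fields carry no comment, unlike ssl_empty_fragments a few lines above which names the SSL_OP flag it controls; a reader has to go to network.c to learn that a zero value adds SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 to the context options. I would annotate them the same way, e.g. `unsigned short ssl_use_tlsv1; /* 0: set SSL_OP_NO_TLSv1 on the ctx */`, and likewise for the 1.1 and 1.2 fields. The enclosing struct starts and ends outside the hunk.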
diff --git a/src/configfile.c b/src/configfile.c
index bba6925..bbedd77 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -146,6 +146,10 @@ static int config_insert(server *srv) {
 		{ "server.max-request-field-size",     NULL, T_CONFIG_INT,     T_CONFIG_SCOPE_SERVER     }, /* 78 */
 		{ "ssl.read-ahead",                    NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */
 
+		{ "ssl.use-tlsv1",                     NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER     }, /* 80 */
+		{ "ssl.use-tlsv1_1",                   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER     }, /* 81 */
+		{ "ssl.use-tlsv1_2",                   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER     }, /* 82 */
+
 		{ NULL,                                NULL, T_CONFIG_UNSET,   T_CONFIG_SCOPE_UNSET      }
 	};
 
@@ -226,6 +230,9 @@ static int config_insert(server *srv) {
 		s->ssl_empty_fragments = 0;
 		s->ssl_use_sslv2 = 0;
 		s->ssl_use_sslv3 = 0;
+		s->ssl_use_tlsv1 = 0;
+		s->ssl_use_tlsv1_1 = 0;
+		s->ssl_use_tlsv1_2 = 1;
 		s->use_ipv6      = (i == 0) ? 0 : srv->config_storage[0]->use_ipv6;
 		s->set_v6only    = (i == 0) ? 1 : srv->config_storage[0]->set_v6only;
 		s->defer_accept  = (i == 0) ? 0 : srv->config_storage[0]->defer_accept;
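Review bot: The defaults on the three added lines encode a protocol policy (TLSv1.0 and TLSv1.1 off, TLSv1.2 on, so older clients are refused unless the operator opts in) that nothing in the hunk explains, while the surrounding zero-initialisations involve no such choice. A one-line comment above `s->ssl_use_tlsv1 = 0;` would save the next reader from guessing: `/* default: TLSv1.2 only; ssl.use-tlsv1 / ssl.use-tlsv1_1 must be enabled explicitly to accept older clients */`. The options are declared T_CONFIG_SCOPE_SERVER in the first hunk of this file yet are also patched per connection in the last hunk next to ssl.use-sslv3, which presumably follows the existing sslv2/sslv3 convention; worth confirming that is intended rather than copied. config_insert() starts and ends outside the hunk.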
@@ -318,6 +325,9 @@ static int config_insert(server *srv) {
 		cv[76].destination = &(s->stream_request_body);
 		cv[77].destination = &(s->stream_response_body);
 		cv[79].destination = &(s->ssl_read_ahead);
+		cv[80].destination = &(s->ssl_use_tlsv1);
+		cv[81].destination = &(s->ssl_use_tlsv1_1);
+		cv[82].destination = &(s->ssl_use_tlsv1_2);
 
 		srv->config_storage[i] = s;
 
@@ -536,6 +546,9 @@ int config_setup_connection(server *srv, connection *con) {
 	PATCH(ssl_empty_fragments);
 	PATCH(ssl_use_sslv2);
 	PATCH(ssl_use_sslv3);
+	PATCH(ssl_use_tlsv1);
+	PATCH(ssl_use_tlsv1_1);
+	PATCH(ssl_use_tlsv1_2);
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
 	PATCH(etag_use_size);
@@ -615,6 +628,12 @@ int config_patch_connection(server *srv, connection *con) {
 				PATCH(ssl_use_sslv2);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv3"))) {
 				PATCH(ssl_use_sslv3);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1"))) {
+				PATCH(ssl_use_tlsv1);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1_1"))) {
+				PATCH(ssl_use_tlsv1_1);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-tlsv1_2"))) {
+				PATCH(ssl_use_tlsv1_2);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) {
 				PATCH(ssl_cipher_list);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) {
diff --git a/src/network.c b/src/network.c
index 4295fe9..a3f9ec3 100644
--- a/src/network.c
+++ b/src/network.c
@@ -859,6 +859,33 @@ int network_init(server *srv) {
 			}
 		}
 
+		if (!s->ssl_use_tlsv1) {
+			/* disable TLSv1 */
+			if (!(SSL_OP_NO_TLSv1 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1))) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+						ERR_error_string(ERR_get_error(), NULL));
+				return -1;
+			}
+		}
+
+		if (!s->ssl_use_tlsv1_1) {
+			/* disable TLSv1.1 */
+			if (!(SSL_OP_NO_TLSv1_1 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1_1))) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+						ERR_error_string(ERR_get_error(), NULL));
+				return -1;
+			}
+		}
+
+		if (!s->ssl_use_tlsv1_2) {
+			/* disable TLSv1.2 */
+			if (!(SSL_OP_NO_TLSv1_2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_TLSv1_2))) {
+				log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
+						ERR_error_string(ERR_get_error(), NULL));
+				return -1;
+			}
+		}
+
 		if (!buffer_string_is_empty(s->ssl_cipher_list)) {
 			/* Disable support for low encryption ciphers */
 			if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
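Review bot: The error branch after each SSL_CTX_set_options() call (in the `if (!s->ssl_use_tlsv1)` block and the two that follow it) cannot be taken with OpenSSL, because SSL_CTX_set_options() ORs the requested bits into the context and returns the resulting mask, and it queues nothing for ERR_get_error() to report, so the three checks add no real failure handling and the log line would print an empty error. This appears to mirror the existing sslv2/sslv3 handling above the hunk, so it may be deliberate, but the check that is actually missing is a startup-time one: with ssl.use-tlsv1 and ssl.use-tlsv1_1 already defaulting to off, a configuration that also turns off ssl.use-tlsv1_2 (and sslv2/sslv3) leaves no protocol version enabled, and every handshake will then fail at runtime with no hint from the config diagnostics. I would reject that combination before the three blocks, as below, so the server fails closed at startup rather than silently accepting no connections. If the build must also support OpenSSL releases that predate the SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 macros, those two blocks need `#ifdef` guards on the macro or they will not compile there. network_init() starts and ends outside the hunk.
```c
		/* … unchanged: sslv2/sslv3 handling above … */

		/* Fail at startup instead of accepting no handshake at all. */
		if (!s->ssl_use_sslv2 && !s->ssl_use_sslv3
		    && !s->ssl_use_tlsv1 && !s->ssl_use_tlsv1_1 && !s->ssl_use_tlsv1_2) {
			log_error_write(srv, __FILE__, __LINE__, "s",
					"SSL: no protocol version is enabled; enable at least ssl.use-tlsv1_2");
			return -1;
		}

		/* … unchanged: the three SSL_OP_NO_TLSv1* blocks and the cipher-list setup … */
```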