Updated Branches: refs/heads/master 6dfab90be -> 2a979548d
TS-2355: ATS 4.0.x crashes when using OpenSSL 1.0.1e Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2a979548 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2a979548 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2a979548 Branch: refs/heads/master Commit: 2a979548dbf17dea5fbeb43e79116b4c3dcf4a6e Parents: 6dfab90 Author: Ron Barber <[email protected]> Authored: Mon Dec 16 14:56:32 2013 -0800 Committer: Bryan Call <[email protected]> Committed: Mon Dec 16 14:56:32 2013 -0800 ---------------------------------------------------------------------- doc/reference/configuration/records.config.en.rst | 8 ++++++++ iocore/net/P_SSLUtils.h | 9 +++++++++ iocore/net/SSLConfig.cc | 6 ++++++ mgmt/RecordsConfig.cc | 4 ++++ 4 files changed, 27 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/doc/reference/configuration/records.config.en.rst ---------------------------------------------------------------------- diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst index 2092ef7..99a81a8 100644 --- a/doc/reference/configuration/records.config.en.rst +++ b/doc/reference/configuration/records.config.en.rst 
@@ -1922,6 +1922,14 @@ SSL Termination Enables (``1``) or disables (``0``) TLSv1. +.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 1 + + Enables (``1``) or disables (``0``) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher] + +.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1 + + Enables (``1``) or disables (``0``) TLS v1.2. If not specified, DISABLED by default. [Requires OpenSSL v1.0.1 and higher] + .. ts:cv:: CONFIG proxy.config.ssl.client.certification_level INT 0 Sets the client certification level: http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/P_SSLUtils.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h index 289ff99..5ed2d82 100644 --- a/iocore/net/P_SSLUtils.h +++ b/iocore/net/P_SSLUtils.h @@ -33,6 +33,15 @@ #error Traffic Server requires a OpenSSL library that support threads #endif +// if we are compiling against an early version of OpenSSL, define our own values +#ifndef SSL_OP_NO_TLSv1_1 +#define SSL_OP_NO_TLSv1_1 0x10000000L +#endif +#ifndef SSL_OP_NO_TLSv1_2 +#define SSL_OP_NO_TLSv1_2 0x08000000L +#endif +#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status + struct SSLConfigParams; struct SSLCertLookup; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index d4e0b9e..8493766 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc 
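Review bot: The fallback `#define SSL_OP_NO_TLSv1_1 0x10000000L` / `#define SSL_OP_NO_TLSv1_2 0x08000000L` in the P_SSLUtils.h hunk let the new knobs compile against an OpenSSL older than 1.0.1, but on such a build the bits are still passed to SSL_CTX_set_options, where they do not mean "no TLS 1.1/1.2" and, as far as I recall, the pre-1.0.1 ssl.h assigns those same bit positions to other SSL_OP_* names (verify against the 1.0.0 header). It is safer to define nothing here and have the callers test `#ifdef SSL_OP_NO_TLSv1_2`, the pattern this tree already uses for SSL_OP_CIPHER_SERVER_PREFERENCE, so an OpenSSL without the feature simply never sees the option. Separately, `SSL_VERSION_1_0_1 0x010001000` is commented as `MMNNFFPPS` but OPENSSL_VERSION_NUMBER is eight hex digits (MNNFFPPS); the literal is numerically 0x10001000 so a `>=` test against a 1.0.1 release (0x1000100fL) would still hold, but the comment is misleading and should read `#define SSL_VERSION_1_0_1 0x10001000L // MNNFFPPS: major minor fix patch status`. Nothing in the hunks of this commit uses that macro, so either wire it into the version guard or drop it.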
@@ -148,6 +148,12 @@ SSLConfigParams::initialize()
 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
 if (!options)
 ssl_ctx_options |= SSL_OP_NO_TLSv1;
+ REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
+ if (!options)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+ REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
+ if (!options)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
 if (!options)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 94b9055..134e029 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1223,6 +1223,10 @@ RecordElement RecordsConfig[] = {
 ,
 {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
+ {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now. OpenSSL v1.0.1e (and lower) have issue TS-2355
+ ,
 {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
 {RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
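Review bot: Because `proxy.config.ssl.TLSv1_2` defaults to 0, the new `ssl_ctx_options |= SSL_OP_NO_TLSv1_2;` line executes on every build, including builds against an OpenSSL older than 1.0.1 where the value of that macro comes from the commit's own fallback define rather than from the library, so the bit is handed to SSL_CTX_set_options with whatever meaning the older header gives it instead of being ignored. Gate the two new reads the same way the `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` block just below does (which only works if the fallback defines in P_SSLUtils.h are dropped), so that an OpenSSL without TLS 1.1/1.2 never consults these records at all. A one-line comment above the TLSv1_2 read pointing at TS-2355 would also make clear the default-off is a temporary workaround rather than policy. SSLConfigParams::initialize() starts and ends outside the hunk.
```cpp
  // … unchanged: proxy.config.ssl.TLSv1 read …
#ifdef SSL_OP_NO_TLSv1_1 // only defined by OpenSSL >= 1.0.1
  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
  if (!options)
    ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
  // Record defaults to 0 until TS-2355 (crash with OpenSSL <= 1.0.1e) is resolved.
  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
  if (!options)
    ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
#endif
  // … unchanged: honor_cipher_order block …
```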
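Review bot: Shipping `proxy.config.ssl.TLSv1_2` with default `"0"` switches off the strongest protocol version for every installation, including ones built against an OpenSSL that does not exhibit the TS-2355 crash, and the trailing comment on the new record gives no condition under which the default is to be flipped back. Turn it into an explicit TODO that states the revert condition and the operator action, e.g. `// TODO(TS-2355): default to "1" once the OpenSSL <= 1.0.1e crash is fixed; operators on a fixed OpenSSL should set this record to 1`, so the downgrade does not silently outlive the workaround. The RecordsConfig[] initializer starts and ends outside the hunk.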
