Repository: trafficserver Updated Branches: refs/heads/master 5f738a28e -> c021744fd
TS-2593 HTTPS to origin fails on CentOS6.x Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/e279b5b5 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/e279b5b5 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/e279b5b5 Branch: refs/heads/master Commit: e279b5b57423cf4ee84c629079131bd9135d29ba Parents: 5f738a2 Author: Leif Hedstrom <zw...@apache.org> Authored: Thu Feb 27 08:53:39 2014 -0700 Committer: Leif Hedstrom <zw...@apache.org> Committed: Thu Feb 27 08:53:39 2014 -0700 ---------------------------------------------------------------------- iocore/net/P_SSLUtils.h | 9 --------- iocore/net/SSLConfig.cc | 7 +++++++ mgmt/RecordsConfig.cc | 3 ++- 3 files changed, 9 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e279b5b5/iocore/net/P_SSLUtils.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h index e517824..1dd46d4 100644 --- a/iocore/net/P_SSLUtils.h +++ b/iocore/net/P_SSLUtils.h @@ -33,15 +33,6 @@ #error Traffic Server requires a OpenSSL library that support threads #endif -// if we are compiling against an early version of OpenSSL, define our own values -#ifndef SSL_OP_NO_TLSv1_1 -#define SSL_OP_NO_TLSv1_1 0x10000000L -#endif -#ifndef SSL_OP_NO_TLSv1_2 -#define SSL_OP_NO_TLSv1_2 0x08000000L -#endif -#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status - struct SSLConfigParams; struct SSLCertLookup; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e279b5b5/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index 0b2df26..27cc2b4 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc 
@@ -150,12 +150,19 @@ SSLConfigParams::initialize()
 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
 if (!options)
 ssl_ctx_options |= SSL_OP_NO_TLSv1;
+
+ // These are not available in all, older versions of OpenSSL (e.g. CentOS6)
+#ifdef SSL_OP_NO_TLSv1_1
 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
 if (!options)
 ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
 if (!options)
 ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+#endif
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
 if (options)
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/e279b5b5/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index ccc3818..e98e70a 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1231,7 +1231,8 @@ RecordElement RecordsConfig[] = {
 ,
 {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
- {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now. OpenSSL v1.0.1e (and lower) have issue TS-2355
+ // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
+ {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
 {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
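Review bot: Wrapping the TLSv1_1 and TLSv1_2 handling in `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` makes `proxy.config.ssl.TLSv1_1` and `proxy.config.ssl.TLSv1_2` silently inert on a build whose OpenSSL headers lack those macros, while RecordsConfig.cc in the same commit still registers both records, so an operator who sets one of them to 0 gets no feedback at all. The decision is also taken against the build-time headers rather than the library actually loaded, so a binary built on an older OpenSSL but run against a newer one can no longer disable TLS 1.1/1.2 through these records, and that is the one case where the silence hides a real protocol-policy gap. An `#else` branch that still reads the record and warns when it is set to 0 keeps the limitation visible; `Warning()` is presumably in scope here via Diags as elsewhere in iocore/net, confirm before relying on it. The body of SSLConfigParams::initialize() starts before and continues after this hunk.
```cpp
#ifdef SSL_OP_NO_TLSv1_1
  // … unchanged: read proxy.config.ssl.TLSv1_1 and set SSL_OP_NO_TLSv1_1 when 0 …
#else
  // Built against OpenSSL headers without TLSv1.1 support: the record cannot take effect,
  // so tell the operator instead of ignoring an explicit "disable" silently.
  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
  if (!options)
    Warning("proxy.config.ssl.TLSv1_1 = 0 has no effect: SSL_OP_NO_TLSv1_1 was not defined at build time");
#endif
  // … same #else branch for the SSL_OP_NO_TLSv1_2 block …
```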
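Review bot: The new comment on the `proxy.config.ssl.TLSv1_2` record, `// Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.`, drops the one actionable detail the removed comment carried, namely that the affected releases are OpenSSL 1.0.1e and lower, so an operator reading the default no longer knows whether flipping it to 1 affects their installation. Suggest `// TLSv1.2 is on by default; set to 0 on OpenSSL 1.0.1e and older, which crash with it (see TS-2355).` It is also worth saying in the same comment that SSLConfig.cc compiles the knob out when the build headers lack SSL_OP_NO_TLSv1_2, since the record stays registered and accepts 0 or 1 either way.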