Hi Manu, >> > > yes, i delayed this change (lack of time). > last patch with 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, > TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 > > Manu > >
Could you please rebase your patch set on master and split it by feature? The latest feature seems to match what we expect, but you're sending incremental patches depending on the discussion, and this is now completely confusing. To Willy: attached is a small patch just to avoid warnings with openssl >= 1.1; the current behavior is kept regardless of the discussion with Manu. R, Emeric
>From 83b1ff6ef56a0c2fb502552bb1525de7b843d0d6 Mon Sep 17 00:00:00 2001
From: Emeric Brun <[email protected]>
Date: Fri, 28 Apr 2017 16:19:51 +0200
Subject: [PATCH] BUG/MINOR: ssl: fix warnings about methods for opensslv1.1.

This patch replaces the calls to TLSvX_X_client/server/_method by the new TLS_client/server_method and it uses the new functions SSL_set_min_proto_version and SSL_set_max_proto_version, setting them at the wanted protocol version using 'force-' statements.
---
 src/ssl_sock.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4c1be5a..48ad1b2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3188,6 +3188,28 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 		SSL_MODE_SMALL_BUFFERS;
 	int conf_ssl_options = bind_conf->ssl_options;
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL || defined OPENSSL_IS_BORINGSSL)
+	if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV12) {
+		ctx = SSL_CTX_new(TLS_server_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
+	}
+	if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV11) {
+		ctx = SSL_CTX_new(TLS_server_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
+	}
+	if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV10) {
+		ctx = SSL_CTX_new(TLS_server_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
+	}
+	if (!ctx && conf_ssl_options & BC_SSL_O_USE_SSLV3) {
+		ctx = SSL_CTX_new(TLS_server_method());
+		SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
+	}
+#else
 #if SSL_OP_NO_TLSv1_2
 	if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV12)
 		ctx = SSL_CTX_new(TLSv1_2_server_method());
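Review bot: The new `SSL_CTX_set_min_proto_version(ctx, …)` / `SSL_CTX_set_max_proto_version(ctx, …)` calls in the ssl_sock_initial_ctx() hunk run straight after `SSL_CTX_new()` with no NULL check, and their return values (0 when the bound cannot be applied) are discarded; the pre-1.1 branch below only assigns ctx and lets the next `if (!ctx && …)` cope with a NULL, so this hunk is the first place a failed allocation would be dereferenced. The same pattern is repeated in the ssl_sock_prepare_srv_ctx() hunk (@@ -3588), and the two 22-line ladders differ only in the method function and the flag prefix. A small helper that creates the context, applies both bounds and frees it on failure would remove both the duplication and the unchecked calls; since a NULL from it still flows into the `SSLv23_*_method()` fallback further down, the caller should also treat "force- version requested but ctx still NULL" as a configuration error instead of silently continuing with an unpinned context. Both functions continue outside the hunks, so where that error would be reported is not visible here.
```c
/* Returns a context pinned to exactly <version>, or NULL when the context
 * cannot be created or the bound cannot be applied (nothing is leaked). */
static SSL_CTX *ssl_sock_new_ctx_at_version(const SSL_METHOD *meth, int version)
{
	SSL_CTX *ctx = SSL_CTX_new(meth);

	if (!ctx)
		return NULL;
	if (!SSL_CTX_set_min_proto_version(ctx, version) ||
	    !SSL_CTX_set_max_proto_version(ctx, version)) {
		SSL_CTX_free(ctx);
		return NULL;
	}
	return ctx;
}

/* … in ssl_sock_initial_ctx(): same shape for TLSV11, TLSV10 and SSLV3, and
 * with TLS_client_method()/SRV_SSL_O_* in ssl_sock_prepare_srv_ctx() … */
	if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV12)
		ctx = ssl_sock_new_ctx_at_version(TLS_server_method(), TLS1_2_VERSION);
```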
@@ -3202,6 +3224,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 	if (!ctx && conf_ssl_options & BC_SSL_O_USE_SSLV3)
 		ctx = SSL_CTX_new(SSLv3_server_method());
 #endif
+#endif
 	if (!ctx) {
 		ctx = SSL_CTX_new(SSLv23_server_method());
 		if (conf_ssl_options & BC_SSL_O_NO_SSLV3)
@@ -3588,6 +3611,28 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 	if (srv->check.use_ssl)
 		srv->check.xprt = &ssl_sock;
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL || defined OPENSSL_IS_BORINGSSL)
+	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12) {
+		ctx = SSL_CTX_new(TLS_client_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
+	}
+	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV11) {
+		ctx = SSL_CTX_new(TLS_client_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);
+	}
+	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10) {
+		ctx = SSL_CTX_new(TLS_client_method());
+		SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION);
+	}
+	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
+		ctx = SSL_CTX_new(TLS_client_method());
+		SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+		SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION);
+	}
+#else
 #if SSL_OP_NO_TLSv1_2
 	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV12)
 		ctx = SSL_CTX_new(TLSv1_2_client_method());
@@ -3602,6 +3647,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 	if (!ctx && srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
 		ctx = SSL_CTX_new(SSLv3_client_method());
 #endif
+#endif
 	if (!ctx) {
 		ctx = SSL_CTX_new(SSLv23_client_method());
 		if (srv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
-- 
1.8.3.1

