|
|
|
|
@ -1520,6 +1520,14 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *
|
|
|
|
|
#endif /* OPENSSL_NO_TLSEXT */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#if defined(BORINGSSL_API_VERSION) \
|
|
|
|
|
|| defined(LIBRESSL_VERSION_NUMBER) \
|
|
|
|
|
|| defined(WOLFSSL_VERSION)
|
|
|
|
|
static int
|
|
|
|
|
mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
network_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
|
|
|
|
|
{
|
|
|
|
|
@ -1567,6 +1575,12 @@ network_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
|
|
|
|
|
SSL_CONF_CTX_free(cctx);
|
|
|
|
|
return rc;
|
|
|
|
|
|
|
|
|
|
#elif defined(BORINGSSL_API_VERSION) \
|
|
|
|
|
|| defined(LIBRESSL_VERSION_NUMBER) \
|
|
|
|
|
|| defined(WOLFSSL_VERSION)
|
|
|
|
|
|
|
|
|
|
return mod_openssl_ssl_conf_cmd(srv, s);
|
|
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
|
|
UNUSED(s);
|
|
|
|
|
@ -3183,3 +3197,197 @@ int mod_openssl_plugin_init (plugin *p)
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#if defined(BORINGSSL_API_VERSION) \
|
|
|
|
|
|| defined(LIBRESSL_VERSION_NUMBER) \
|
|
|
|
|
|| defined(WOLFSSL_VERSION)
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mod_openssl_ssl_conf_proto_val (server *srv, plugin_config_socket *s, const buffer *b, int max)
|
|
|
|
|
{
|
|
|
|
|
if (NULL == b) /* default: min TLSv1.2, max TLSv1.3 */
|
|
|
|
|
#ifdef TLS1_3_VERSION
|
|
|
|
|
return max ? TLS1_3_VERSION : TLS1_2_VERSION;
|
|
|
|
|
#else
|
|
|
|
|
return TLS1_2_VERSION;
|
|
|
|
|
#endif
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("None"))) /*"disable" limit*/
|
|
|
|
|
return max
|
|
|
|
|
?
|
|
|
|
|
#ifdef TLS1_3_VERSION
|
|
|
|
|
TLS1_3_VERSION
|
|
|
|
|
#else
|
|
|
|
|
TLS1_2_VERSION
|
|
|
|
|
#endif
|
|
|
|
|
: (s->ssl_use_sslv3 ? SSL3_VERSION : TLS1_VERSION);
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("SSLv3")))
|
|
|
|
|
return SSL3_VERSION;
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("TLSv1.0")))
|
|
|
|
|
return TLS1_VERSION;
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("TLSv1.1")))
|
|
|
|
|
return TLS1_1_VERSION;
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("TLSv1.2")))
|
|
|
|
|
return TLS1_2_VERSION;
|
|
|
|
|
#ifdef TLS1_3_VERSION
|
|
|
|
|
else if (buffer_eq_icase_slen(b, CONST_STR_LEN("TLSv1.3")))
|
|
|
|
|
return TLS1_3_VERSION;
|
|
|
|
|
#endif
|
|
|
|
|
else {
|
|
|
|
|
if (buffer_eq_icase_slen(b, CONST_STR_LEN("DTLSv1"))
|
|
|
|
|
|| buffer_eq_icase_slen(b, CONST_STR_LEN("DTLSv1.2")))
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: ssl.openssl.ssl-conf-cmd %s %s ignored",
|
|
|
|
|
max ? "MaxProtocol" : "MinProtocol", b->ptr);
|
|
|
|
|
else
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: ssl.openssl.ssl-conf-cmd %s %s invalid; ignored",
|
|
|
|
|
max ? "MaxProtocol" : "MinProtocol", b->ptr);
|
|
|
|
|
}
|
|
|
|
|
#ifdef TLS1_3_VERSION
|
|
|
|
|
return max ? TLS1_3_VERSION : TLS1_2_VERSION;
|
|
|
|
|
#else
|
|
|
|
|
return TLS1_2_VERSION;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
|
|
|
|
|
{
|
|
|
|
|
/* reference:
|
|
|
|
|
* https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html */
|
|
|
|
|
int rc = 0;
|
|
|
|
|
buffer *cipherstring = NULL;
|
|
|
|
|
/*buffer *ciphersuites = NULL;*/
|
|
|
|
|
buffer *minb = NULL;
|
|
|
|
|
buffer *maxb = NULL;
|
|
|
|
|
buffer *curves = NULL;
|
|
|
|
|
|
|
|
|
|
for (size_t i = 0; i < s->ssl_conf_cmd->used; ++i) {
|
|
|
|
|
data_string *ds = (data_string *)s->ssl_conf_cmd->data[i];
|
|
|
|
|
if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("CipherString")))
|
|
|
|
|
cipherstring = &ds->value;
|
|
|
|
|
#if 0
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Ciphersuites")))
|
|
|
|
|
ciphersuites = &ds->value;
|
|
|
|
|
#endif
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Curves"))
|
|
|
|
|
|| buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Groups")))
|
|
|
|
|
curves = &ds->value;
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("MaxProtocol")))
|
|
|
|
|
maxb = &ds->value;
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("MinProtocol")))
|
|
|
|
|
minb = &ds->value;
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Protocol"))) {
|
|
|
|
|
/* openssl config for Protocol=... is complex and deprecated */
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: ssl.openssl.ssl-conf-cmd %s ignored; "
|
|
|
|
|
"use MinProtocol=... and MaxProtocol=... instead",
|
|
|
|
|
ds->key.ptr);
|
|
|
|
|
}
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("Options"))) {
|
|
|
|
|
for (char *v = ds->value.ptr, *e; *v; v = e) {
|
|
|
|
|
while (*v == ' ' || *v == '\t' || *v == ',') ++v;
|
|
|
|
|
int flag = 1;
|
|
|
|
|
if (*v == '-') {
|
|
|
|
|
flag = 0;
|
|
|
|
|
++v;
|
|
|
|
|
}
|
|
|
|
|
for (e = v; light_isalpha(*e); ++e) ;
|
|
|
|
|
switch ((int)(e-v)) {
|
|
|
|
|
case 11:
|
|
|
|
|
if (buffer_eq_icase_ssn(v, "Compression", 11)) {
|
|
|
|
|
if (flag)
|
|
|
|
|
SSL_CTX_clear_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_NO_COMPRESSION);
|
|
|
|
|
else
|
|
|
|
|
SSL_CTX_set_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_NO_COMPRESSION);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case 13:
|
|
|
|
|
if (buffer_eq_icase_ssn(v, "SessionTicket", 13)) {
|
|
|
|
|
if (flag)
|
|
|
|
|
SSL_CTX_clear_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_NO_TICKET);
|
|
|
|
|
else
|
|
|
|
|
SSL_CTX_set_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_NO_TICKET);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case 16:
|
|
|
|
|
if (buffer_eq_icase_ssn(v, "ServerPreference", 16)) {
|
|
|
|
|
if (flag)
|
|
|
|
|
SSL_CTX_set_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
|
|
|
else
|
|
|
|
|
SSL_CTX_clear_options(s->ssl_ctx,
|
|
|
|
|
SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
|
|
|
s->ssl_honor_cipher_order = flag;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
/* warn if not explicitly handled or ignored above */
|
|
|
|
|
if (!flag) --v;
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: ssl.openssl.ssl-conf-cmd Options %.*s "
|
|
|
|
|
"ignored", (int)(e-v), v);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#if 0
|
|
|
|
|
else if (buffer_eq_icase_slen(&ds->key, CONST_STR_LEN("..."))) {
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
else {
|
|
|
|
|
/* warn if not explicitly handled or ignored above */
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: ssl.openssl.ssl-conf-cmd %s ignored",
|
|
|
|
|
ds->key.ptr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (minb) {
|
|
|
|
|
/*(wolfSSL_CTX_SetMinVersion() alt uses enums with different values)*/
|
|
|
|
|
int n = mod_openssl_ssl_conf_proto_val(srv, s, minb, 0);
|
|
|
|
|
if (!SSL_CTX_set_min_proto_version(s->ssl_ctx, n))
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maxb) {
|
|
|
|
|
#ifndef WOLFSSL_VERSION /*WolfSSL max ver is set at WolfSSL compile-time*/
|
|
|
|
|
int x = mod_openssl_ssl_conf_proto_val(srv, s, maxb, 1);
|
|
|
|
|
if (!SSL_CTX_set_max_proto_version(s->ssl_ctx, x))
|
|
|
|
|
rc = -1;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (cipherstring) {
|
|
|
|
|
/* Disable support for low encryption ciphers */
|
|
|
|
|
buffer_append_string_len(cipherstring,
|
|
|
|
|
CONST_STR_LEN(":!aNULL:!eNULL:!EXP"));
|
|
|
|
|
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
|
|
|
|
|
log_error(srv->errh, __FILE__, __LINE__,
|
|
|
|
|
"SSL: %s", ERR_error_string(ERR_get_error(), NULL));
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s->ssl_honor_cipher_order)
|
|
|
|
|
SSL_CTX_set_options(s->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (curves) {
|
|
|
|
|
if (!mod_openssl_ssl_conf_curves(srv, s, curves))
|
|
|
|
|
rc = -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif /* BORINGSSL_API_VERSION || LIBRESSL_VERSION_NUMBER || WOLFSSL_VERSION */
|
|
|
|
|
|
