Posted to commits@trafficserver.apache.org by zw...@apache.org on 2019/06/13 18:34:42 UTC
[trafficserver] branch master updated: Removes the remaining code
and configurations for SSL3
This is an automated email from the ASF dual-hosted git repository.
zwoop pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new ee23b6f Removes the remaining code and configurations for SSL3
ee23b6f is described below
commit ee23b6f463b1a4da06f9724f7cf1a8d2c246a347
Author: Leif Hedstrom <zw...@apache.org>
AuthorDate: Fri Jun 7 13:32:45 2019 -0600
Removes the remaining code and configurations for SSL3
---
configure.ac | 14 +-------------
doc/admin-guide/files/records.config.en.rst | 4 ----
include/tscore/ink_config.h.in | 1 -
iocore/net/SSLConfig.cc | 6 ------
iocore/net/SSLDiags.cc | 24 ------------------------
lib/perl/lib/Apache/TS/AdminClient.pm | 5 +++--
mgmt/RecordsConfig.cc | 6 ------
7 files changed, 4 insertions(+), 56 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9328124..062437b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -440,18 +440,6 @@ AC_ARG_ENABLE([hardening],
AC_MSG_RESULT([$enable_hardening])
#
-# Enable SSLv3 to origin
-#
-AC_MSG_CHECKING([whether to enable SSLv3 config for origin connections])
-AC_ARG_ENABLE([sslv3-client],
- [AS_HELP_STRING([--enable-sslv3-client],[Enable SSLv3 config for origin connections (Only do this if you understand the risks)])],
- [],
- [enable_sslv3_client="no"]
-)
-AC_MSG_RESULT([$enable_sslv3_client])
-TS_ARG_ENABLE_VAR([use], [sslv3-client])
-
-#
# Use TPROXY for connection transparency.
#
AC_MSG_CHECKING([whether to enable TPROXY based transparency])
@@ -1233,7 +1221,7 @@ AC_CHECK_FUNC([EVP_MD_CTX_free], [],
LIBS="$saved_LIBS"
-#
+#
# Check OpenSSL version for JA3 Fingerprint
#
AC_MSG_CHECKING([for JA3 compatible OpenSSL version])
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index cebde44..887addd 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3407,10 +3407,6 @@ Client-Related Configuration
`host` which means the host header field value is used for the SNI. If `remap` is specified, the
remapped origin name is used for the SNI value.
-.. ts:cv:: CONFIG proxy.config.ssl.client.SSLv3 INT 0
-
- Enables (``1``) or disables (``0``) SSLv3 in the ATS client context. Disabled by default
-
.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1 INT 0
Enables (``1``) or disables (``0``) TLSv1.0 in the ATS client context. If not specified, enabled by default
diff --git a/include/tscore/ink_config.h.in b/include/tscore/ink_config.h.in
index 53b02db..36f9871 100644
--- a/include/tscore/ink_config.h.in
+++ b/include/tscore/ink_config.h.in
@@ -75,7 +75,6 @@
#define TS_USE_TLS_SET_CIPHERSUITES @use_tls_set_ciphersuites@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
-#define TS_USE_SSLV3_CLIENT @use_sslv3_client@
#define TS_USE_TLS_OCSP @use_tls_ocsp@
#define TS_HAS_SO_PEERCRED @has_so_peercred@
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 86694a8..f854883 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -200,12 +200,6 @@ SSLConfigParams::initialize()
int option = 0;
-#if TS_USE_SSLV3_CLIENT
- REC_ReadConfigInteger(option, "proxy.config.ssl.client.SSLv3");
- if (option)
- ssl_client_ctx_options &= ~SSL_OP_NO_SSLv3;
-#endif
-
REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1");
if (!option) {
ssl_ctx_options |= SSL_OP_NO_TLSv1;
diff --git a/iocore/net/SSLDiags.cc b/iocore/net/SSLDiags.cc
index 549a4d3..e1d8d68 100644
--- a/iocore/net/SSLDiags.cc
+++ b/iocore/net/SSLDiags.cc
@@ -42,42 +42,30 @@ increment_ssl_client_error(unsigned long err)
// (we ignore FUNCTION with the prejudice that we don't care what function
// the error came from, hope that's ok?)
switch (ERR_GET_REASON(err)) {
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_expired_cert_stat);
break;
-#endif
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_revoked_cert_stat);
break;
-#endif
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_unknown_cert_stat);
break;
-#endif
case SSL_R_CERTIFICATE_VERIFY_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_cert_verify_failed_stat);
break;
-#ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_bad_cert_stat);
break;
-#endif
-#ifdef SSL_R_TLSV1_ALERT_DECRYPTION_FAILED
case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_decryption_failed_stat);
break;
-#endif
case SSL_R_WRONG_VERSION_NUMBER:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_wrong_version_stat);
break;
-#ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_unknown_ca_stat);
break;
-#endif
default:
SSL_INCREMENT_DYN_STAT(ssl_user_agent_other_errors_stat);
return false;
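Review bot: The `#ifdef` guards removed around the `case SSL_R_SSLV3_ALERT_*` / `SSL_R_TLSV1_ALERT_*` labels were protecting OpenSSL reason-code macros, which are TLS alert reason codes named after the SSLv3/TLSv1 alert numbering rather than SSLv3 protocol support, so dropping them is a build-portability change rather than part of removing SSLv3. Unless the OpenSSL version check in configure.ac (or whichever minimum the build enforces) guarantees every supported TLS backend defines all seven of these macros, a build against a library that lacks one of them now fails on the unconditional `case` label where it previously compiled. If the guards are being dropped deliberately because a minimum library version is now assumed, a comment above the `switch` saying so would stop the next reader from re-adding them, e.g. `// These reason codes are used unconditionally: the minimum OpenSSL version enforced by configure.ac defines all of them.`; otherwise the guards should stay. The body of increment_ssl_client_error continues past the end of this hunk.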
@@ -101,42 +89,30 @@ increment_ssl_server_error(unsigned long err)
// (we ignore FUNCTION with the prejudice that we don't care what function
// the error came from, hope that's ok?)
switch (ERR_GET_REASON(err)) {
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_expired_cert_stat);
break;
-#endif
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_revoked_cert_stat);
break;
-#endif
-#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_unknown_cert_stat);
break;
-#endif
case SSL_R_CERTIFICATE_VERIFY_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_cert_verify_failed_stat);
break;
-#ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_bad_cert_stat);
break;
-#endif
-#ifdef SSL_R_TLSV1_ALERT_DECRYPTION_FAILED
case SSL_R_TLSV1_ALERT_DECRYPTION_FAILED:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_decryption_failed_stat);
break;
-#endif
case SSL_R_WRONG_VERSION_NUMBER:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_wrong_version_stat);
break;
-#ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_unknown_ca_stat);
break;
-#endif
default:
SSL_INCREMENT_DYN_STAT(ssl_origin_server_other_errors_stat);
return false;
diff --git a/lib/perl/lib/Apache/TS/AdminClient.pm b/lib/perl/lib/Apache/TS/AdminClient.pm
index 85d937e..dc3b6c5 100644
--- a/lib/perl/lib/Apache/TS/AdminClient.pm
+++ b/lib/perl/lib/Apache/TS/AdminClient.pm
@@ -591,9 +591,10 @@ The Apache Traffic Server Administration Manual will explain what these strings
proxy.config.ssl.server.cipher_suite
proxy.config.ssl.server.honor_cipher_order
proxy.config.ssl.server.dhparams_file
- proxy.config.ssl.SSLv2
- proxy.config.ssl.SSLv3
proxy.config.ssl.TLSv1
+ proxy.config.ssl.TLSv1_1
+ proxy.config.ssl.TLSv1_2
+ proxy.config.ssl.TLSv1_3
proxy.config.ssl.server.multicert.filename
proxy.config.ssl.server.private_key.path
proxy.config.stat_collector.interval
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 93508da..2e71638 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1068,12 +1068,6 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.TLSv1_3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
-
- // Client SSL protocols
-#if TS_USE_SSLV3_CLIENT
- {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
- ,
-#endif
{RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}