Posted to commits@trafficserver.apache.org by bc...@apache.org on 2013/12/16 23:57:43 UTC

git commit: TS-2355: ATS 4.0.x crashes when using OpenSSL 1.0.1e

Updated Branches:
  refs/heads/master 6dfab90be -> 2a979548d


TS-2355: ATS 4.0.x crashes when using OpenSSL 1.0.1e


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2a979548
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2a979548
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2a979548

Branch: refs/heads/master
Commit: 2a979548dbf17dea5fbeb43e79116b4c3dcf4a6e
Parents: 6dfab90
Author: Ron Barber <rb...@yahoo-inc.com>
Authored: Mon Dec 16 14:56:32 2013 -0800
Committer: Bryan Call <bc...@apache.org>
Committed: Mon Dec 16 14:56:32 2013 -0800

----------------------------------------------------------------------
 doc/reference/configuration/records.config.en.rst | 8 ++++++++
 iocore/net/P_SSLUtils.h                           | 9 +++++++++
 iocore/net/SSLConfig.cc                           | 6 ++++++
 mgmt/RecordsConfig.cc                             | 4 ++++
 4 files changed, 27 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index 2092ef7..99a81a8 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -1922,6 +1922,14 @@ SSL Termination
 
    Enables (``1``) or disables (``0``) TLSv1.
 
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 1
+
+   Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, enabled by default.  [Requires OpenSSL v1.0.1 and higher]
+
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
+
+   Enables (``1``) or disables (``0``) TLS v1.2.  If not specified, DISABLED by default.  [Requires OpenSSL v1.0.1 and higher]
+
 .. ts:cv:: CONFIG proxy.config.ssl.client.certification_level INT 0
 
    Sets the client certification level:

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 289ff99..5ed2d82 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -33,6 +33,15 @@
 #error Traffic Server requires a OpenSSL library that support threads
 #endif
 
+// if we are compiling against an early version of OpenSSL, define our own values
+#ifndef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0x10000000L
+#endif
+#ifndef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_TLSv1_2 0x08000000L
+#endif
+#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status
+
 struct SSLConfigParams;
 struct SSLCertLookup;
 
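Review bot: `SSL_VERSION_1_0_1` is defined unconditionally and without the `L` suffix that the OpenSSL version constants it is meant to be compared against carry, while the two `SSL_OP_NO_*` fallbacks just above it are guarded by `#ifndef`; guard it the same way so a future header supplying the name does not trigger a redefinition, and write it as `#define SSL_VERSION_1_0_1 0x10001000L // MMNNFFPPS: 1.0.1-dev and later`. The fallback values also need a comment saying what they mean on a pre-1.0.1 library: OpenSSL before 1.0.1 does not implement TLS 1.1/1.2, so setting these bits there cannot disable anything, and whether the library interprets those bit positions some other way depends on that version and is not visible here. Nothing in this commit compares `OPENSSL_VERSION_NUMBER` against the new constant, so a comment above the `#ifndef` pair such as `// Pre-1.0.1 OpenSSL has no TLS 1.1/1.2; these values only let the option code compile there and must not be assumed to disable anything.` would record the intended scope.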

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index d4e0b9e..8493766 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -148,6 +148,12 @@ SSLConfigParams::initialize()
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1;
+  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
+  if (!options)
+    ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
+  if (!options)
+    ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
   REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
   if (!options)
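Review bot: The two new reads OR `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2` into `ssl_ctx_options` unconditionally, so on a build against OpenSSL older than 1.0.1 the bits come from the local `#define`s added in P_SSLUtils.h rather than from the library, and `SSL_VERSION_1_0_1` from that header is never compared against `OPENSSL_VERSION_NUMBER` here. If the "requires OpenSSL 1.0.1 and higher" restriction stated in the documentation hunk is meant to be enforced, wrap the two reads in `#if OPENSSL_VERSION_NUMBER >= SSL_VERSION_1_0_1` … `#endif`, matching the `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` guard on the following line. A short comment noting that `options` is reused across consecutive reads, and that its value after a missing record depends on `REC_ReadConfigInteger` (not visible in this hunk), would also help the next reader. `SSLConfigParams::initialize()` starts and ends outside the hunk.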

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 94b9055..134e029 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1223,6 +1223,10 @@ RecordElement RecordsConfig[] = {
   ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now.  OpenSSL v1.0.1e (and lower) have issue TS-2355
+  ,
   {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
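Review bot: The `proxy.config.ssl.TLSv1_2` record defaults to `"0"`, but the records.config.en.rst hunk in this same commit declares it as `CONFIG proxy.config.ssl.TLSv1_2 INT 1` while its description text says disabled by default; the two disagree, and an operator reading the reference will expect TLS 1.2 to be on. Since the record here is what ships, the doc line should read `.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 0`. The trailing `// default disabled for now. …` comment is the only place recording why the newest protocol version is turned off; stating the condition for reverting it, e.g. `// TS-2355: default "0" until the OpenSSL 1.0.1e crash is resolved; flip to "1" then`, makes the temporary nature of the reduced default explicit.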