Posted to commits@trafficserver.apache.org by bc...@apache.org on 2013/12/16 23:57:43 UTC
git commit: TS-2355: ATS 4.0.x crashes when using OpenSSL 1.0.1e
Updated Branches:
refs/heads/master 6dfab90be -> 2a979548d
TS-2355: ATS 4.0.x crashes when using OpenSSL 1.0.1e
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2a979548
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2a979548
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2a979548
Branch: refs/heads/master
Commit: 2a979548dbf17dea5fbeb43e79116b4c3dcf4a6e
Parents: 6dfab90
Author: Ron Barber <rb...@yahoo-inc.com>
Authored: Mon Dec 16 14:56:32 2013 -0800
Committer: Bryan Call <bc...@apache.org>
Committed: Mon Dec 16 14:56:32 2013 -0800
----------------------------------------------------------------------
doc/reference/configuration/records.config.en.rst | 8 ++++++++
iocore/net/P_SSLUtils.h | 9 +++++++++
iocore/net/SSLConfig.cc | 6 ++++++
mgmt/RecordsConfig.cc | 4 ++++
4 files changed, 27 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/doc/reference/configuration/records.config.en.rst
----------------------------------------------------------------------
diff --git a/doc/reference/configuration/records.config.en.rst b/doc/reference/configuration/records.config.en.rst
index 2092ef7..99a81a8 100644
--- a/doc/reference/configuration/records.config.en.rst
+++ b/doc/reference/configuration/records.config.en.rst
@@ -1922,6 +1922,14 @@ SSL Termination
Enables (``1``) or disables (``0``) TLSv1.
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 1
+
+ Enables (``1``) or disables (``0``) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher]
+
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
+
+ Enables (``1``) or disables (``0``) TLS v1.2. If not specified, DISABLED by default. [Requires OpenSSL v1.0.1 and higher]
+
.. ts:cv:: CONFIG proxy.config.ssl.client.certification_level INT 0
Sets the client certification level:
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 289ff99..5ed2d82 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -33,6 +33,15 @@
#error Traffic Server requires a OpenSSL library that support threads
#endif
+// if we are compiling against an early version of OpenSSL, define our own values
+#ifndef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0x10000000L
+#endif
+#ifndef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_TLSv1_2 0x08000000L
+#endif
+#define SSL_VERSION_1_0_1 0x010001000 // MMNNFFPPS: major minor fix patch status
+
struct SSLConfigParams;
struct SSLCertLookup;
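Review bot: The `#ifndef SSL_OP_NO_TLSv1_1` / `#ifndef SSL_OP_NO_TLSv1_2` fallbacks let SSLConfig.cc OR these bits into `ssl_ctx_options` when building against an OpenSSL that predates TLS 1.1/1.2, but on such a library those bit positions are not reserved for this purpose and mean whatever that library's own ssl.h assigns them (this range appears to have carried other SSL_OP_ flags in older headers, so please confirm against the oldest supported OpenSSL). Because the TLSv1_2 record defaults to 0, the `SSL_OP_NO_TLSv1_2` bit is set on every start, not only when an operator opts out. `SSL_VERSION_1_0_1` looks intended to gate exactly this, yet nothing in the patch uses it; I would either drop the two fallbacks or have the SSLConfig.cc hunk apply the bits only under `#if OPENSSL_VERSION_NUMBER >= SSL_VERSION_1_0_1`. The macro itself deserves a purpose line, e.g. `// lowest OPENSSL_VERSION_NUMBER whose ssl.h defines SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2`, and a project prefix would avoid squatting on OpenSSL's `SSL_` namespace.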
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index d4e0b9e..8493766 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -148,6 +148,12 @@ SSLConfigParams::initialize()
REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
if (!options)
ssl_ctx_options |= SSL_OP_NO_TLSv1;
+ REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
+ if (!options)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+ REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
+ if (!options)
+ ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
if (!options)
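Review bot: The new TLSv1_1 and TLSv1_2 reads follow the `TLSv1` pattern above but, unlike the `SSL_OP_CIPHER_SERVER_PREFERENCE` block just below, are compiled unconditionally, and an `#ifdef` would not help because P_SSLUtils.h now defines the two macros itself. With the record default of 0 for TLSv1_2, `SSL_OP_NO_TLSv1_2` is OR'd into `ssl_ctx_options` on every build, including one against an OpenSSL with no TLS 1.2 support, where the bit's meaning is whatever that library assigns. Wrap the six new lines in `#if OPENSSL_VERSION_NUMBER >= SSL_VERSION_1_0_1` and `#endif`, and consider logging a warning when an operator sets TLSv1_1 or TLSv1_2 to 1 on a library that cannot negotiate it, so the silent fall-back to older protocol versions is visible in the logs. `SSLConfigParams::initialize()` continues outside the hunk on both sides.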
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2a979548/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 94b9055..134e029 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1223,6 +1223,10 @@ RecordElement RecordsConfig[] = {
,
{RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} // default disabled for now. OpenSSL v1.0.1e (and lower) have issue TS-2355
+ ,
{RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
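Review bot: The trailing comment on the `proxy.config.ssl.TLSv1_2` record says the default is disabled "for now" but states no condition for revisiting it, and shipping with TLS 1.2 off is a deliberate capability loss for every build, including those whose OpenSSL the comment does not name as affected. A tracked marker makes the follow-up findable: `// TODO(TS-2355): flip default to "1" once OpenSSL 1.0.1e and earlier are no longer supported`. Placing that comment on its own line above the entry, rather than appending it to an already long initializer, also keeps the table aligned with the surrounding records.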