Posted to commits@trafficserver.apache.org by zw...@apache.org on 2019/06/07 19:07:54 UTC

[trafficserver] branch master updated: Turns off TLS v1.0 and TLS v1.1 by default

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 69f1390  Turns off TLS v1.0 and TLS v1.1 by default
69f1390 is described below

commit 69f13909cd520da2f5c615ab6f27733da813fc43
Author: Leif Hedstrom <zw...@apache.org>
AuthorDate: Thu Jun 6 18:39:45 2019 -0600

    Turns off TLS v1.0 and TLS v1.1 by default
---
 doc/admin-guide/files/records.config.en.rst | 12 +++----
 iocore/net/SSLConfig.cc                     | 56 ++++++++++++++---------------
 mgmt/RecordsConfig.cc                       |  8 ++---
 3 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index b8653e2..cebde44 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3081,11 +3081,11 @@ SSL Termination
 
    This configuration works with OpenSSL v1.0.2 and above.
 
-.. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0
 
-   Enables (``1``) or disables (``0``) TLSv1.
+   Enables (``1``) or disables (``0``) TLSv1.0.
 
-.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 1
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0
 
    Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, enabled by default.  [Requires OpenSSL v1.0.1 and higher]
 
@@ -3411,11 +3411,11 @@ Client-Related Configuration
 
    Enables (``1``) or disables (``0``) SSLv3 in the ATS client context. Disabled by default
 
-.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1 INT 1
+.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1 INT 0
 
-   Enables (``1``) or disables (``0``) TLSv1 in the ATS client context. If not specified, enabled by default
+   Enables (``1``) or disables (``0``) TLSv1.0 in the ATS client context. If not specified, enabled by default
 
-.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
+.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_1 INT 0
 
    Enables (``1``) or disables (``0``) TLSv1_1 in the ATS client context. If not specified, enabled by default
 
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 6097d17..0183800 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -198,61 +198,59 @@ SSLConfigParams::initialize()
 
   dhparamsFile = ats_stringdup(RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file"));
 
-  int options;
-  int client_ssl_options = 0;
-  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
-  if (!options) {
-    ssl_ctx_options |= SSL_OP_NO_TLSv1;
-  }
+  int option = 0;
 
 #if TS_USE_SSLV3_CLIENT
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
-  if (client_ssl_options)
+  REC_ReadConfigInteger(option, "proxy.config.ssl.client.SSLv3");
+  if (option)
     ssl_client_ctx_options &= ~SSL_OP_NO_SSLv3;
 #endif
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
-  if (!client_ssl_options) {
+
+  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1");
+  if (!option) {
+    ssl_ctx_options |= SSL_OP_NO_TLSv1;
+  }
+
+  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1");
+  if (!option) {
     ssl_client_ctx_options |= SSL_OP_NO_TLSv1;
   }
 
-// These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355.
-#ifdef SSL_OP_NO_TLSv1_1
-  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
-  if (!options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_1");
+  if (!option) {
     ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
   }
 
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_1");
-  if (!client_ssl_options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_1");
+  if (!option) {
     ssl_client_ctx_options |= SSL_OP_NO_TLSv1_1;
   }
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
-  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
-  if (!options) {
+
+  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_2");
+  if (!option) {
     ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
   }
 
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_2");
-  if (!client_ssl_options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_2");
+  if (!option) {
     ssl_client_ctx_options |= SSL_OP_NO_TLSv1_2;
   }
-#endif
+
 #ifdef SSL_OP_NO_TLSv1_3
-  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_3");
-  if (!options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_3");
+  if (!option) {
     ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
   }
 
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_3");
-  if (!client_ssl_options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_3");
+  if (!option) {
     ssl_client_ctx_options |= SSL_OP_NO_TLSv1_3;
   }
 #endif
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
-  REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
-  if (options) {
+  REC_ReadConfigInteger(option, "proxy.config.ssl.server.honor_cipher_order");
+  if (option) {
     ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
   }
 #endif
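Review bot: Every protocol flag in this hunk is now read into the single `option` variable that is zeroed only once at the top, so if REC_ReadConfigInteger leaves its first argument untouched when a record is absent (the macro's behaviour on a miss is not visible here), a missing `proxy.config.ssl.TLSv1_3` or `proxy.config.ssl.client.TLSv1_3` record would inherit the previous read's value and could leave a protocol enabled that nobody configured. A small helper keeps each read fail-closed and removes the shared state: `auto read_flag = [](const char *name) { int v = 0; REC_ReadConfigInteger(v, name); return v; };` followed by `if (!read_flag("proxy.config.ssl.TLSv1")) { ssl_ctx_options |= SSL_OP_NO_TLSv1; }` for each record. Dropping the `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards also silently raises the minimum OpenSSL to one that defines both macros; a one-line comment stating that floor where the guards used to be would stop the next reader from re-adding them. SSLConfigParams::initialize() starts before and continues after this hunk.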
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 8e29a89..93508da 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1059,9 +1059,9 @@ static const RecordElement RecordsConfig[] =
   //##############################################################################
   {RECT_CONFIG, "proxy.config.ssl.server.session_ticket.enable", RECD_INT, "1", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
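Review bot: The new `"0"` defaults for `proxy.config.ssl.TLSv1` and `proxy.config.ssl.TLSv1_1` here (and for the client-side pair in the second hunk of this file) are contradicted by the prose in the records.config.en.rst hunk of this same commit, which still says "If not specified, enabled by default" for `TLSv1_1`, `client.TLSv1` and `client.TLSv1_1`; an operator reading the docs would assume the old behaviour survives. Those three sentences should read `If not specified, disabled by default.` The comment just above `proxy.config.ssl.TLSv1_2` (`// Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.`) now stands alone, since the matching TS-2355 note and `#ifdef` guards were removed from SSLConfig.cc in this commit; either drop it or restate the OpenSSL version floor it alludes to.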
@@ -1074,9 +1074,9 @@ static const RecordElement RecordsConfig[] =
   {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
 #endif
-  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,