forked from pool/haproxy
26c4149063
- Backport patches from upstream: - BUG/MINOR: http: remove stupid HTTP_METH_NONE entry - BUG/MAJOR: http: don't call http_send_name_header() after an error - Add 0014-BUG-MINOR-http-remove-stupid-HTTP_METH_NONE-entry.patch - Add 0015-BUG-MAJOR-http-don-t-call-http_send_name_header-afte.patch - Backport patches from upstream: - BUG/MINOR: log: missing some ARGC_* entries in fmt_directives() - DOC: usesrc root privileges requirements - BUILD: ssl: Allow building against libssl without SSLv3. - DOC/MINOR: fix OpenBSD versions where haproxy works - BUG/MINOR: http/sample: gmtime/localtime can fail - DOC: typo in 'redirect', 302 code meaning - DOC: mention that %ms is left-padded with zeroes. - CLEANUP: .gitignore: ignore more test files - CLEANUP: .gitignore: finally ignore everything but what is known. - MEDIUM: config: emit a warning on a frontend without listener - BUG/MEDIUM: counters: ensure that src_{inc,clr}_gpc0 creates a missing entry - DOC: ssl: missing LF - DOC: fix example of http-request using ssl_fc_session_id - Add 0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch - Add 0002-DOC-usesrc-root-privileges-requirements.patch - Add 0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch - Add 0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch - Add 0005-BUG-MINOR-http-sample-gmtime-localtime-can-fail.patch - Add 0006-DOC-typo-in-redirect-302-code-meaning.patch - Add 0007-DOC-mention-that-ms-is-left-padded-with-zeroes.patch - Add 0008-CLEANUP-.gitignore-ignore-more-test-files.patch - Add 0009-CLEANUP-.gitignore-finally-ignore-everything-but-wha.patch - Add 0010-MEDIUM-config-emit-a-warning-on-a-frontend-without-l.patch (forwarded request 329653 from KGronlund) OBS-URL: https://build.opensuse.org/request/show/329654 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haproxy?expand=0&rev=32
53 lines
1.9 KiB
Diff
53 lines
1.9 KiB
Diff
From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= <jca@wxcvbn.org>
|
|
Date: Sat, 25 Jul 2015 16:50:52 -0600
|
|
Subject: [PATCH 03/11] BUILD: ssl: Allow building against libssl without
|
|
SSLv3.
|
|
|
|
If SSLv3 is explicitely requested but not available, warn the user and
|
|
bail out.
|
|
(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
|
|
---
|
|
src/ssl_sock.c | 16 ++++++++++++++--
|
|
1 file changed, 14 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index 7d77d36..2ae45ec 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
|
|
ssloptions |= SSL_OP_NO_TLSv1_2;
|
|
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
|
|
ssloptions |= SSL_OP_NO_TICKET;
|
|
- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
|
|
+ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
|
|
+#else
|
|
+ Alert("SSLv3 support requested but unavailable.\n");
|
|
+ cfgerr++;
|
|
+#endif
|
|
+ }
|
|
if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
|
|
SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
|
|
#if SSL_OP_NO_TLSv1_1
|
|
@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
|
|
options |= SSL_OP_NO_TLSv1_2;
|
|
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
|
|
options |= SSL_OP_NO_TICKET;
|
|
- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
|
|
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
|
|
+#ifndef OPENSSL_NO_SSL3
|
|
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
|
|
+#else
|
|
+ Alert("SSLv3 support requested but unavailable.");
|
|
+ cfgerr++;
|
|
+#endif
|
|
+ }
|
|
if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
|
|
SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
|
|
#if SSL_OP_NO_TLSv1_1
|
|
--
|
|
2.1.4
|
|
|