From 425dd8cb3b7c93b698a3395022638f299a6a4861 Mon Sep 17 00:00:00 2001
From: Markus Makela
Date: Wed, 17 Jun 2015 10:20:00 +0300
Subject: [PATCH] Removed SSLv2 methods from serviceInitSSL because OpenSSL 1.1.0 does not support them.

---
 Documentation/Getting-Started/Configuration-Guide.md | 1 -
 Documentation/Reference/MaxScale-and-SSL.md | 2 +-
 server/core/service.c | 7 +------
 server/include/service.h | 5 ++---
 4 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index afda397fe..c2f815d09 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -349,7 +349,6 @@ This is the Certificate Authority file. It will be used to verify that both the
 ### `ssl_version`
 This parameter controls the level of encryption used. Accepted values are:
- * SSLv2
 * SSLv3
 * TLSv10
 * TLSv11
diff --git a/Documentation/Reference/MaxScale-and-SSL.md b/Documentation/Reference/MaxScale-and-SSL.md
index d03a5af52..f293085c1 100644
--- a/Documentation/Reference/MaxScale-and-SSL.md
+++ b/Documentation/Reference/MaxScale-and-SSL.md
@@ -11,5 +11,5 @@ ssl | disabled, enabled, required |`disable` disables SSL, `enabled` ena
 ssl_cert | path to file |Path to server certificate
 ssl_key | path to file |Path to server private key
 ssl_ca_cert | path to file |Path to Certificate Authority file
-ssl_version|SSLV2,SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level, defaults to highest available encryption level which is TLSv1.2
+ssl_version|SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level, defaults to highest available encryption level which is TLSv1.2
 ssl_cert_verify_depth|integer|Certificate authority certificate verification depth, default is 100.
diff --git a/server/core/service.c b/server/core/service.c
index 4d2507cd6..b0959e6c3 100644
--- a/server/core/service.c
+++ b/server/core/service.c
@@ -909,9 +909,7 @@ serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert)
 int serviceSetSSLVersion(SERVICE *service, char* version)
 {
- if(strcasecmp(version,"SSLV2") == 0)
- service->ssl_method_type = SERVICE_SSLV2;
- else if(strcasecmp(version,"SSLV3") == 0)
+ if(strcasecmp(version,"SSLV3") == 0)
 service->ssl_method_type = SERVICE_SSLV3;
 else if(strcasecmp(version,"TLSV10") == 0)
 service->ssl_method_type = SERVICE_TLS10;
@@ -1952,9 +1950,6 @@ int serviceInitSSL(SERVICE* service)
 {
 switch(service->ssl_method_type)
 {
- case SERVICE_SSLV2:
- service->method = (SSL_METHOD*)SSLv2_server_method();
- break;
 case SERVICE_SSLV3:
 service->method = (SSL_METHOD*)SSLv3_server_method();
 break;
diff --git a/server/include/service.h b/server/include/service.h
index 085c0c595..3337ebfc0 100644
--- a/server/include/service.h
+++ b/server/include/service.h
@@ -115,7 +115,6 @@ typedef enum {
 } ssl_mode_t;
 enum{
- SERVICE_SSLV2,
 SERVICE_SSLV3,
 SERVICE_TLS10,
 SERVICE_TLS11,
@@ -175,10 +174,10 @@ typedef struct service {
 char *weightby;
 struct service *next; /**< The next service in the linked list */
 SSL_CTX *ctx;
- SSL_METHOD *method; /*< SSLv2/3 or TLSv1/2 methods
+ SSL_METHOD *method; /*< SSLv3 or TLS1.0/1.1/1.2 methods
 * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
 int ssl_cert_verify_depth; /*< SSL certificate verification depth */
- int ssl_method_type; /*< Which of the SSLv2/3 or TLS1.0/1.1/1.2 methods to use */
+ int ssl_method_type; /*< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */
 char* ssl_cert; /*< SSL certificate */
 char* ssl_key; /*< SSL private key */
 char* ssl_ca_cert; /*< SSL CA certificate */
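Review bot: A configuration that still sets `ssl_version=SSLV2` now falls through to the tail of this `if`/`else if` chain, which is outside the hunk, so it is worth confirming that the final branch rejects unrecognised values with a non-zero return and a log line instead of leaving `ssl_method_type` untouched. The documentation hunks drop SSLV2 without comment, so an explicit message at that point, for example `"SSLv2 is no longer supported, use TLSV12 or MAX"`, would tell an operator why an old configuration stopped loading. The body of serviceSetSSLVersion continues past the hunk.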
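Review bot: The `SERVICE_SSLV3` case that remains calls `SSLv3_server_method()`, and OpenSSL 1.1.0, the version named in the commit message, disables SSLv3 at build time by default (the method is compiled out under `OPENSSL_NO_SSL3`, with a separate `OPENSSL_NO_SSL3_METHOD` in 1.1.0), so the build break this commit fixes for SSLv2 is likely to reappear for SSLv3 on a default 1.1.0 build. SSLv3 is also no longer a protocol a server should offer, so the simplest fix is to drop the case the same way SSLv2 was dropped; if it must stay for older OpenSSL, wrap it in `#ifndef OPENSSL_NO_SSL3` … `#endif`. The `(SSL_METHOD*)` casts here discard the `const` that the `*_server_method()` functions return; declaring the `method` field as `const SSL_METHOD *` in service.h would let them go. serviceInitSSL's body continues past the hunk.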
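Review bot: Removing `SERVICE_SSLV2` from the head of the anonymous enum renumbers every remaining constant, so the value 0 that a zero-initialised `int ssl_method_type` holds now selects `SERVICE_SSLV3` instead of `SERVICE_SSLV2`, and any raw integer stored or compared outside this enum shifts by one. That only matters if some path reads `ssl_method_type` before serviceSetSSLVersion has run or persists the number, which I cannot see from here, but the documentation in this commit promises a TLSv1.2 default while an unset field would now silently choose the weakest remaining method. A comment on the enum, `/* positional values: ssl_method_type must be set via serviceSetSSLVersion() before use */`, and an explicit default assignment wherever a SERVICE is allocated would close that gap.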