Removed SSLv2 methods from serviceInitSSL because OpenSSL 1.1.0 does not support them.

Markus Makela
2015-06-17 10:20:00 +03:00
parent f0aed1f666
commit 425dd8cb3b
4 changed files with 4 additions and 11 deletions


@ -349,7 +349,6 @@ This is the Certificate Authority file. It will be used to verify that both the
### `ssl_version` ### `ssl_version`
This parameter controls the level of encryption used. Accepted values are: This parameter controls the level of encryption used. Accepted values are:
* SSLv2
* SSLv3 * SSLv3
* TLSv10 * TLSv10
* TLSv11 * TLSv11


@ -11,5 +11,5 @@ ssl | disabled, enabled, required |`disable` disables SSL, `enabled` ena
ssl_cert | path to file |Path to server certificate ssl_cert | path to file |Path to server certificate
ssl_key | path to file |Path to server private key ssl_key | path to file |Path to server private key
ssl_ca_cert | path to file |Path to Certificate Authority file ssl_ca_cert | path to file |Path to Certificate Authority file
ssl_version|SSLV2,SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level, defaults to highest available encryption level which is TLSv1.2 ssl_version|SSLV3,TLSV10,TLSV11,TLSV12,MAX| The SSL method level, defaults to highest available encryption level which is TLSv1.2
ssl_cert_verify_depth|integer|Certificate authority certificate verification depth, default is 100. ssl_cert_verify_depth|integer|Certificate authority certificate verification depth, default is 100.


@ -909,9 +909,7 @@ serviceSetCertificates(SERVICE *service, char* cert,char* key, char* ca_cert)
int int
serviceSetSSLVersion(SERVICE *service, char* version) serviceSetSSLVersion(SERVICE *service, char* version)
{ {
if(strcasecmp(version,"SSLV2") == 0) if(strcasecmp(version,"SSLV3") == 0)
service->ssl_method_type = SERVICE_SSLV2;
else if(strcasecmp(version,"SSLV3") == 0)
service->ssl_method_type = SERVICE_SSLV3; service->ssl_method_type = SERVICE_SSLV3;
else if(strcasecmp(version,"TLSV10") == 0) else if(strcasecmp(version,"TLSV10") == 0)
service->ssl_method_type = SERVICE_TLS10; service->ssl_method_type = SERVICE_TLS10;
@ -1952,9 +1950,6 @@ int serviceInitSSL(SERVICE* service)
{ {
switch(service->ssl_method_type) switch(service->ssl_method_type)
{ {
case SERVICE_SSLV2:
service->method = (SSL_METHOD*)SSLv2_server_method();
break;
case SERVICE_SSLV3: case SERVICE_SSLV3:
service->method = (SSL_METHOD*)SSLv3_server_method(); service->method = (SSL_METHOD*)SSLv3_server_method();
break; break;
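Review bot: The `SERVICE_SSLV3` case kept in `serviceInitSSL` still selects `SSLv3_server_method()`, so the service can still be configured to use a protocol that RFC 7568 prohibits, and the call will not link against OpenSSL builds configured with `no-ssl3-method` (`OPENSSL_NO_SSL3_METHOD`). Consider wrapping the case in `#ifndef OPENSSL_NO_SSL3_METHOD` and logging a warning when it is chosen, or retiring it together with SSLv2. In `serviceSetSSLVersion`, a configuration that still says `ssl_version=SSLV2` now falls through to the end of the `if`/`else` chain, which is outside this hunk; it is worth confirming that the final branch reports an error rather than silently selecting another protocol. Both function bodies continue outside the hunks shown.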


@ -115,7 +115,6 @@ typedef enum {
} ssl_mode_t; } ssl_mode_t;
enum{ enum{
SERVICE_SSLV2,
SERVICE_SSLV3, SERVICE_SSLV3,
SERVICE_TLS10, SERVICE_TLS10,
SERVICE_TLS11, SERVICE_TLS11,
@ -175,10 +174,10 @@ typedef struct service {
char *weightby; char *weightby;
struct service *next; /**< The next service in the linked list */ struct service *next; /**< The next service in the linked list */
SSL_CTX *ctx; SSL_CTX *ctx;
SSL_METHOD *method; /*< SSLv2/3 or TLSv1/2 methods SSL_METHOD *method; /*< SSLv3 or TLS1.0/1.1/1.2 methods
* see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */ * see: https://www.openssl.org/docs/ssl/SSL_CTX_new.html */
int ssl_cert_verify_depth; /*< SSL certificate verification depth */ int ssl_cert_verify_depth; /*< SSL certificate verification depth */
int ssl_method_type; /*< Which of the SSLv2/3 or TLS1.0/1.1/1.2 methods to use */ int ssl_method_type; /*< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */
char* ssl_cert; /*< SSL certificate */ char* ssl_cert; /*< SSL certificate */
char* ssl_key; /*< SSL private key */ char* ssl_key; /*< SSL private key */
char* ssl_ca_cert; /*< SSL CA certificate */ char* ssl_ca_cert; /*< SSL CA certificate */
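Review bot: Removing `SERVICE_SSLV2` from the front of the anonymous enum renumbers every remaining constant, so `SERVICE_SSLV3` is now 0 and a zero-initialised `ssl_method_type` means the weakest protocol still accepted. How `SERVICE` is initialised is not visible here, so this matters only if the field can be left at zero or the values are stored or compared as raw integers; assigning the intended default explicitly where the service is allocated would make it independent of enumerator order. Separately, the rewritten member comments open with `/*<`, which Doxygen does not treat as a member comment, while the `next` member just above uses `/**<`; for example `int ssl_method_type; /**< Which of the SSLv3 or TLS1.0/1.1/1.2 methods to use */`. The enum and the struct both continue outside the hunks.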