Merge branch '2.3' into 2.4

2019-11-28 08:05:44 +02:00
parent 218354081c 774e9bc3f0
commit c5ce940b12
2 changed files with 43 additions and 24 deletions
--- a/include/maxscale/ssl.hh
+++ b/include/maxscale/ssl.hh
@ -34,13 +34,10 @@ class MXS_CONFIG_PARAMETER;

 enum ssl_method_type_t
 {
-#ifndef OPENSSL_1_1
    SERVICE_TLS10,
-#endif
-#ifdef OPENSSL_1_0
    SERVICE_TLS11,
    SERVICE_TLS12,
-#endif
+    SERVICE_TLS13,
    SERVICE_SSL_MAX,
    SERVICE_TLS_MAX,
    SERVICE_SSL_TLS_MAX,
--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@ -41,13 +41,10 @@ static RSA* rsa_1024 = NULL;
 const MXS_ENUM_VALUE ssl_version_values[] =
 {
    {"MAX",    SERVICE_SSL_TLS_MAX},
-#ifndef OPENSSL_1_1
    {"TLSv10", SERVICE_TLS10      },
-#endif
-#ifdef OPENSSL_1_0
    {"TLSv11", SERVICE_TLS11      },
    {"TLSv12", SERVICE_TLS12      },
-#endif
+    {"TLSv13", SERVICE_TLS13      },
    {NULL}
 };

@ -122,19 +119,18 @@ const char* ssl_method_type_to_string(ssl_method_type_t method_type)
 {
    switch (method_type)
    {
-#ifndef OPENSSL_1_1
    case SERVICE_TLS10:
-        return "TLSV10";
+        return "TLSv10";

-#endif
-#ifdef OPENSSL_1_0
    case SERVICE_TLS11:
-        return "TLSV11";
+        return "TLSv11";

    case SERVICE_TLS12:
-        return "TLSV12";
+        return "TLSv12";
+
+    case SERVICE_TLS13:
+        return "TLSv13";

-#endif
    case SERVICE_SSL_MAX:
    case SERVICE_TLS_MAX:
    case SERVICE_SSL_TLS_MAX:
@ -151,14 +147,10 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
    {
        return SERVICE_SSL_TLS_MAX;
    }
-
-#ifndef OPENSSL_1_1
    else if (strcasecmp("TLSV10", str) == 0)
    {
        return SERVICE_TLS10;
    }
-#endif
-#ifdef OPENSSL_1_0
    else if (strcasecmp("TLSV11", str) == 0)
    {
        return SERVICE_TLS11;
@ -167,8 +159,10 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
    {
        return SERVICE_TLS12;
    }
-#endif
-
+    else if (strcasecmp("TLSV13", str) == 0)
+    {
+        return SERVICE_TLS13;
+    }
    return SERVICE_SSL_UNKNOWN;
 }

@ -240,22 +234,43 @@ bool SSLContext::init()

    switch (m_cfg.version)
    {
-#ifndef OPENSSL_1_1
    case SERVICE_TLS10:
+#ifndef OPENSSL_1_1
        m_method = (SSL_METHOD*)TLSv1_method();
+#else
+        MXS_ERROR("TLSv1.0 is not supported on this system.");
+        return false;
+#endif
        break;

-#endif
-#ifdef OPENSSL_1_0
+
    case SERVICE_TLS11:
+#ifdef OPENSSL_1_0
        m_method = (SSL_METHOD*)TLSv1_1_method();
+#else
+        MXS_ERROR("TLSv1.1 is not supported on this system.");
+        return false;
+#endif
        break;

    case SERVICE_TLS12:
+#ifdef OPENSSL_1_0
        m_method = (SSL_METHOD*)TLSv1_2_method();
+#else
+        MXS_ERROR("TLSv1.2 is not supported on this system.");
+        return false;
+#endif
        break;

+    case SERVICE_TLS13:
+#ifdef OPENSSL_1_1
+        m_method = (SSL_METHOD*)TLS_method();
+#else
+        MXS_ERROR("TLSv1.3 is not supported on this system.");
+        return false;
 #endif
+        break;
+
    /** Rest of these use the maximum available SSL/TLS methods */
    case SERVICE_SSL_MAX:
        m_method = (SSL_METHOD*)SSLv23_method();
@ -290,6 +305,13 @@ bool SSLContext::init()
    /** Disable SSLv3 */
    SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv3);

+    if (m_cfg.version == SERVICE_TLS13)
+    {
+        // There is no TLSv1_3_method function as the TLSv1_X_method functions are deprecated in favor of
+        // disabling them via options.
+        SSL_CTX_set_options(m_ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
+    }
+
    // Disable session cache
    SSL_CTX_set_session_cache_mode(m_ctx, SSL_SESS_CACHE_OFF);