Changeset 2036
- Timestamp:
- 01/16/2008 12:47:37 AM (6 months ago)
- Files:
-
- trunk/NEWS (modified) (1 diff)
- trunk/src/base.h (modified) (3 diffs)
- trunk/src/configfile.c (modified) (5 diffs)
- trunk/src/network.c (modified) (1 diff)
trunk/NEWS
r2029 r2036 12 12 * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428) 13 13 * fix bug that rrdtool reports "0" for incoming data (#1514) 14 * ssl.cipher-list and ssl.use-sslv2 ported from 1.4.x (#1422) 14 15 15 16 - 1.5.0-r19.. - trunk/src/base.h
r1885 r2036 299 299 buffer *ssl_pemfile; 300 300 buffer *ssl_ca_file; 301 buffer *ssl_cipher_list; 302 unsigned short ssl_use_sslv2; 301 303 unsigned short use_ipv6; 302 304 unsigned short is_ssl; … … 306 308 307 309 unsigned short kbytes_per_second; /* connection kb/s limit */ 308 310 309 311 /* configside */ 310 312 unsigned short global_kbytes_per_second; /* */ … … 570 572 buffer *ssl_pemfile; 571 573 buffer *ssl_ca_file; 574 buffer *ssl_cipher_list; 575 unsigned short ssl_use_sslv2; 572 576 unsigned short use_ipv6; 573 577 unsigned short is_ssl; trunk/src/configfile.c
r1867 r2036 98 98 { "server.max-connection-idle", NULL, T_CONFIG_SHORT, T_CONFIG_SCOPE_CONNECTION }, /* 50 */ 99 99 { "debug.log-timing", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_SERVER }, /* 51 */ 100 { "ssl.cipher-list", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 52 */ 101 { "ssl.use-sslv2", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 53 */ 100 102 101 103 { "server.host", "use server.bind instead", T_CONFIG_DEPRECATED, T_CONFIG_SCOPE_UNSET }, … … 163 165 s->server_tag = buffer_init(); 164 166 s->errorfile_prefix = buffer_init(); 167 s->ssl_cipher_list = buffer_init(); 168 s->ssl_use_sslv2 = 0; 165 169 s->max_keep_alive_requests = 16; 166 170 s->max_keep_alive_idle = 5; … … 220 224 221 225 cv[50].destination = &(s->max_connection_idle); 226 cv[52].destination = s->ssl_cipher_list; 227 cv[53].destination = &(s->ssl_use_sslv2); 222 228 223 229 srv->config_storage[i] = s; … … 290 296 PATCH(ssl_pemfile); 291 297 PATCH(ssl_ca_file); 298 PATCH(ssl_cipher_list); 299 PATCH(ssl_use_sslv2); 292 300 return 0; 293 301 } … … 341 349 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.engine"))) { 342 350 PATCH(is_ssl); 351 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.cipher-list"))) { 352 PATCH(ssl_cipher_list); 353 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.use-sslv2"))) { 354 PATCH(ssl_use_sslv2); 343 355 #ifdef HAVE_LSTAT 344 356 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.follow-symlink"))) { trunk/src/network.c
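Review bot: The two new options in the table are given different scopes although the code treats them the same way: `ssl.cipher-list` is T_CONFIG_SCOPE_SERVER while `ssl.use-sslv2` on the next line is T_CONFIG_SCOPE_CONNECTION, yet both get a PATCH() in the per-connection patch hunks (lines 298-299 and 351-354) and both are consumed by the SSL_CTX setup in the network.c hunk, which appears to run when the listening socket is initialised rather than per connection. With CONNECTION scope a user can set ssl.use-sslv2 inside a conditional block where the value is never applied to the context; declaring both as `T_CONFIG_SCOPE_SERVER` would match what the code actually does, or the PATCH() lines should be dropped if the values are indeed only read at socket setup. Separately, `s->ssl_cipher_list = buffer_init();` in the init hunk has no matching buffer_free() anywhere in this changeset; if the specific_config teardown lives in a file outside the changeset (server.c, presumably), the release of ssl_cipher_list needs adding there alongside ssl_pemfile and ssl_ca_file.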
r2029 r2036 486 486 return -1; 487 487 } 488 488 489 if (!s->ssl_use_sslv2) { 490 /* disable SSLv2 */ 491 if (SSL_OP_NO_SSLv2 != SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2)) { 492 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 493 ERR_error_string(ERR_get_error(), NULL)); 494 return -1; 495 } 496 } 497 498 if (!buffer_is_empty(s->ssl_cipher_list)) { 499 if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) { 500 log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", 501 ERR_error_string(ERR_get_error(), NULL)); 502 return -1; 503 } 504 } 505 489 506 if (buffer_is_empty(s->ssl_pemfile)) { 490 507 log_error_write(srv, __FILE__, __LINE__, "s", "ssl.pemfile has to be set");
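Review bot: The success test for disabling SSLv2 is wrong: `SSL_CTX_set_options()` returns the complete option bitmask of the context after the OR, not just the bits passed in, so `SSL_OP_NO_SSLv2 != SSL_CTX_set_options(...)` is true whenever any other option is already set on the context, and the function then fails with an `ERR_error_string(ERR_get_error(), NULL)` that has nothing queued behind it. The check only passes today because no option has been set on a freshly created context before this point; any later `SSL_CTX_set_options` call placed earlier in the function would make every SSL socket fail to start. Test the bit instead: `if (!(SSL_OP_NO_SSLv2 & SSL_CTX_set_options(s->ssl_ctx, SSL_OP_NO_SSLv2))) {`. The cipher-list branch is fine as written (`SSL_CTX_set_cipher_list` returns 1 on success). The enclosing function starts and ends outside the hunk.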

