158 listener->nacceptors = conf->nacceptors; |
158 listener->nacceptors = conf->nacceptors; |
159 listener->port = conf->port; |
159 listener->port = conf->port; |
160 listener->ref = 1; |
160 listener->ref = 1; |
161 listener->next = NULL; |
161 listener->next = NULL; |
162 listener->ssl = NULL; |
162 listener->ssl = NULL; |
|
163 |
|
164 int error = 0; |
|
165 |
163 if(conf->ssl) { |
166 if(conf->ssl) { |
164 listener->ssl = malloc(sizeof(HttpSSL)); |
167 listener->ssl = malloc(sizeof(HttpSSL)); |
165 |
168 |
166 SSL_CTX *ctx = SSL_CTX_new( SSLv23_server_method()); |
169 SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method()); |
167 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); |
170 SSL_CTX_set_options( |
168 |
171 ctx, |
|
172 SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv3); |
|
173 if(conf->disable_proto.ptr) { |
|
174 ssize_t n = 0; |
|
175 sstr_t *plist = sstrsplit(conf->disable_proto, S(","), &n); |
|
176 if(plist) { |
|
177 for(int i=0;i<n;i++) { |
|
178 sstr_t proto = plist[i]; |
|
179 log_ereport( |
|
180 LOG_VERBOSE, |
|
181 "Listener %s: Disable protocol %s", |
|
182 listener->name.ptr, |
|
183 proto.ptr); |
|
184 if(!sstrcasecmp(sstrtrim(proto), S("SSLv2"))) { |
|
185 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); |
|
186 } else if(!sstrcasecmp(sstrtrim(proto), S("SSLv3"))) { |
|
187 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); |
|
188 } else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1"))) { |
|
189 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); |
|
190 } else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1.1"))) { |
|
191 #ifdef SSL_OP_NO_TLSv1_1 |
|
192 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1); |
|
193 #else |
|
194 log_ereport( |
|
195 LOG_WARN, |
|
196 "Listener: %s: TLSv1.1 already not supported", |
|
197 listener->name.ptr); |
|
198 #endif |
|
199 } else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.2"))) { |
|
200 #ifdef SSL_OP_NO_TLSv1_2 |
|
201 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2); |
|
202 #else |
|
203 log_ereport( |
|
204 LOG_WARN, |
|
205 "Listener: %s: TLSv1.2 already not supported", |
|
206 listener->name.ptr); |
|
207 #endif |
|
208 } else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.3"))) { |
|
209 #ifdef SSL_OP_NO_TLSv1_3 |
|
210 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3); |
|
211 #else |
|
212 log_ereport( |
|
213 LOG_WARN, |
|
214 "Listener: %s: TLSv1.3 already not supported", |
|
215 listener->name.ptr); |
|
216 #endif |
|
217 } else { |
|
218 error = 1; |
|
219 log_ereport( |
|
220 LOG_MISCONFIG, |
|
221 "Listener: %s: Unknown protocol %s", |
|
222 listener->name.ptr, |
|
223 proto.ptr); |
|
224 } |
|
225 free(proto.ptr); |
|
226 } |
|
227 free(plist); |
|
228 } |
|
229 } |
|
230 |
|
231 if(error) { |
|
232 return NULL; |
|
233 } |
169 // TODO: cleanup on error |
234 // TODO: cleanup on error |
170 |
235 |
171 sstr_t file; |
236 sstr_t file; |
172 int ret; |
237 int ret; |
173 char errbuf[512]; |
238 char errbuf[512]; |