BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0

In bug #676, it was reported that ssl-min-ver SSLv3 does not work in
Amazon environments with OpenSSL 1.0.2.

The reason for this is a patch of Amazon OpenSSL which sets
SSL_OP_NO_SSLv3 in SSL_CTX_new(). Which is kind of a problem with our
implementation of ssl-{min,max}-ver in old openSSL versions, because it
does not try to clear existing version flags.

This patch fixes the bug by cleaning versions flags known by HAProxy in
the SSL_CTX before applying the right ones.

Should be backported as far as 1.8.

(cherry picked from commit d0712f3873546a0c24f3204ad75dd7eacd689602)
[wla: context edit]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 565aeab..adf06dd 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4520,9 +4520,15 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
        if (min == max)
                methodVersions[min].ctx_set_version(ctx, SET_SERVER);
        else
-               for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
+               for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) {
+                       /* clear every version flags in case SSL_CTX_new()
+                        * returns an SSL_CTX with disabled versions */
+                       SSL_CTX_clear_options(ctx, methodVersions[i].option);
+
                        if (flags & methodVersions[i].flag)
                                options |= methodVersions[i].option;
+
+               }
 #else   /* openssl >= 1.1.0 */
        /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
         methodVersions[min].ctx_set_version(ctx, SET_MIN);