openssl allow set clear of ssl options from info

2016-06-10 08:37:26 +08:00 · 2016-06-10 08:37:26 +08:00 · 1ec8ba893a
commit 1ec8ba893a
parent d13c1471c1
4 changed files with 40 additions and 0 deletions
--- a/README.lwsws.md
+++ b/README.lwsws.md
@ -210,6 +210,23 @@ Other vhost options

 - "`ipv6only`": "on"  Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost

+ - "`ssl-option-set`": "<decimal>"  Sets the SSL option flag value for the vhost.
+ It may be used multiple times and OR's the flags together.
+ 
+ The values are derived from /usr/include/openssl/ssl.h
+ 
+ ```
+ # define SSL_OP_NO_TLSv1_1                               0x10000000L
+ ```
+ 
+ would equate to
+ 
+ ```
+ "`ssl-option-set`": "268435456"
+ ```
+ 
+ - "`ssl-option-clear'": "<decimal>"   Clears the SSL option flag value for the vhost.
+ It may be used multiple times and OR's the flags together.

 Mounts
 ------
--- a/lib/lejp-conf.c
+++ b/lib/lejp-conf.c
@ -76,6 +76,8 @@ static const char * const paths_vhosts[] = {
 	"vhosts[].ecdh-curve",
 	"vhosts[].noipv6",
 	"vhosts[].ipv6only",
+	"vhosts[].ssl-option-set",
+	"vhosts[].ssl-option-clear",
 };

 enum lejp_vhost_paths {
@ -109,6 +111,8 @@ enum lejp_vhost_paths {
 	LEJPVP_ECDH_CURVE,
 	LEJPVP_NOIPV6,
 	LEJPVP_IPV6ONLY,
+	LEJPVP_SSL_OPTION_SET,
+	LEJPVP_SSL_OPTION_CLEAR,
 };

 #define MAX_PLUGIN_DIRS 10
@ -493,6 +497,13 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 			a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
 		return 0;

+	case LEJPVP_SSL_OPTION_SET:
+		a->info->ssl_options_set |= atol(ctx->buf);
+		return 0;
+	case LEJPVP_SSL_OPTION_CLEAR:
+		a->info->ssl_options_clear |= atol(ctx->buf);
+		return 0;
+
 	default:
 		return 0;
 	}
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -1561,6 +1561,8 @@ struct lws_http_mount {
 *		is nonzero, this will be used in place of the default.  It's
 *		like this for compatibility with the original short version,
 *		this is unsigned int length.
+ * @ssl_options_set:  VHOST: Any bits set here will be set as SSL options
+ * @ssl_options_clear:  VHOST: Any bits set here will be cleared as SSL options
 */

 struct lws_context_creation_info {
@ -1605,6 +1607,8 @@ struct lws_context_creation_info {
 	const char *server_string;			/* context */
 	unsigned int pt_serv_buf_size;			/* context */
 	unsigned int max_http_header_data2;		/* context */
+	long ssl_options_set;				/* VH */
+	long ssl_options_clear;				/* VH */

 	/* Add new things just above here ---^
 	 * This is part of the ABI, don't needlessly break compatibility
--- a/lib/ssl-server.c
+++ b/lib/ssl-server.c
@ -390,6 +390,14 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 		/* Normally SSL listener rejects non-ssl, optionally allow */
 		vhost->allow_non_ssl_on_ssl_port = 1;

+	if (info->ssl_options_set)
+		SSL_CTX_set_options(vhost->ssl_ctx, info->ssl_options_set);
+	if (info->ssl_options_clear)
+		SSL_CTX_clear_options(vhost->ssl_ctx, info->ssl_options_clear);
+
+	lwsl_info(" SSL options 0x%X\n",
+		    SSL_CTX_get_options(vhost->ssl_ctx));
+
 	if (vhost->use_ssl) {
 		/* openssl init for server sockets */