diff --git a/README.lwsws.md b/README.lwsws.md
index dea7411f..b22853ef 100644
--- a/README.lwsws.md
+++ b/README.lwsws.md
@@ -210,6 +210,23 @@ Other vhost options - "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost + - "`ssl-option-set`": "" Sets the SSL option flag value for the vhost. + It may be used multiple times and OR's the flags together. + + The values are derived from /usr/include/openssl/ssl.h + + ``` + # define SSL_OP_NO_TLSv1_1 0x10000000L + ``` + + would equate to + + ``` + "`ssl-option-set`": "268435456" + ``` + + - "`ssl-option-clear'": "" Clears the SSL option flag value for the vhost. + It may be used multiple times and OR's the flags together. Mounts ------
diff --git a/lib/lejp-conf.c b/lib/lejp-conf.c
index 31b03be9..1ac84ef1 100644
--- a/lib/lejp-conf.c
+++ b/lib/lejp-conf.c
@@ -76,6 +76,8 @@ static const char * const paths_vhosts[] = {
 	"vhosts[].ecdh-curve",
 	"vhosts[].noipv6",
 	"vhosts[].ipv6only",
+	"vhosts[].ssl-option-set",
+	"vhosts[].ssl-option-clear",
 };
 
 enum lejp_vhost_paths {
@@ -109,6 +111,8 @@ enum lejp_vhost_paths {
 	LEJPVP_ECDH_CURVE,
 	LEJPVP_NOIPV6,
 	LEJPVP_IPV6ONLY,
+	LEJPVP_SSL_OPTION_SET,
+	LEJPVP_SSL_OPTION_CLEAR,
 };
 
 #define MAX_PLUGIN_DIRS 10
@@ -493,6 +497,13 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 		a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
 		return 0;
 
+	case LEJPVP_SSL_OPTION_SET:
+		a->info->ssl_options_set |= atol(ctx->buf);
+		return 0;
+	case LEJPVP_SSL_OPTION_CLEAR:
+		a->info->ssl_options_clear |= atol(ctx->buf);
+		return 0;
+
 	default:
 		return 0;
 	}
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index dcb3e642..254d5721 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
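Review bot: `atol(ctx->buf)` in the two new cases of lejp_vhosts_cb accepts any string and reports no error, so a mistyped value such as `"0x10000000"` silently becomes 0 and the option the operator meant to set or clear (for example a TLS-version restriction) never reaches the SSL_CTX, while an out-of-range value is undefined behaviour for atol. Parse with `strtol`, check `end == s || *end || errno == ERANGE`, log the bad value and return nonzero so the vhost config is rejected instead of starting with a hardening knob silently ignored; this needs `<errno.h>` in scope and a `long v;` at the top of lejp_vhosts_cb. I presume a nonzero callback return makes lejp abort the parse, as the other error paths in this file appear to rely on — confirm against lejp's callback contract. lejp_vhosts_cb's body begins and ends outside the hunk.
```c
/* Decimal SSL_OP_* mask from the config; -1 if it is not a clean number. */
static int
lejp_parse_ssl_opts(const char *s, long *out)
{
	char *end;

	errno = 0;
	*out = strtol(s, &end, 10);
	if (end == s || *end || errno == ERANGE)
		return -1;

	return 0;
}

	/* … unchanged: earlier cases of lejp_vhosts_cb … */
	case LEJPVP_SSL_OPTION_SET:
		if (lejp_parse_ssl_opts(ctx->buf, &v)) {
			lwsl_err("vhost ssl-option-set: bad value '%s'\n", ctx->buf);
			return -1;
		}
		a->info->ssl_options_set |= v;
		return 0;
	case LEJPVP_SSL_OPTION_CLEAR:
		if (lejp_parse_ssl_opts(ctx->buf, &v)) {
			lwsl_err("vhost ssl-option-clear: bad value '%s'\n", ctx->buf);
			return -1;
		}
		a->info->ssl_options_clear |= v;
		return 0;
```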
@@ -1561,6 +1561,8 @@ struct lws_http_mount {
  * is nonzero, this will be used in place of the default. It's
  * like this for compatibility with the original short version,
  * this is unsigned int length.
+ * @ssl_options_set: VHOST: Any bits set here will be set as SSL options
+ * @ssl_options_clear: VHOST: Any bits set here will be cleared as SSL options
  */
 
 struct lws_context_creation_info {
@@ -1605,6 +1607,8 @@ struct lws_context_creation_info {
 	const char *server_string;	/* context */
 	unsigned int pt_serv_buf_size;	/* context */
 	unsigned int max_http_header_data2; /* context */
+	long ssl_options_set;	/* VH */
+	long ssl_options_clear;	/* VH */
 
 	/* Add new things just above here ---^
 	 * This is part of the ABI, don't needlessly break compatibility
diff --git a/lib/ssl-server.c b/lib/ssl-server.c
index 762911f7..b1e21741 100644
--- a/lib/ssl-server.c
+++ b/lib/ssl-server.c
@@ -390,6 +390,14 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 	/* Normally SSL listener rejects non-ssl, optionally allow */
 	vhost->allow_non_ssl_on_ssl_port = 1;
 
+	if (info->ssl_options_set)
+		SSL_CTX_set_options(vhost->ssl_ctx, info->ssl_options_set);
+	if (info->ssl_options_clear)
+		SSL_CTX_clear_options(vhost->ssl_ctx, info->ssl_options_clear);
+
+	lwsl_info(" SSL options 0x%X\n", SSL_CTX_get_options(vhost->ssl_ctx));
+
 	if (vhost->use_ssl) {
 		/* openssl init for server sockets */
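Review bot: The new `@ssl_options_set` / `@ssl_options_clear` lines say "SSL options" without saying what the bits are or how the two fields interact, so a reader of the public header cannot tell that these are raw OpenSSL `SSL_OP_*` masks handed to SSL_CTX_set_options()/SSL_CTX_clear_options(), nor that clear is applied after set so a bit present in both ends up cleared (that is the order in this commit's ssl-server.c hunk). Suggest `@ssl_options_set: VHOST: OpenSSL SSL_OP_* bits to OR into the vhost SSL_CTX options (via SSL_CTX_set_options)` and `@ssl_options_clear: VHOST: OpenSSL SSL_OP_* bits to clear from the vhost SSL_CTX options; applied after ssl_options_set, so it wins for overlapping bits`. The `long` type chosen in the @@ -1605 hunk mirrors the OpenSSL 1.x prototype; a comment there saying so would stop someone narrowing it later without also revisiting the decimal parser in lejp-conf.c.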
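Review bot: The three new SSL_CTX_* calls run before the `if (vhost->use_ssl)` block, and in this function vhost->ssl_ctx appears to be created by SSL_CTX_new() inside that block (outside the hunk) — if that is the case, every vhost, TLS or not, reaches SSL_CTX_set_options()/SSL_CTX_get_options() here with a NULL context; please confirm where ssl_ctx is assigned and move the three statements after it, inside the use_ssl branch. Independently, `lwsl_info(" SSL options 0x%X\n", SSL_CTX_get_options(vhost->ssl_ctx))` hands a value that is `long` in the OpenSSL 1.x API to `%X`, which expects unsigned int and misprints or is undefined on LP64; use `lwsl_info(" SSL options 0x%lX\n", (unsigned long)SSL_CTX_get_options(vhost->ssl_ctx));`. Keep the log line once it is correct: it is the one place an operator can verify from the startup log that a requested TLS restriction actually took effect. lws_context_init_server_ssl's body begins and ends outside the hunk.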