openssl allow set clear of ssl options from info

Andy Green 2016-06-10 08:37:26 +08:00
parent d13c1471c1
commit 1ec8ba893a
4 changed files with 40 additions and 0 deletions


@ -210,6 +210,23 @@ Other vhost options
- "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost - "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost
- "`ssl-option-set`": "<decimal>" Sets the SSL option flag value for the vhost.
It may be used multiple times and OR's the flags together.
The values are derived from /usr/include/openssl/ssl.h
```
# define SSL_OP_NO_TLSv1_1 0x10000000L
```
would equate to
```
"`ssl-option-set`": "268435456"
```
- "`ssl-option-clear'": "<decimal>" Clears the SSL option flag value for the vhost.
It may be used multiple times and OR's the flags together.
Mounts Mounts
------ ------


@ -76,6 +76,8 @@ static const char * const paths_vhosts[] = {
"vhosts[].ecdh-curve", "vhosts[].ecdh-curve",
"vhosts[].noipv6", "vhosts[].noipv6",
"vhosts[].ipv6only", "vhosts[].ipv6only",
"vhosts[].ssl-option-set",
"vhosts[].ssl-option-clear",
}; };
enum lejp_vhost_paths { enum lejp_vhost_paths {
@ -109,6 +111,8 @@ enum lejp_vhost_paths {
LEJPVP_ECDH_CURVE, LEJPVP_ECDH_CURVE,
LEJPVP_NOIPV6, LEJPVP_NOIPV6,
LEJPVP_IPV6ONLY, LEJPVP_IPV6ONLY,
LEJPVP_SSL_OPTION_SET,
LEJPVP_SSL_OPTION_CLEAR,
}; };
#define MAX_PLUGIN_DIRS 10 #define MAX_PLUGIN_DIRS 10
@ -493,6 +497,13 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE); a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
return 0; return 0;
case LEJPVP_SSL_OPTION_SET:
a->info->ssl_options_set |= atol(ctx->buf);
return 0;
case LEJPVP_SSL_OPTION_CLEAR:
a->info->ssl_options_clear |= atol(ctx->buf);
return 0;
default: default:
return 0; return 0;
} }
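Review bot: The `atol(ctx->buf)` calls in the two new cases accept malformed configuration silently: a value that is not a plain decimal (for example a pasted `0x10000000`, which the documentation's own example invites) parses as 0 or as a numeric prefix, and an out-of-range value is undefined behaviour for atol(), so a mistyped vhost option results in the wrong TLS option bits with no diagnostic. Since these bits directly control protocol and cipher hardening, the parse should use strtoul() with an end-pointer and ERANGE check and reject anything not fully consumed; a small static helper keeps the two cases identical (it needs `<errno.h>` and assumes, as for lejp generally, that a nonzero callback return fails the parse — confirm). lejp_vhosts_cb() begins outside this hunk.
```c
/* Parse a decimal SSL_OP_* bitmask from a vhost option and OR it into *out.
 * Returns 0 on success, -1 (after logging) if the text is not a whole,
 * in-range decimal number. */
static int
lejp_parse_ssl_option(const char *s, long *out)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 10);
	if (end == s || *end || errno == ERANGE) {
		lwsl_err("bad ssl option value '%s'\n", s);
		return -1;
	}
	*out |= (long)v;

	return 0;
}

/* … unchanged: lejp_vhosts_cb() up to the ipv6only case … */
	case LEJPVP_SSL_OPTION_SET:
		return lejp_parse_ssl_option(ctx->buf, &a->info->ssl_options_set);
	case LEJPVP_SSL_OPTION_CLEAR:
		return lejp_parse_ssl_option(ctx->buf, &a->info->ssl_options_clear);
```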


@ -1561,6 +1561,8 @@ struct lws_http_mount {
* is nonzero, this will be used in place of the default. It's * is nonzero, this will be used in place of the default. It's
* like this for compatibility with the original short version, * like this for compatibility with the original short version,
* this is unsigned int length. * this is unsigned int length.
* @ssl_options_set: VHOST: Any bits set here will be set as SSL options
* @ssl_options_clear: VHOST: Any bits set here will be cleared as SSL options
*/ */
struct lws_context_creation_info { struct lws_context_creation_info {
@ -1605,6 +1607,8 @@ struct lws_context_creation_info {
const char *server_string; /* context */ const char *server_string; /* context */
unsigned int pt_serv_buf_size; /* context */ unsigned int pt_serv_buf_size; /* context */
unsigned int max_http_header_data2; /* context */ unsigned int max_http_header_data2; /* context */
long ssl_options_set; /* VH */
long ssl_options_clear; /* VH */
/* Add new things just above here ---^ /* Add new things just above here ---^
* This is part of the ABI, don't needlessly break compatibility * This is part of the ABI, don't needlessly break compatibility
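Review bot: The new field documentation does not tell the API user what these values are or how the two interact, which matters because they are applied to the vhost's SSL_CTX unchecked. I would state that they are OpenSSL `SSL_OP_*` bit values and document the precedence the implementation gives them, e.g. `@ssl_options_set: VHOST: OpenSSL SSL_OP_* bits to OR into the vhost SSL_CTX options (SSL_CTX_set_options())` and `@ssl_options_clear: VHOST: OpenSSL SSL_OP_* bits to clear (SSL_CTX_clear_options()); applied after ssl_options_set, so a bit present in both ends up cleared`. A one-line caveat that clearing bits can undo the library's protocol-hardening defaults, and so should be used deliberately, would also help operators who reach for this knob. The `long` type presumably mirrors the options type of the OpenSSL version in use at the time; worth a comment if that is intentional. The struct definition continues outside this hunk.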


@ -390,6 +390,14 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
/* Normally SSL listener rejects non-ssl, optionally allow */ /* Normally SSL listener rejects non-ssl, optionally allow */
vhost->allow_non_ssl_on_ssl_port = 1; vhost->allow_non_ssl_on_ssl_port = 1;
if (info->ssl_options_set)
SSL_CTX_set_options(vhost->ssl_ctx, info->ssl_options_set);
if (info->ssl_options_clear)
SSL_CTX_clear_options(vhost->ssl_ctx, info->ssl_options_clear);
lwsl_info(" SSL options 0x%X\n",
SSL_CTX_get_options(vhost->ssl_ctx));
if (vhost->use_ssl) { if (vhost->use_ssl) {
/* openssl init for server sockets */ /* openssl init for server sockets */
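Review bot: The new `lwsl_info(" SSL options 0x%X\n", SSL_CTX_get_options(vhost->ssl_ctx))` passes a `long` (OpenSSL's options type for this era) to a `%X` conversion that expects `unsigned int`, which is a format/argument mismatch (undefined behaviour in standard C and a silently truncated value on 64-bit builds); use `lwsl_info(" SSL options 0x%lX\n", (unsigned long)SSL_CTX_get_options(vhost->ssl_ctx));`. Because `ssl_options_clear` can remove hardening bits the library itself presumably sets earlier in this function (protocol version exclusions and the like), I would also log a non-zero clear mask at notice or warn level rather than info, so an operator sees that defaults were overridden. The three new calls sit before the `if (vhost->use_ssl)` guard that protects the existing code below; if `vhost->ssl_ctx` can still be NULL at this point for a non-SSL vhost they dereference it unconditionally — confirm against the earlier part of lws_context_init_server_ssl(), which starts outside this hunk.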