openssl allow set clear of ssl options from info
This commit is contained in:
parent
d13c1471c1
commit
1ec8ba893a
4 changed files with 40 additions and 0 deletions
|
@ -210,6 +210,23 @@ Other vhost options
|
||||||
|
|
||||||
- "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost
|
- "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost
|
||||||
|
|
||||||
|
- "`ssl-option-set`": "<decimal>" Sets the SSL option flag value for the vhost.
|
||||||
|
It may be used multiple times and OR's the flags together.
|
||||||
|
|
||||||
|
The values are derived from /usr/include/openssl/ssl.h
|
||||||
|
|
||||||
|
```
|
||||||
|
# define SSL_OP_NO_TLSv1_1 0x10000000L
|
||||||
|
```
|
||||||
|
|
||||||
|
would equate to
|
||||||
|
|
||||||
|
```
|
||||||
|
"`ssl-option-set`": "268435456"
|
||||||
|
```
|
||||||
|
|
||||||
|
- "`ssl-option-clear'": "<decimal>" Clears the SSL option flag value for the vhost.
|
||||||
|
It may be used multiple times and OR's the flags together.
|
||||||
|
|
||||||
Mounts
|
Mounts
|
||||||
------
|
------
|
||||||
|
|
|
@ -76,6 +76,8 @@ static const char * const paths_vhosts[] = {
|
||||||
"vhosts[].ecdh-curve",
|
"vhosts[].ecdh-curve",
|
||||||
"vhosts[].noipv6",
|
"vhosts[].noipv6",
|
||||||
"vhosts[].ipv6only",
|
"vhosts[].ipv6only",
|
||||||
|
"vhosts[].ssl-option-set",
|
||||||
|
"vhosts[].ssl-option-clear",
|
||||||
};
|
};
|
||||||
|
|
||||||
enum lejp_vhost_paths {
|
enum lejp_vhost_paths {
|
||||||
|
@ -109,6 +111,8 @@ enum lejp_vhost_paths {
|
||||||
LEJPVP_ECDH_CURVE,
|
LEJPVP_ECDH_CURVE,
|
||||||
LEJPVP_NOIPV6,
|
LEJPVP_NOIPV6,
|
||||||
LEJPVP_IPV6ONLY,
|
LEJPVP_IPV6ONLY,
|
||||||
|
LEJPVP_SSL_OPTION_SET,
|
||||||
|
LEJPVP_SSL_OPTION_CLEAR,
|
||||||
};
|
};
|
||||||
|
|
||||||
#define MAX_PLUGIN_DIRS 10
|
#define MAX_PLUGIN_DIRS 10
|
||||||
|
@ -493,6 +497,13 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
|
||||||
a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
|
a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
case LEJPVP_SSL_OPTION_SET:
|
||||||
|
a->info->ssl_options_set |= atol(ctx->buf);
|
||||||
|
return 0;
|
||||||
|
case LEJPVP_SSL_OPTION_CLEAR:
|
||||||
|
a->info->ssl_options_clear |= atol(ctx->buf);
|
||||||
|
return 0;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
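Review bot: `atol(ctx->buf)` in the two new cases accepts anything and yields 0 on junk, so a value written as `0x10000000` (the form the README quotes from ssl.h), a stray suffix, or an out-of-range number silently contributes no bits — for a hardening flag such as SSL_OP_NO_TLSv1_1 the operator then believes a protocol is disabled when it is not, and nothing in this hunk logs it. atol is also undefined on overflow and a negative input would be sign-extended into the mask when OR'd in. I'd parse with strtoul(..., 0) so both decimal and 0x forms work, reject trailing garbage and ERANGE, and fail the config load with an lwsl_err; I'm assuming a nonzero return from lejp_vhosts_cb aborts parsing, which the rest of the file (outside this hunk) should confirm. The sketch below needs `long opt;` among lejp_vhosts_cb's locals and `<errno.h>`/`<limits.h>` if the file does not already include them; lejp_vhosts_cb itself starts outside the hunk.
```c
/* Parse one ssl-option-set / ssl-option-clear word: decimal as documented,
 * or the 0x... form seen in openssl/ssl.h.  Returns 0 on success. */
static int
lejp_parse_ssl_option(const char *s, long *out)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 0);
	if (end == s || *end || errno == ERANGE || v > LONG_MAX)
		return -1;
	*out = (long)v;
	return 0;
}

/* … unchanged: lejp_vhosts_cb up to and including the IPV6ONLY case … */
	case LEJPVP_SSL_OPTION_SET:
		if (lejp_parse_ssl_option(ctx->buf, &opt)) {
			lwsl_err("bad ssl-option-set value '%s'\n", ctx->buf);
			return -1;
		}
		a->info->ssl_options_set |= opt;
		return 0;
	case LEJPVP_SSL_OPTION_CLEAR:
		if (lejp_parse_ssl_option(ctx->buf, &opt)) {
			lwsl_err("bad ssl-option-clear value '%s'\n", ctx->buf);
			return -1;
		}
		a->info->ssl_options_clear |= opt;
		return 0;
```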
@ -1561,6 +1561,8 @@ struct lws_http_mount {
|
||||||
* is nonzero, this will be used in place of the default. It's
|
* is nonzero, this will be used in place of the default. It's
|
||||||
* like this for compatibility with the original short version,
|
* like this for compatibility with the original short version,
|
||||||
* this is unsigned int length.
|
* this is unsigned int length.
|
||||||
|
* @ssl_options_set: VHOST: Any bits set here will be set as SSL options
|
||||||
|
* @ssl_options_clear: VHOST: Any bits set here will be cleared as SSL options
|
||||||
*/
|
*/
|
||||||
|
|
||||||
struct lws_context_creation_info {
|
struct lws_context_creation_info {
|
||||||
|
@ -1605,6 +1607,8 @@ struct lws_context_creation_info {
|
||||||
const char *server_string; /* context */
|
const char *server_string; /* context */
|
||||||
unsigned int pt_serv_buf_size; /* context */
|
unsigned int pt_serv_buf_size; /* context */
|
||||||
unsigned int max_http_header_data2; /* context */
|
unsigned int max_http_header_data2; /* context */
|
||||||
|
long ssl_options_set; /* VH */
|
||||||
|
long ssl_options_clear; /* VH */
|
||||||
|
|
||||||
/* Add new things just above here ---^
|
/* Add new things just above here ---^
|
||||||
* This is part of the ABI, don't needlessly break compatibility
|
* This is part of the ABI, don't needlessly break compatibility
|
||||||
|
|
|
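Review bot: The new `@ssl_options_set` / `@ssl_options_clear` comments don't say what the bits are or how the two interact, and the ssl-server.c hunk applies set first and clear second, so a bit present in both ends up cleared. I'd write them as `* @ssl_options_set: VHOST: OpenSSL SSL_OP_* bits to OR into the vhost SSL_CTX (SSL_CTX_set_options)` and `* @ssl_options_clear: VHOST: OpenSSL SSL_OP_* bits to clear (SSL_CTX_clear_options); applied after ssl_options_set, so a bit in both is cleared`. Separately, OpenSSL 1.1.0 made the option mask `unsigned long`; declaring these fields `long` means bit 31 on 32-bit targets is only representable as a negative value and gets sign-extended when OR'd in, whereas `unsigned long` has the same size and so does not disturb the ABI note below. struct lws_context_creation_info continues outside the hunk.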
@ -390,6 +390,14 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
|
||||||
/* Normally SSL listener rejects non-ssl, optionally allow */
|
/* Normally SSL listener rejects non-ssl, optionally allow */
|
||||||
vhost->allow_non_ssl_on_ssl_port = 1;
|
vhost->allow_non_ssl_on_ssl_port = 1;
|
||||||
|
|
||||||
|
if (info->ssl_options_set)
|
||||||
|
SSL_CTX_set_options(vhost->ssl_ctx, info->ssl_options_set);
|
||||||
|
if (info->ssl_options_clear)
|
||||||
|
SSL_CTX_clear_options(vhost->ssl_ctx, info->ssl_options_clear);
|
||||||
|
|
||||||
|
lwsl_info(" SSL options 0x%X\n",
|
||||||
|
SSL_CTX_get_options(vhost->ssl_ctx));
|
||||||
|
|
||||||
if (vhost->use_ssl) {
|
if (vhost->use_ssl) {
|
||||||
/* openssl init for server sockets */
|
/* openssl init for server sockets */
|
||||||
|
|
||||||
|
|
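Review bot: The `0x%X` in the new `lwsl_info` line is given the return of `SSL_CTX_get_options()`, which is a `long` (`unsigned long` from OpenSSL 1.1.0) rather than the `unsigned int` that `%X` requires; a format/argument mismatch is undefined behaviour and on LP64 builds the printed mask is at best truncated to its low 32 bits. Since this is exactly the value an operator will compare against what they configured, it should print the full mask: `lwsl_info(" SSL options 0x%lX\n", (unsigned long)SSL_CTX_get_options(vhost->ssl_ctx));`. The set/clear calls sit before `if (vhost->use_ssl)`, so they run for every vhost that reaches this point; that is fine only if `vhost->ssl_ctx` is always created earlier in the function, which is outside the hunk and worth confirming. lws_context_init_server_ssl starts and ends outside the hunk.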