authorKevin Lin <developer@kevinlin.info>2021-05-31 13:33:48 -0700
committerdormando <dormando@rydia.net>2021-09-27 12:54:20 -0700
commit3a8ca319b35a3b3533b1f1ca55e904cfcb71962c (patch)
tree6a61bc3c9481e8fcbc4d6e3314613cccb63c06cc /tls.c
parentf8a55c4731ab38b8c1a88cb7bf10fadc209fd78f (diff)
downloadmemcached-3a8ca319b35a3b3533b1f1ca55e904cfcb71962c.tar.gz
Configurable minimum supported TLS protocol version
`-o ssl_min_version` can be used to configure the server to only accept handshakes from clients with a minimum TLS protocol version. Currently supported options are TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3 (OpenSSL 1.1.1+ only).
Diffstat (limited to 'tls.c')
-rw-r--r--tls.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/tls.c b/tls.c
index df42308..dcd7435 100644
--- a/tls.c
+++ b/tls.c
@@ -177,13 +177,12 @@ static bool load_server_certificates(char **errmsg) {
*/
int ssl_init(void) {
assert(settings.ssl_enabled);
+
// SSL context for the process. All connections will share one
// process level context.
settings.ssl_ctx = SSL_CTX_new(TLS_server_method());
- // Clients should use at least TLSv1.2
- int flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
- SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
- SSL_CTX_set_options(settings.ssl_ctx, flags);
+
+ SSL_CTX_set_min_proto_version(settings.ssl_ctx, settings.ssl_min_version);
// The server certificate, private key and validations.
char *error_msg;
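Review bot: The result of `SSL_CTX_set_min_proto_version` on the line that replaces the old option mask is discarded; OpenSSL returns 0 when the requested version cannot be applied (for instance a version the linked library was built without), and the context would then silently keep the library's default floor rather than the one the operator asked for, whereas the removed code pinned the floor unconditionally. Suggest checking it and failing the same way ssl_init already fails for a bad certificate, e.g. `if (!SSL_CTX_set_min_proto_version(settings.ssl_ctx, settings.ssl_min_version)) { /* report and return the function's error value */ }`. A short comment above the call, such as `// Floor the accepted protocol version; SSLv2/v3 are excluded implicitly since the minimum is always a TLS version`, would also preserve the intent the deleted comment carried. The body of ssl_init continues past the end of this hunk, and the unchecked `SSL_CTX_new` result is pre-existing.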
@@ -249,4 +248,21 @@ int ssl_new_session_callback(SSL *s, SSL_SESSION *sess) {
bool refresh_certs(char **errmsg) {
return load_server_certificates(errmsg);
}
+
+const char *ssl_proto_text(int version) {
+ switch (version) {
+ case TLS1_VERSION:
+ return "tlsv1.0";
+ case TLS1_1_VERSION:
+ return "tlsv1.1";
+ case TLS1_2_VERSION:
+ return "tlsv1.2";
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ case TLS1_3_VERSION:
+ return "tlsv1.3";
+#endif
+ default:
+ return "unknown";
+ }
+}
#endif
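Review bot: `ssl_proto_text` is a new public function with no header comment describing its contract, and "unknown" is returned for any value outside the handled set, including a legitimately configured 0 if the settings code ever uses it to mean "library default". Suggest adding above the definition `/* Map an OpenSSL TLS*_VERSION constant to its ssl_min_version option text; returns "unknown" for any other value. */`, noting in it that the TLS 1.3 case is compiled only against OpenSSL 1.1.1 or newer so callers reporting the configured minimum should expect "unknown" on older builds. The strings presumably mirror the values accepted by the `ssl_min_version` option parser elsewhere in the tree; if so, a comment pointing at that parser would keep the two tables in sync.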