Default to only TLSv1.2 from now on.

Add configuration setting tls_version to specify if you
either want TLSv1.2 or TLSv1.0 or both.

The configuration options ssl_cipher and ssl_dhparam
have changed name to tls_cipher and tls_dhparam. There is
no fallback so you might have to update your configs.

conf/kore.conf.example

@@ -80,12 +80,19 @@ validator	v_regex		regex		^/test/[a-z]*$
 validator	v_number	regex		^[0-9]*$
 validator	v_session	function	v_session_validate
 
-# Specify the SSL ciphers that will be used.
-#ssl_cipher	ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA
+# Specify what TLS version to be used. Default is TLSv1.2
+# Allowed values:
+#	1.2 for TLSv1.2 (default)
+#	1.0 for TLSv1.0
+#	both for TLSv1.0 and TLSv1.2
+#tls_version	1.2
+
+# Specify the TLS ciphers that will be used.
+#tls_cipher	ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA
 
 # If you wish to use EDH / ECDH specify a file containing
 # a generated DH key (See OpenSSL dhparam).
-#ssl_dhparam	dh2048.pem
+#tls_dhparam	dh2048.pem
 
 # Specify the amount of seconds a SPDY connection is kept open.
 # You can keep it open indefinately by setting this to 0.

examples/cpp/conf/cpp.conf

@@ -2,7 +2,7 @@
 
 bind		127.0.0.1 8888
 load		./cpp.so
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 domain 127.0.0.1 {
 	certfile	cert/server.crt

examples/generic/conf/generic.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./generic.so		example_load
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 validator	v_example	function	v_example_func
 validator	v_regex		regex		^/test/[a-z]*$

examples/headers/conf/headers.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./headers.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 domain 127.0.0.1 {
 	certfile	cert/server.crt

examples/integers/conf/integers.conf

@@ -6,7 +6,7 @@ load		./integers.so
 workers			2
 worker_max_connections	5000
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 validator	v_id	regex	^-?[0-9]*$
 

examples/json_yajl/conf/json_yajl.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./json_yajl.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 domain 127.0.0.1 {
 	certfile	cert/server.crt

examples/ktunnel/conf/ktunnel.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./ktunnel.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 # Regexes here are incorrect.
 validator v_host regex		^.*$

examples/parameters/conf/parameters.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./parameters.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 # The validator used to validate the 'id' parameter
 # defined below. We'll use a simple regex to make sure

examples/pgsql/conf/pgsql.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./pgsql.so init
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 http_keepalive_time	0
 

examples/tasks/conf/tasks.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./tasks.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 validator	v_user		regex		^[a-z]*$
 

examples/video_stream/conf/video_stream.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./video_stream.so init
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 spdy_idle_time		600
 http_keepalive_time	600

examples/websocket/conf/websocket.conf

@@ -3,7 +3,7 @@
 bind		127.0.0.1 8888
 load		./websocket.so
 
-ssl_dhparam	dh2048.pem
+tls_dhparam	dh2048.pem
 
 websocket_maxframe	65536
 websocket_timeout	20

includes/kore.h

@@ -57,6 +57,10 @@ extern int daemon(int, int);
 #define KORE_VERSION_PATCH	3
 #define KORE_VERSION_STATE	"rc1"
 
+#define KORE_TLS_VERSION_1_2	0
+#define KORE_TLS_VERSION_1_0	1
+#define KORE_TLS_VERSION_BOTH	2
+
 #define errno_s			strerror(errno)
 #define ssl_errno_s		ERR_error_string(ERR_get_error(), NULL)
 
@@ -351,8 +355,9 @@ extern char	*chroot_path;
 extern char	*runas_user;
 extern char	*kore_pidfile;
 extern char	*config_file;
-extern char	*kore_ssl_cipher_list;
-extern DH	*ssl_dhparam;
+extern char	*kore_tls_cipher_list;
+extern int	tls_version;
+extern DH	*tls_dhparam;
 
 extern u_int8_t			nlisteners;
 extern u_int64_t		spdy_idle_time;
@@ -416,9 +421,9 @@ u_int64_t	kore_timer_run(u_int64_t);
 void		kore_timer_add(void (*cb)(u_int64_t, u_int64_t),
 		    u_int64_t, int);
 
-int		kore_ssl_sni_cb(SSL *, int *, void *);
+int		kore_tls_sni_cb(SSL *, int *, void *);
 int		kore_server_bind(const char *, const char *);
-int		kore_ssl_npn_cb(SSL *, const u_char **, unsigned int *, void *);
+int		kore_tls_npn_cb(SSL *, const u_char **, unsigned int *, void *);
 
 void			kore_connection_init(void);
 struct connection	*kore_connection_new(void *);

src/cli.c

@@ -161,7 +161,7 @@ static const char *config_data =
 	"bind\t\t127.0.0.1 8888\n"
 	"load\t\t./%s.so\n"
 #if !defined(KORE_BENCHMARK)
-	"ssl_dhparam\tdh2048.pem\n"
+	"tls_dhparam\tdh2048.pem\n"
 #endif
 	"\n"
 	"domain 127.0.0.1 {\n"

src/config.c

@@ -46,9 +46,9 @@ static int		configure_rlimit_nofiles(char **);
 static int		configure_max_connections(char **);
 static int		configure_accept_treshold(char **);
 static int		configure_set_affinity(char **);
-static int		configure_ssl_cipher(char **);
-static int		configure_ssl_dhparam(char **);
-static int		configure_ssl_no_compression(char **);
+static int		configure_tls_version(char **);
+static int		configure_tls_cipher(char **);
+static int		configure_tls_dhparam(char **);
 static int		configure_spdy_idle_time(char **);
 static int		configure_http_header_max(char **);
 static int		configure_http_body_max(char **);
@@ -84,9 +84,9 @@ static struct {
 	{ "load",			configure_load },
 	{ "static",			configure_handler },
 	{ "dynamic",			configure_handler },
-	{ "ssl_cipher",			configure_ssl_cipher },
-	{ "ssl_dhparam",		configure_ssl_dhparam },
-	{ "ssl_no_compression",		configure_ssl_no_compression },
+	{ "tls_version",		configure_tls_version },
+	{ "tls_cipher",			configure_tls_cipher },
+	{ "tls_dhparam",		configure_tls_dhparam },
 	{ "spdy_idle_time",		configure_spdy_idle_time },
 	{ "domain",			configure_domain },
 	{ "chroot",			configure_chroot },
@@ -220,6 +220,11 @@ kore_parse_config_file(char *fpath)
 			}
 		}
 
+		if (config_names[i].name == NULL) {
+			printf("unknown configuration option on line %d\n",
+			    lineno);
+		}
+
 		lineno++;
 	}
 
@@ -258,22 +263,42 @@ configure_load(char **argv)
 }
 
 static int
-configure_ssl_cipher(char **argv)
+configure_tls_version(char **argv)
 {
 	if (argv[1] == NULL)
 		return (KORE_RESULT_ERROR);
 
-	if (strcmp(kore_ssl_cipher_list, KORE_DEFAULT_CIPHER_LIST)) {
-		kore_debug("duplicate ssl_cipher directive specified");
+	if (!strcmp(argv[1], "1.2")) {
+		tls_version = KORE_TLS_VERSION_1_2;
+	} else if (!strcmp(argv[1], "1.0")) {
+		tls_version = KORE_TLS_VERSION_1_0;
+	} else if (!strcmp(argv[1], "both")) {
+		tls_version = KORE_TLS_VERSION_BOTH;
+	} else {
+		printf("unknown value for tls_version: %s\n", argv[1]);
 		return (KORE_RESULT_ERROR);
 	}
 
-	kore_ssl_cipher_list = kore_strdup(argv[1]);
 	return (KORE_RESULT_OK);
 }
 
 static int
-configure_ssl_dhparam(char **argv)
+configure_tls_cipher(char **argv)
+{
+	if (argv[1] == NULL)
+		return (KORE_RESULT_ERROR);
+
+	if (strcmp(kore_tls_cipher_list, KORE_DEFAULT_CIPHER_LIST)) {
+		kore_debug("duplicate tls_cipher directive specified");
+		return (KORE_RESULT_ERROR);
+	}
+
+	kore_tls_cipher_list = kore_strdup(argv[1]);
+	return (KORE_RESULT_OK);
+}
+
+static int
+configure_tls_dhparam(char **argv)
 {
 #if !defined(KORE_BENCHMARK)
 	BIO		*bio;
@@ -281,8 +306,8 @@ configure_ssl_dhparam(char **argv)
 	if (argv[1] == NULL)
 		return (KORE_RESULT_ERROR);
 
-	if (ssl_dhparam != NULL) {
-		kore_debug("duplicate ssl_dhparam directive specified");
+	if (tls_dhparam != NULL) {
+		kore_debug("duplicate tls_dhparam directive specified");
 		return (KORE_RESULT_ERROR);
 	}
 
@@ -291,10 +316,10 @@ configure_ssl_dhparam(char **argv)
 		return (KORE_RESULT_ERROR);
 	}
 
-	ssl_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+	tls_dhparam = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
 	BIO_free(bio);
 
-	if (ssl_dhparam == NULL) {
+	if (tls_dhparam == NULL) {
 		printf("PEM_read_bio_DHparams(): %s\n", ssl_errno_s);
 		return (KORE_RESULT_ERROR);
 	}
@@ -302,13 +327,6 @@ configure_ssl_dhparam(char **argv)
 	return (KORE_RESULT_OK);
 }
 
-static int
-configure_ssl_no_compression(char **argv)
-{
-	printf("ssl_no_compression is deprecated, and always on by default\n");
-	return (KORE_RESULT_OK);
-}
-
 static int
 configure_spdy_idle_time(char **argv)
 {

src/domain.c

@@ -22,7 +22,8 @@
 
 struct kore_domain_h		domains;
 struct kore_domain		*primary_dom = NULL;
-DH				*ssl_dhparam = NULL;
+DH				*tls_dhparam = NULL;
+int				tls_version = KORE_TLS_VERSION_1_2;
 
 static void	domain_load_crl(struct kore_domain *);
 
@@ -69,13 +70,28 @@ kore_domain_sslstart(struct kore_domain *dom)
 #if !defined(KORE_BENCHMARK)
 	STACK_OF(X509_NAME)	*certs;
 	X509_STORE		*store;
+	const SSL_METHOD	*method;
 #if !defined(OPENSSL_NO_EC)
 	EC_KEY		*ecdh;
 #endif
 
 	kore_debug("kore_domain_sslstart(%s)", dom->domain);
 
-	dom->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+	switch (tls_version) {
+	case KORE_TLS_VERSION_1_2:
+		method = TLSv1_2_server_method();
+		break;
+	case KORE_TLS_VERSION_1_0:
+		method = TLSv1_server_method();
+		break;
+	case KORE_TLS_VERSION_BOTH:
+		method = SSLv23_server_method();
+		break;
+	default:
+		fatal("unknown tls_version: %d", tls_version);
+	}
+
+	dom->ssl_ctx = SSL_CTX_new(method);
 	if (dom->ssl_ctx == NULL)
 		fatal("kore_domain_sslstart(): SSL_ctx_new(): %s", ssl_errno_s);
 	if (!SSL_CTX_use_certificate_chain_file(dom->ssl_ctx, dom->certfile)) {
@@ -92,10 +108,10 @@ kore_domain_sslstart(struct kore_domain *dom)
 	if (!SSL_CTX_check_private_key(dom->ssl_ctx))
 		fatal("Public/Private key for %s do not match", dom->domain);
 
-	if (ssl_dhparam == NULL)
+	if (tls_dhparam == NULL)
 		fatal("No DH parameters given");
 
-	SSL_CTX_set_tmp_dh(dom->ssl_ctx, ssl_dhparam);
+	SSL_CTX_set_tmp_dh(dom->ssl_ctx, tls_dhparam);
 	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_SINGLE_DH_USE);
 
 #if !defined(OPENSSL_NO_EC)
@@ -142,14 +158,18 @@ kore_domain_sslstart(struct kore_domain *dom)
 #endif
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 
-	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);
-	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv3);
-	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-	SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_ssl_cipher_list);
+	if (tls_version == KORE_TLS_VERSION_BOTH) {
+		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);
+		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv3);
+		SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_TLSv1_1);
+	}
 
-	SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, kore_ssl_sni_cb);
+	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+	SSL_CTX_set_cipher_list(dom->ssl_ctx, kore_tls_cipher_list);
+
+	SSL_CTX_set_tlsext_servername_callback(dom->ssl_ctx, kore_tls_sni_cb);
 	SSL_CTX_set_next_protos_advertised_cb(dom->ssl_ctx,
-	    kore_ssl_npn_cb, NULL);
+	    kore_tls_npn_cb, NULL);
 
 	kore_mem_free(dom->certfile);
 	kore_mem_free(dom->certkey);

src/kore.c

@@ -36,7 +36,7 @@ char			*runas_user = NULL;
 char			*chroot_path = NULL;
 u_int32_t		kore_socket_backlog = 5000;
 char			*kore_pidfile = KORE_PIDFILE_DEFAULT;
-char			*kore_ssl_cipher_list = KORE_DEFAULT_CIPHER_LIST;
+char			*kore_tls_cipher_list = KORE_DEFAULT_CIPHER_LIST;
 
 static void	usage(void);
 static void	version(void);
@@ -169,9 +169,9 @@ main(int argc, char *argv[])
 
 #if !defined(KORE_BENCHMARK)
 int
-kore_ssl_npn_cb(SSL *ssl, const u_char **data, unsigned int *len, void *arg)
+kore_tls_npn_cb(SSL *ssl, const u_char **data, unsigned int *len, void *arg)
 {
-	kore_debug("kore_ssl_npn_cb(): sending protocols");
+	kore_debug("kore_tls_npn_cb(): sending protocols");
 
 	*data = (const unsigned char *)KORE_SSL_PROTO_STRING;
 	*len = strlen(KORE_SSL_PROTO_STRING);
@@ -180,13 +180,13 @@ kore_ssl_npn_cb(SSL *ssl, const u_char **data, unsigned int *len, void *arg)
 }
 
 int
-kore_ssl_sni_cb(SSL *ssl, int *ad, void *arg)
+kore_tls_sni_cb(SSL *ssl, int *ad, void *arg)
 {
 	struct kore_domain	*dom;
 	const char		*sname;
 
 	sname = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-	kore_debug("kore_ssl_sni_cb(): received host %s", sname);
+	kore_debug("kore_tls_sni_cb(): received host %s", sname);
 
 	if (sname != NULL && (dom = kore_domain_lookup(sname)) != NULL) {
 		kore_debug("kore_ssl_sni_cb(): Using %s CTX", sname);