author | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-12 04:40:24 +0000 |
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-02-12 04:40:24 +0000 |
commit | 3359b4a7564501fd3905ac2e709a97524d38398c (patch) | |
tree | 9449da1fa9438b02ccd4c4b65cbc43439140085d /usr.sbin/httpd/parse.y | |
parent | 496ad4078aa0f09a35229e5d6d5bcddbf15954ac (diff) |
Allow TLS protocols to be specified via a "tls protocols" configuration
option.
ok reyk@
Diffstat (limited to 'usr.sbin/httpd/parse.y')
-rw-r--r-- | usr.sbin/httpd/parse.y | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/usr.sbin/httpd/parse.y b/usr.sbin/httpd/parse.y
index 51f7d980209..7e48abad023 100644
--- a/usr.sbin/httpd/parse.y
+++ b/usr.sbin/httpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.64 2015/02/08 04:50:32 reyk Exp $ */
+/* $OpenBSD: parse.y,v 1.65 2015/02/12 04:40:23 jsing Exp $ */ /* * Copyright (c) 2007 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -131,8 +131,9 @@ typedef struct { %token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON %token COMBINED CONNECTION DHE DIRECTORY ECDHE ERR FCGI INDEX IP KEY LISTEN
-%token LOCATION LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS
-%token ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT TLS TYPES
+%token LOCATION LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK PROTOCOLS
+%token REQUEST REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TIMEOUT
+%token TLS TYPES %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS %token <v.string> STRING %token <v.number> NUMBER
@@ -236,6 +237,7 @@ server : SERVER STRING { s->srv_conf.maxrequestbody = SERVER_MAXREQUESTBODY; s->srv_conf.flags |= SRVFLAG_LOG; s->srv_conf.logformat = LOG_FORMAT_COMMON;
+ s->srv_conf.tls_protocols = TLS_PROTOCOLS_ALL; if ((s->srv_conf.tls_cert_file = strdup(HTTPD_TLS_CERT)) == NULL) fatal("out of memory");
@@ -297,6 +299,13 @@ server : SERVER STRING { YYERROR; }
+ if ((srv->srv_conf.flags & SRVFLAG_TLS) && srv->srv_conf.tls_protocols == 0) { yyerror("no TLS protocols"); free(srv); YYERROR; } + if (server_tls_load_keypair(srv) == -1) { yyerror("failed to load public/private keys " "for server %s", srv->srv_conf.name);
@@ -643,6 +652,15 @@ tlsopts : CERTIFICATE STRING { } free($2); }
+ | PROTOCOLS STRING {
+ if (tls_config_parse_protocols(
+ &srv_conf->tls_protocols, $2) != 0) {
+ yyerror("invalid TLS protocols");
+ free($2);
+ YYERROR;
+ }
+ free($2);
+ } ; root : ROOT rootflags 
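Review bot: The new per-server default `s->srv_conf.tls_protocols = TLS_PROTOCOLS_ALL;` in the `@@ -236` hunk turns on every protocol version libtls knows about for each `server` block unless the administrator writes a `tls protocols` line, and neither the hunk nor the commit message records that this is the opt-out baseline. Whether that set includes older TLS versions an operator would rather not offer by default depends on how libtls defines TLS_PROTOCOLS_ALL, which is not visible on this page; if libtls also provides a narrower default set, the starting point should be chosen deliberately rather than by whichever constant was handy. Either way the line deserves a why-comment, e.g. `/* Start from every protocol libtls supports; "tls protocols" narrows this. */`, so the next reader does not assume the default is already the conservative subset. The enclosing `server : SERVER STRING {` action starts and ends outside the hunk.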
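Review bot: The new `yyerror("no TLS protocols");` in the `@@ -297` hunk does not say which server the rejected configuration belongs to, whereas the keypair error a few lines below reports `srv->srv_conf.name`; with several `server` blocks in one httpd.conf the administrator has to guess which `tls protocols` line netted out to nothing. Suggest `yyerror("no TLS protocols for server %s", srv->srv_conf.name);` to match the neighbouring message. A short comment on the check would also help, because a string that parses successfully but yields an empty set (should `tls_config_parse_protocols` accept negated entries) is only caught here and not in the `tls protocols` action, e.g. `/* A parsed protocol list may be empty; refuse to start a TLS server with none. */`. The enclosing server action starts and ends outside the hunk.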
@@ -1097,6 +1115,7 @@ lookup(char *s) { "pass", PASS }, { "port", PORT }, { "prefork", PREFORK }, + { "protocols", PROTOCOLS }, { "request", REQUEST }, { "requests", REQUESTS }, { "return", RETURN }, |