apache · maskit · May 10, 2023 · Apr 29, 2023 · May 2, 2023 · ywkaras
diff --git a/configs/sni.yaml.default b/configs/sni.yaml.default
@@ -20,7 +20,9 @@
 #    verify_client_ca_certs   - specifies an alternate set of certificate authority certs to use to verify the client cert.
 #    host_sni_policy          - sets the flag to control how policy impacting mismatches between host header and SNI values are dealt with;
 #                               parameters = one of 'DISABLED', 'PERMISSIVE', or 'ENFORCED'
-#    valid_tls_versions_in    - sets the list of TLS protocols that will be offered to user agents during the TLS negotiation;
+#    valid_tls_version_min_in - sets the minimum TLS version that will be offered to user agents during the TLS negotiation;
+#                               parameters = one of 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.
+#    valid_tls_version_max_in - sets the maximum TLS version that will be offered to user agents during the TLS negotiation;
 #                               parameters = one of 'TLSv1', 'TLSv1_1', 'TLSv1_2', and 'TLSv1_3'.
 #    client_cert              - sets the client certificate to present to the server specified in dest_host; parameters = certificate file .
 #                               The location of the certificate file is relative to proxy.config.ssl.server.cert.path directory.

diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst
@@ -3583,11 +3583,45 @@ SSL Termination
 
    This configuration works with OpenSSL v1.0.2 and above.
 
+.. ts:cv:: CONFIG proxy.config.ssl.server.version.min INT -1
+
+   Specifies the minimum TLS version that will be offered to clients during the TLS negotiation.
+
+   ======== ===================================================================
+   Value    Version
+   ======== ===================================================================
+   ``0``    TLS 1.0
+   ``1``    TLS 1.1
+   ``2``    TLS 1.2
+   ``3``    TLS 1.3
+   ======== ===================================================================
+
+.. ts:cv:: CONFIG proxy.config.ssl.server.version.max INT -1
+
+   Specifies the maximum TLS version that will be offered to clients during the TLS negotiation.
+
+   ======== ===================================================================
+   Value    Version
+   ======== ===================================================================
+   ``0``    TLS 1.0
+   ``1``    TLS 1.1
+   ``2``    TLS 1.2
+   ``3``    TLS 1.3
+   ======== ===================================================================
+
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.server.version.min` and
+   :ts:cv:`proxy.config.ssl.server.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by default.
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.server.version.min` and
+   :ts:cv:`proxy.config.ssl.server.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, disabled by default.  [Requires OpenSSL v1.0.1 and higher]
 
@@ -3599,10 +3633,18 @@ SSL Termination
 
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.server.version.min` and
+   :ts:cv:`proxy.config.ssl.server.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLS v1.2.  If not specified, enabled by default.  [Requires OpenSSL v1.0.1 and higher]
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_3 INT 1
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.server.version.min` and
+   :ts:cv:`proxy.config.ssl.server.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLS v1.3.  If not specified, enabled by default.  [Requires OpenSSL v1.1.1 and higher]
 
@@ -4008,19 +4050,61 @@ Client-Related Configuration
          warning and return an immediate HTTP 400 response.
    ===== ======================================================================
 
+.. ts:cv:: CONFIG proxy.config.ssl.client.version.min INT -1
+
+   Specifies the minimum TLS version that will be offered to servers during the TLS negotiation.
+
+   ======== ===================================================================
+   Value    Version
+   ======== ===================================================================
+   ``0``    TLS 1.0
+   ``1``    TLS 1.1
+   ``2``    TLS 1.2
+   ``3``    TLS 1.3
+   ======== ===================================================================
+
+.. ts:cv:: CONFIG proxy.config.ssl.client.version.max INT -1
+
+   Specifies the maximum TLS version that will be offered to servers during the TLS negotiation.
+
+   ======== ===================================================================
+   Value    Version
+   ======== ===================================================================
+   ``0``    TLS 1.0
+   ``1``    TLS 1.1
+   ``2``    TLS 1.2
+   ``3``    TLS 1.3
+   ======== ===================================================================
+
 .. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1 INT 0
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.client.version.min` and
+   :ts:cv:`proxy.config.ssl.client.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLSv1.0 in the ATS client context. If not specified, enabled by default
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_1 INT 0
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.client.version.min` and
+   :ts:cv:`proxy.config.ssl.client.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLSv1_1 in the ATS client context. If not specified, enabled by default
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.client.version.min` and
+   :ts:cv:`proxy.config.ssl.client.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLSv1_2 in the ATS client context. If not specified, enabled by default
 
 .. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_3 INT 1
+   :deprecated:
+
+   This setting is deprecated in favor of :ts:cv:`proxy.config.ssl.client.version.min` and
+   :ts:cv:`proxy.config.ssl.client.version.min`, and will be ignored if those new settings are used.
 
    Enables (``1``) or disables (``0``) TLSv1_3 in the ATS client context. If not specified, enabled by default
 

diff --git a/doc/admin-guide/files/sni.yaml.en.rst b/doc/admin-guide/files/sni.yaml.en.rst
@@ -122,7 +122,25 @@ host_sni_policy           Inbound   One of the values :code:`DISABLED`, :code:`P
                                     which a malicious user may alter to some other server value whose policies are more
                                     lenient than the host he is trying to access.
 
-valid_tls_versions_in     Inbound   This specifies the list of TLS protocols that will be offered to user agents during
+valid_tls_version_min_in  Inbound   This specifies the minimum TLS version that will be offered to user agents during
+                                    the TLS negotiation.  This replaces the global settings in
+                                    :ts:cv:`proxy.config.ssl.server.version.min`,
+                                    :ts:cv:`proxy.config.ssl.TLSv1`, :ts:cv:`proxy.config.ssl.TLSv1_1`,
+                                    :ts:cv:`proxy.config.ssl.TLSv1_2`, and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential
+                                    values are TLSv1, TLSv1_1, TLSv1_2, and TLSv1_3. This key is only valid for OpenSSL
+                                    1.1.0 and later and BoringSSL. Older versions of OpenSSL do not provide a hook early enough to update
+                                    the SSL object.  It is a syntax error for |TS| built against earlier versions.
+
+valid_tls_version_max_in  Inbound   This specifies the minimum TLS version that will be offered to user agents during
+                                    the TLS negotiation.  This replaces the global settings in
+                                    :ts:cv:`proxy.config.ssl.server.version.max`,
+                                    :ts:cv:`proxy.config.ssl.TLSv1`, :ts:cv:`proxy.config.ssl.TLSv1_1`,
+                                    :ts:cv:`proxy.config.ssl.TLSv1_2`, and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential
+                                    values are TLSv1, TLSv1_1, TLSv1_2, and TLSv1_3. This key is only valid for OpenSSL
+                                    1.1.0 and later and BoringSSL. Older versions of OpenSSL do not provide a hook early enough to update
+                                    the SSL object.  It is a syntax error for |TS| built against earlier versions.
+
+valid_tls_versions_in     Inbound   Deprecated. This specifies the list of TLS protocols that will be offered to user agents during
                                     the TLS negotiation.  This replaces the global settings in
                                     :ts:cv:`proxy.config.ssl.TLSv1`, :ts:cv:`proxy.config.ssl.TLSv1_1`,
                                     :ts:cv:`proxy.config.ssl.TLSv1_2`, and :ts:cv:`proxy.config.ssl.TLSv1_3`. The potential

diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
@@ -332,6 +332,8 @@ class TLSValidProtocols : public ActionItem
 {
   bool unset = true;
   unsigned long protocol_mask;
+  int min_ver = -1;
+  int max_ver = -1;
 
 public:
 #ifdef SSL_OP_NO_TLSv1_3
@@ -341,15 +343,25 @@ class TLSValidProtocols : public ActionItem
 #endif
   TLSValidProtocols() : protocol_mask(max_mask) {}
   TLSValidProtocols(unsigned long protocols) : unset(false), protocol_mask(protocols) {}
+  TLSValidProtocols(int min_ver, int max_ver) : unset(false), protocol_mask(0), min_ver(min_ver), max_ver(max_ver) {}
 
   int
   SNIAction(TLSSNISupport *snis, const Context & /* ctx */) const override
   {
-    if (!unset) {
-      auto ssl_vc            = dynamic_cast<SSLNetVConnection *>(snis);
+    if (this->min_ver >= 0 || this->max_ver >= 0) {
       const char *servername = snis->get_sni_server_name();
-      Debug("ssl_sni", "TLSValidProtocol param 0%x, fqdn [%s]", static_cast<unsigned int>(this->protocol_mask), servername);
-      ssl_vc->set_valid_tls_protocols(protocol_mask, TLSValidProtocols::max_mask);
+      Debug("ssl_sni", "TLSValidProtocol min=%d, max=%d, fqdn [%s]", this->min_ver, this->max_ver, servername);
+      auto ssl_vc = dynamic_cast<SSLNetVConnection *>(snis);
+      ssl_vc->set_valid_tls_version_min(this->min_ver);
+      ssl_vc->set_valid_tls_version_max(this->max_ver);
+    } else {
+      if (!unset) {
+        auto ssl_vc            = dynamic_cast<SSLNetVConnection *>(snis);
+        const char *servername = snis->get_sni_server_name();
+        Debug("ssl_sni", "TLSValidProtocol param 0%x, fqdn [%s]", static_cast<unsigned int>(this->protocol_mask), servername);
+        ssl_vc->set_valid_tls_protocols(protocol_mask, TLSValidProtocols::max_mask);
+        Warning("valid_tls_versions_in is deprecated. Use valid_tls_version_min_in and ivalid_tls_version_max_in instead.");
+      }
     }
 
     return SSL_TLSEXT_ERR_OK;

diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
@@ -111,6 +111,10 @@ struct SSLConfigParams : public ConfigInfo {
   char *client_tls13_cipher_suites;
   char *server_groups_list;
   char *client_groups_list;
+  int server_tls_ver_min;
+  int server_tls_ver_max;
+  int client_tls_ver_min;
+  int client_tls_ver_max;
 
   char *keylog_file;
 

diff --git a/iocore/net/P_SSLNetVConnection.h b/iocore/net/P_SSLNetVConnection.h
@@ -389,12 +389,9 @@ class SSLNetVConnection : public UnixNetVConnection,
     return _ca_cert_dir.get();
   }
 
-  void
-  set_valid_tls_protocols(unsigned long proto_mask, unsigned long max_mask)
-  {
-    SSL_set_options(this->ssl, proto_mask);
-    SSL_clear_options(this->ssl, max_mask & ~proto_mask);
-  }
+  void set_valid_tls_protocols(unsigned long proto_mask, unsigned long max_mask);
+  void set_valid_tls_version_min(int min);
+  void set_valid_tls_version_max(int max);
 
 protected:
   SSL *

diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
@@ -204,6 +204,22 @@ SSLInitClientContext(const SSLConfigParams *params)
     }
   }
 
+  if (params->client_tls_ver_min >= 0 || params->client_tls_ver_max >= 0) {
+    int ver = 0;
+    if (params->client_tls_ver_min >= 0) {
+      ver = TLS1_VERSION + params->client_tls_ver_min;
+    }
+    // Setting 0 enables version down to the lowest version supported by the SSL library
+    SSL_CTX_set_min_proto_version(client_ctx, ver);
+
+    ver = 0;
+    if (params->client_tls_ver_max >= 0) {
+      ver = TLS1_VERSION + params->client_tls_ver_max;
+    }
+    // Setting 0 enables version up to the highest version supported by the SSL library
+    SSL_CTX_set_max_proto_version(client_ctx, ver);
+  }
+
 #if TS_USE_TLS_SET_CIPHERSUITES
   if (params->client_tls13_cipher_suites != nullptr) {
     if (!SSL_CTX_set_ciphersuites(client_ctx, params->client_tls13_cipher_suites)) {

diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
@@ -280,47 +280,85 @@ SSLConfigParams::initialize()
 
   int option = 0;
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1");
-  if (!option) {
-    ssl_ctx_options |= SSL_OP_NO_TLSv1;
-  }
+  REC_ReadConfigInteger(client_tls_ver_min, "proxy.config.ssl.client.version.min");
+  REC_ReadConfigInteger(client_tls_ver_max, "proxy.config.ssl.client.version.max");
+  if (client_tls_ver_min < 0 || client_tls_ver_max < 0) {
+    REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1");
+    if (!option) {
+      ssl_client_ctx_options |= SSL_OP_NO_TLSv1;
+    } else {
+      // This is disabled by default. It's used if it's enabled.
+      Warning("proxy.config.ssl.client.TLSv1 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1");
-  if (!option) {
-    ssl_client_ctx_options |= SSL_OP_NO_TLSv1;
-  }
+    REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_1");
+    if (!option) {
+      ssl_client_ctx_options |= SSL_OP_NO_TLSv1_1;
+    } else {
+      // This is disabled by default. It's used if it's enabled.
+      Warning("proxy.config.ssl.client.TLSv1_1 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_1");
-  if (!option) {
-    ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
-  }
+    REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_2");
+    if (!option) {
+      ssl_client_ctx_options |= SSL_OP_NO_TLSv1_2;
+      // This is enabled by default. It's used if it's disabled.
+      Warning("proxy.config.ssl.client.TLSv1_2 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_1");
-  if (!option) {
-    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_1;
+#ifdef SSL_OP_NO_TLSv1_3
+    REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_3.enabled");
+    if (!option) {
+      ssl_client_ctx_options |= SSL_OP_NO_TLSv1_3;
+      // This is enabled by default. It's used if it's disabled.
+      Warning("proxy.config.ssl.client.TLSv1_3.enabled is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
+#endif
   }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_2");
-  if (!option) {
-    ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
-  }
+  REC_ReadConfigInteger(server_tls_ver_min, "proxy.config.ssl.server.version.min");
+  REC_ReadConfigInteger(server_tls_ver_max, "proxy.config.ssl.server.version.max");
+  if (server_tls_ver_min < 0 || server_tls_ver_max < 0) {
+    REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1");
+    if (!option) {
+      ssl_ctx_options |= SSL_OP_NO_TLSv1;
+    } else {
+      // This is disabled by default. It's used if it's enabled.
+      Warning("proxy.config.ssl.client.TLSv1 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_2");
-  if (!option) {
-    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_2;
-  }
+    REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_1");
+    if (!option) {
+      ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+    } else {
+      // This is disabled by default. It's used if it's enabled.
+      Warning("proxy.config.ssl.client.TLSv1_1 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-#ifdef SSL_OP_NO_TLSv1_3
-  REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_3.enabled");
-  if (!option) {
-    ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
-  }
+    REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_2");
+    if (!option) {
+      ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+      // This is enabled by default. It's used if it's disabled.
+      Warning("proxy.config.ssl.client.TLSv1_2 is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 
-  REC_ReadConfigInteger(option, "proxy.config.ssl.client.TLSv1_3.enabled");
-  if (!option) {
-    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_3;
-  }
+#ifdef SSL_OP_NO_TLSv1_3
+    REC_ReadConfigInteger(option, "proxy.config.ssl.TLSv1_3.enabled");
+    if (!option) {
+      ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
+      // This is enabled by default. It's used if it's disabled.
+      Warning("proxy.config.ssl.client.TLSv1_3.enabled is deprecated. Use proxy.config.ssl.client.version.min and "
+              "proxy.config.ssl.client.version.max instead.");
+    }
 #endif
+  }
 
   // Read in the protocol string for ALPN to origin
   char *clientALPNProtocols = nullptr;