From bd7ee39d2eb614bdec75cec5ca5569ca52ca3609 Mon Sep 17 00:00:00 2001 From: Ishwor Gurung Date: Sun, 3 May 2015 16:59:59 +1000 Subject: [PATCH] Allow user to choose between TLS versions(TLSProtocol option introduced). --- mlogc/mlogc.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/mlogc/mlogc.c b/mlogc/mlogc.c index e67da108..e650452d 100644 --- a/mlogc/mlogc.c +++ b/mlogc/mlogc.c @@ -158,6 +158,8 @@ static apr_pool_t *recv_pool = NULL; static apr_array_header_t *queue = NULL; static const char *queue_path = NULL; static int ssl_validation = 0; +static int tlsprotocol = 1; +static curl_version_info_data* curlversion = NULL; /* static apr_time_t queue_time = 0; */ static void *requestline_regex = NULL; static int running = 0; @@ -810,6 +812,26 @@ static void init_configuration(void) startup_delay = atoi(s); } + /* TLS Protocol - TLSv1(0) TLSv1.1(1) TLSv1.2(2) (SSLv3 not supported) */ + s = apr_table_get(conf, "TLSProtocol"); + if (s != NULL) { + int num = atoi(s); + switch (num) { + case 0: + tlsprotocol = 0; + break; + case 1: + tlsprotocol = 1; + break; + case 2: + tlsprotocol = 2; + break; + default: + tlsprotocol = 2; /* Default is TLSv1.2 */ + } + } + curlversion = curl_version_info(CURLVERSION_NOW); + if ( startup_delay > 0 ) { error_log(LOG_NOTICE, NULL, "Delaying execution for %dms.", startup_delay); @@ -824,6 +846,8 @@ static void init_configuration(void) error_log(LOG_DEBUG2, NULL, "ErrorLog=%s", error_log_path); error_log(LOG_DEBUG2, NULL, "ErrorLogLevel=%d", error_log_level); error_log(LOG_DEBUG2, NULL, "StartupDelay=%d", startup_delay); + error_log(LOG_DEBUG2, NULL, "TLSProtocol=%d", tlsprotocol); + error_log(LOG_DEBUG2, NULL, "cURL version=%s", curlversion->version); s = apr_table_get(conf, "CheckpointInterval"); if (s != NULL) { @@ -1182,6 +1206,8 @@ static void logc_init(void) apr_status_t rc = 0; const char *errptr = NULL; int i, erroffset; + /* cURL major, minor and patch version */ + short cmaj, cmin, cpat = 0; queue = apr_array_make(pool, 64, sizeof(entry_t *)); if (queue == NULL) { @@ -1246,8 +1272,31 @@ static void logc_init(void) /* Seems like CURL_SSLVERSION_TLSv1_2 is not supported on libcurl * < v7.34.0 + * + * version_num is a 24 bit number created like this: + * <8 bits major number> | <8 bits minor number> | <8 bits patch number>. */ - curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); + switch (tlsprotocol) { + case 0: + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0); + break; + case 1: + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); + break; + case 2: + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + break; + default: + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); + break; + } + cmaj = curlversion->version_num >> 16; + cmin = (curlversion->version_num & 0x00ff00) >> 8; + cpat = (curlversion->version_num & 0x0000ff); + /* If cURL version < v7.34.0, use TLS v1.x */ + if (cmaj <= 7 && cmin < 34) { + curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); + } curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 15); curl_easy_setopt(curl, CURLOPT_NOSIGNAL, TRUE); @@ -1258,6 +1307,10 @@ static void logc_init(void) *(CURL **)apr_array_push(curl_handles) = curl; } + if (cmaj <= 7 && cmin < 34) { + error_log(LOG_DEBUG2, NULL, "TLSv1.2 is unsupported in cURL %d.%d.%d", cmaj, cmin, cpat); + } + logline_regex = pcre_compile(logline_pattern, PCRE_CASELESS, &errptr, &erroffset, NULL); if (logline_regex == NULL) {