Update the handling of ProxyTLSCipherSuite for nicer detection/handling of TLSv1.3 ciphersuite configurations.

Castaglia · Castaglia · commit 73fa969aa204 · 2023-09-30T10:12:30.000-07:00
diff --git a/mod_proxy.c b/mod_proxy.c
@@ -1793,13 +1793,37 @@ MODRET set_proxytlsciphersuite(cmd_rec *cmd) {
   if (cmd->argc-1 == 1) {
     ciphersuite = cmd->argv[1];
 
+    /* Currently, OpenSSL ciphersuite names for TLSv1.3 all use underscores;
+     * ciphersuite names for TLSv1.2 and older do NOT use underscores.
+     *
+     * So if we see an underscore in the configured ciphersuites here, we
+     * know that the optional protocol parameter has NOT been used, and that
+     * a TLSv1.3 ciphersuite is being configured -- and that this situation
+     * will be silently ignored by OpenSSL.
+     */
+    if (strchr(ciphersuite, '_') != NULL) {
+      CONF_ERROR(cmd, pstrcat(cmd->tmp_pool,
+        "use of TLSv1.3 ciphersuite in '", ciphersuite,
+        "' requires protocol parameter; use 'ProxyTLSCipherSuite TLSv1.3 ",
+        ciphersuite, "'", NULL));
+    }
+
   } else if (cmd->argc-1 == 2) {
     char *protocol_text;
 
     protocol_text = cmd->argv[1];
     if (strcasecmp(protocol_text, "TLSv1.3") == 0) {
       protocol = PROXY_TLS_PROTO_TLS_V1_3;
 
+    } else if (strcasecmp(protocol_text, "TLSv1.2") == 0) {
+      protocol = PROXY_TLS_PROTO_TLS_V1_2;
+
+    } else if (strcasecmp(protocol_text, "TLSv1.1") == 0) {
+      protocol = PROXY_TLS_PROTO_TLS_V1_1;
+
+    } else if (strcasecmp(protocol_text, "TLSv1.0") == 0) {
+      protocol = PROXY_TLS_PROTO_TLS_V1;
+
     } else {
       CONF_ERROR(cmd, pstrcat(cmd->tmp_pool,
         "unknown/unsupported protocol specifier: ", protocol_text, NULL));
