On Thu, Jan 05, 2017 at 06:02:53PM -0500, Michael W. Lucas wrote:
> 
> Hi,
> 
> Something doesn't seem right between httpd.conf and
> tls_config_parse_protocols. Running today's snapshot, but was first
> attempted in the 15 Dec snapshot.
> 
> httpd.conf(5) says to get TLS protocols from
> tls_config_parse_protocols(3). That page says:
> 
>      The tls_config_parse_protocols() function parses a protocol string and
>      returns the corresponding value via the protocols argument.  This value
>      can then be passed to the tls_config_set_protocols() function.  The
>      protocol string is a comma or colon separated list of keywords. 
> 
> Comma or colon delimited. Seems fine.
> 
> My httpd.conf is this:
> 
> server "www3.mwlucas.org" {
>         listen on * port 80
>         block return 302 "https://$SERVER_NAME$REQUEST_URI";
> }
> 
> server "www3.mwlucas.org" {
>         alias tarpit.mwlucas.org
>         listen on * tls port 443
>         hsts
>         # TLS certificate and key files created with acme-client(1)
>         tls certificate "/etc/ssl/acme/fullchain.pem"
>         tls key "/etc/ssl/acme/private/privkey.pem"
>         tls ocsp "/etc/ssl/acme/ocsp.der"
>         tls protocols tlsv1.0,tlsv1.1
> 
>            location "/.well-known/acme-challenge/*" {
>                    root "/acme"
>                    root strip 2
>            }
> }
> 
> 
> The man page says I can use a comma instead of a colon, so I change it
> like so.
> 
>         tls protocols tlsv1.0,tlsv1.1

Quote the string. Unquoted strings in the httpd.conf can't contain certain
characters, such as commas and exclamation points.


--
Carlin

> 
> This gives me
> 
> # httpd -n
> /etc/httpd.conf:16: syntax error
> 
> Looks like something doesn't match.
> 
> The man page also says:
> 
>      If a value has a negative prefix (in the form
>      of a leading exclamation mark) then it is removed from the list of
>      available protocols, rather than being added to it.
> 
> I read this as the following should work.
> 
>         tls protocols all:!tlsv1.0
> 
> Instead, I get:
> 
> httpd -n
> /etc/httpd.conf:16: invalid tls protocols
> 
> ==ml
> 
> -- 
> Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> 
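As an added example that is not part of this thread and not code from OpenBSD's httpd or libtls: the small checker below scans `tls protocols` lines in an httpd.conf, flags a bare (unquoted) value that contains the characters Carlin's reply names (commas and exclamation marks), and then evaluates the value with a Python reimplementation of the rules tls_config_parse_protocols(3) documents above (comma- or colon-separated keywords, a leading `!` removes a protocol). The keyword table, the bit values and the `check_config` function are assumptions made for illustration; the sample config is constructed. It also warns when the resulting set contains no TLS 1.2, which is the case for the `tlsv1.0,tlsv1.1` line from the original message.

```python
"""Checker for `tls protocols` values in httpd.conf (illustrative, not libtls)."""
import re

# Protocol flag bits: hypothetical values, only their distinctness matters here.
TLS_PROTOCOL_TLSv1_0 = 1 << 1
TLS_PROTOCOL_TLSv1_1 = 1 << 2
TLS_PROTOCOL_TLSv1_2 = 1 << 3
TLS_PROTOCOLS_ALL = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2

# Keyword table (assumed for this example; the authoritative list is in libtls).
KEYWORDS = {
    "tlsv1.0": TLS_PROTOCOL_TLSv1_0,
    "tlsv1.1": TLS_PROTOCOL_TLSv1_1,
    "tlsv1.2": TLS_PROTOCOL_TLSv1_2,
    "all": TLS_PROTOCOLS_ALL,
}


def parse_protocols(spec):
    """Return the protocol bitmask for a spec such as 'all:!tlsv1.0'.

    Keywords are separated by ',' or ':' as the man page says; a '!' prefix
    removes the keyword's protocols instead of adding them.  Unknown or empty
    keywords raise ValueError (the C function signals this with -1).
    """
    protocols = 0
    for token in re.split(r"[,:]", spec):
        token = token.strip().lower()
        negate = token.startswith("!")
        if negate:
            token = token[1:]
        if token not in KEYWORDS:
            raise ValueError("invalid tls protocols: unknown keyword %r" % token)
        if negate:
            protocols &= ~KEYWORDS[token]
        else:
            protocols |= KEYWORDS[token]
    return protocols


# A `tls protocols` line with either a double-quoted value or a bare word.
_LINE = re.compile(
    r'^\s*tls\s+protocols\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))\s*(?:#.*)?$'
)

# Characters named in the reply above as not allowed in unquoted strings
# ("such as", so the real lexer rejects more than these two).
_NEEDS_QUOTES = re.compile(r"[,!]")


def check_config(text):
    """Return a list of (line_number, message) findings for an httpd.conf text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m:
            continue
        bare, quoted = m.group("bare"), m.group("quoted")
        value = quoted if quoted is not None else bare
        if bare is not None and _NEEDS_QUOTES.search(bare):
            findings.append(
                (lineno, 'value %r must be quoted: tls protocols "%s"' % (bare, bare))
            )
        try:
            mask = parse_protocols(value)
        except ValueError as exc:
            findings.append((lineno, str(exc)))
            continue
        if mask == 0:
            findings.append((lineno, "no protocol enabled"))
        elif not mask & TLS_PROTOCOL_TLSv1_2:
            findings.append((lineno, "only legacy protocols enabled (tlsv1.2 missing)"))
    return findings


# Constructed sample: line 3 mirrors the failing line from the original message.
SAMPLE_CONF = '''server "example.invalid" {
        listen on * tls port 443
        tls protocols tlsv1.0,tlsv1.1
        tls protocols "all:!tlsv1.0"
}
'''

if __name__ == "__main__":
    for lineno, message in check_config(SAMPLE_CONF):
        print("httpd.conf:%d: %s" % (lineno, message))
```

Running the block reports two findings for line 3 of the sample (the bare value must be quoted, and the set it describes has no TLS 1.2) and none for the quoted `"all:!tlsv1.0"` line; the quoting finding is the fix Carlin gives, the second is the caveat a reviewer would add to the original configuration.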
