diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod
index 1b14a7391e5d8842b6b4d6663f5e3788765e93ad..cdfebc86d2f8c13e11b6d73d1e5fbf02bcfed96d 100644
--- a/doc/man3/SSL_read_early_data.pod
+++ b/doc/man3/SSL_read_early_data.pod
@@ -180,7 +180,7 @@ server application will either use both of SSL_read_early_data() and
SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
early data setting for a server is non-zero then replay protection is
-automatically enabled (see L below).
+automatically enabled (see L below).
In the event that the current maximum early data setting for the server is
different to that originally specified in a session that a client is resuming
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 485ec0870b684e94b449d0f60271442ed513d750..7885d6a4b6e26d6aacef2dfbf0d5712c43606324 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -247,6 +247,22 @@ For example:
ECDSA.Certificate = server-ecdsa.pem
Ciphers = ALL:!RC4
+The system default configuration with name B if present will
+be applied during any creation of the B structure.
+
+Example of a configuration with the system default:
+
+ ssl_conf = ssl_sect
+
+ [ssl_sect]
+
+ system_default = system_default_sect
+
+ [system_default_sect]
+
+ MinProtocol = TLSv1.2
+
+
=head1 NOTES
If a configuration file attempts to expand a variable that doesn't exist
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e42333160b451aa70d7d3213c3e39129888be827..baf8a94aa66ae6e0b7d8c42e5aea99b1ca993c5a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3112,6 +3112,8 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
*/
ret->max_early_data = 0;
+ ssl_ctx_system_config(ret);
+
return ret;
err:
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 83a033445d908c2bf46b3c37a192e607607adcaf..9d4e0f17a7ef3699ebfa4115ea30502d4243e135 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2587,6 +2587,9 @@ void custom_exts_free(custom_ext_methods *exts);
void ssl_comp_free_compression_methods_int(void);
+/* ssl_mcnf.c */
+void ssl_ctx_system_config(SSL_CTX *ctx);
+
# else /* OPENSSL_UNIT_TEST */
# define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
diff --git a/ssl/ssl_mcnf.c b/ssl/ssl_mcnf.c
index 59674f3d39c9dd6bd78d87d0e06eb4483c783cc1..70c7ed811f649da8d544e1cda6ff8ca7fb33b701 100644
--- a/ssl/ssl_mcnf.c
+++ b/ssl/ssl_mcnf.c
@@ -125,6 +125,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
{
size_t i;
const struct ssl_conf_name *nm;
+
if (name == NULL)
return NULL;
for (i = 0, nm = ssl_names; i < ssl_names_count; i++, nm++) {
@@ -134,7 +135,7 @@ static const struct ssl_conf_name *ssl_name_find(const char *name)
return NULL;
}
-static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
+static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name, int system)
{
SSL_CONF_CTX *cctx = NULL;
size_t i;
@@ -143,21 +144,28 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
const SSL_METHOD *meth;
const struct ssl_conf_name *nm;
struct ssl_conf_cmd *cmd;
+
if (s == NULL && ctx == NULL) {
SSLerr(SSL_F_SSL_DO_CONFIG, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
+
+ if (name == NULL && system)
+ name = "system_default";
nm = ssl_name_find(name);
if (nm == NULL) {
- SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
- ERR_add_error_data(2, "name=", name);
+ if (!system) {
+ SSLerr(SSL_F_SSL_DO_CONFIG, SSL_R_INVALID_CONFIGURATION_NAME);
+ ERR_add_error_data(2, "name=", name);
+ }
goto err;
}
cctx = SSL_CONF_CTX_new();
if (cctx == NULL)
goto err;
flags = SSL_CONF_FLAG_FILE;
- flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
+ if (!system)
+ flags |= SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE;
if (s != NULL) {
meth = s->method;
SSL_CONF_CTX_set_ssl(cctx, s);
@@ -190,10 +198,15 @@ static int ssl_do_config(SSL *s, SSL_CTX *ctx, const char *name)
int SSL_config(SSL *s, const char *name)
{
- return ssl_do_config(s, NULL, name);
+ return ssl_do_config(s, NULL, name, 0);
}
int SSL_CTX_config(SSL_CTX *ctx, const char *name)
{
- return ssl_do_config(NULL, ctx, name);
+ return ssl_do_config(NULL, ctx, name, 0);
+}
+
+void ssl_ctx_system_config(SSL_CTX *ctx)
+{
+ ssl_do_config(NULL, ctx, NULL, 1);
}
diff --git a/test/build.info b/test/build.info
index 45e3fddce1be7c462dc05ec8b8aab5c611d24d5b..085f0faa108912f9234184904ec4d5a091e9636c 100644
--- a/test/build.info
+++ b/test/build.info
@@ -48,7 +48,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
- servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest
+ servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \
+ sysdefaulttest
SOURCE[aborttest]=aborttest.c
INCLUDE[aborttest]=../include
@@ -513,6 +514,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
SOURCE[sslbuffertest]=sslbuffertest.c ssltestlib.c
INCLUDE[sslbuffertest]=../include
DEPEND[sslbuffertest]=../libcrypto ../libssl libtestutil.a
+
+ SOURCE[sysdefaulttest]=sysdefaulttest.c
+ INCLUDE[sysdefaulttest]=../include
+ DEPEND[sysdefaulttest]=../libcrypto ../libssl libtestutil.a
ENDIF
{-
diff --git a/test/recipes/90-test_sysdefault.t b/test/recipes/90-test_sysdefault.t
new file mode 100644
index 0000000000000000000000000000000000000000..79d20a8d8106a1f1ebe1270f9fb1834ebe44131a
--- /dev/null
+++ b/test/recipes/90-test_sysdefault.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+my $test_name = "test_sysdefault";
+setup($test_name);
+
+plan skip_all => "$test_name is not supported in this build"
+ if disabled("tls1_2") || disabled("rsa");
+
+plan tests => 1;
+
+$ENV{OPENSSL_CONF} = srctop_file("test", "sysdefault.cnf");
+
+ok(run(test(["sysdefaulttest"])), "sysdefaulttest");
diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..5473d837c10f3539423369a10e3af52e136a3b10
--- /dev/null
+++ b/test/sysdefault.cnf
@@ -0,0 +1,15 @@
+# Configuration file to test system default SSL configuration
+
+openssl_conf = default_conf
+
+[ default_conf ]
+
+ssl_conf = ssl_sect
+
+[ssl_sect]
+
+system_default = ssl_default_sect
+
+[ssl_default_sect]
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
diff --git a/test/sysdefaulttest.c b/test/sysdefaulttest.c
new file mode 100644
index 0000000000000000000000000000000000000000..8ee4f243a1e6b82eebfd1b55abd047a0f30c0f5d
--- /dev/null
+++ b/test/sysdefaulttest.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include "testutil.h"
+
+static SSL_CTX *ctx;
+
+static int test_func(void)
+{
+ if (!TEST_int_eq(SSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION)
+ && !TEST_int_eq(SSL_CTX_get_max_proto_version(ctx), TLS1_2_VERSION)) {
+ TEST_info("min/max version setting incorrect");
+ return 0;
+ }
+ return 1;
+}
+
+int global_init(void)
+{
+ if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN
+ | OPENSSL_INIT_LOAD_CONFIG, NULL))
+ return 0;
+ return 1;
+}
+
+int setup_tests(void)
+{
+ if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())))
+ return 0;
+ ADD_TEST(test_func);
+ return 1;
+}
+
+void cleanup_tests(void)
+{
+ SSL_CTX_free(ctx);
+}