From 01f8e2f61b099b0d9270b84cd77cf091fe1d310d Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Fri, 18 May 2012 16:02:00 +0200 Subject: [PATCH] MEDIUM: config: add support for the 'ssl' option on 'server' lines This option currently takes no option and simply turns SSL on for all connections going to the server. It is likely that more options will be needed in the future. --- include/types/server.h | 1 + src/cfgparse.c | 53 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/include/types/server.h b/include/types/server.h index b009e1bad..21366a90a 100644 --- a/include/types/server.h +++ b/include/types/server.h @@ -169,6 +169,7 @@ struct server { int check_data_len; /* length of partial check results stored in check_data */ #ifdef USE_OPENSSL + int use_ssl; /* ssl enabled */ struct { SSL_CTX *ctx; SSL_SESSION *reused_sess; diff --git a/src/cfgparse.c b/src/cfgparse.c index d8b7e6dbe..06559e6b6 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -4144,6 +4144,9 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) newsrv->onerror = curproxy->defsrv.onerror; newsrv->consecutive_errors_limit = curproxy->defsrv.consecutive_errors_limit; +#ifdef OPENSSL + newsrv->use_ssl = curproxy->defsrv.use_ssl; +#endif newsrv->uweight = newsrv->iweight = curproxy->defsrv.iweight; @@ -4380,6 +4383,17 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) newsrv->health = 0; cur_arg += 1; } + else if (!strcmp(args[cur_arg], "ssl")) { +#ifdef USE_OPENSSL + newsrv->use_ssl = 1; + cur_arg += 1; +#else /* USE_OPENSSL */ + Alert("parsing [%s:%d]: '%s' option not implemented.\n", + file, linenum, args[cur_arg]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif /* USE_OPENSSL */ + } else if (!defsrv && !strcmp(args[cur_arg], "observe")) { if (!strcmp(args[cur_arg + 1], "none")) newsrv->observe = HANA_OBS_NONE; @@ -6340,6 +6354,45 @@ int check_config_validity() newsrv->minconn = newsrv->maxconn; } +#ifdef USE_OPENSSL +#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */ +#define SSL_OP_NO_COMPRESSION 0 +#endif +#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */ +#define SSL_MODE_RELEASE_BUFFERS 0 +#endif +#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */ +#define SSL_OP_NO_COMPRESSION 0 +#endif + if (newsrv->use_ssl) { + int ssloptions = + SSL_OP_ALL | /* all known workarounds for bugs */ + SSL_OP_NO_SSLv2 | + SSL_OP_NO_COMPRESSION; + int sslmode = + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_RELEASE_BUFFERS; + + /* Initiate SSL context for current server */ + newsrv->ssl_ctx.reused_sess = NULL; + newsrv->data = &ssl_sock; + newsrv->ssl_ctx.ctx = SSL_CTX_new(SSLv23_client_method()); + if(!newsrv->ssl_ctx.ctx) { + + Alert("config : %s '%s', server '%s': unable to allocate ssl context.\n", + proxy_type_str(curproxy), curproxy->id, + newsrv->id); + cfgerr++; + goto next_srv; + } + + SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions); + SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode); + SSL_CTX_set_verify(newsrv->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL); + SSL_CTX_set_session_cache_mode(newsrv->ssl_ctx.ctx, SSL_SESS_CACHE_OFF); + } +#endif /* USE_OPENSSL */ if (newsrv->trackit) { struct proxy *px; struct server *srv;