mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 14:51:27 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: add statement to force some ssl options in global.

Browse Source 
Adds global statements 'ssl-default-server-options' and
'ssl-default-bind-options' to force on 'server' and 'bind' lines
some ssl options.

Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11',
'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11',
'force-tlsv12', and 'no-tls-tickets'.

Example:
      global
        ssl-default-server-options no-sslv3
        ssl-default-bind-options no-sslv3
This commit is contained in:
Emeric Brun 2014-10-30 15:56:50 +01:00 committed by Willy Tarreau
parent 5e0d0e046a
commit 2c86cbf753
3 changed files with 168 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
doc/configuration.txt
View File

@ -663,6 +663,15 @@ ssl-default-bind-ciphers <ciphers>
as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
"bind" keyword for more information. "bind" keyword for more information.
ssl-default-bind-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
default ssl-options to force on all "bind" lines. Please check the "bind"
keyword to see available options.
Example:
global
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers <ciphers> ssl-default-server-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
sets the default string describing the list of cipher algorithms that are sets the default string describing the list of cipher algorithms that are
@ -671,6 +680,11 @@ ssl-default-server-ciphers <ciphers>
defined in "man 1 ciphers". Please check the "server" keyword for more defined in "man 1 ciphers". Please check the "server" keyword for more
information. information.
ssl-default-server-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
default ssl-options to force on all "server" lines. Please check the "server"
keyword to see available options.
ssl-server-verify [none|required] ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none', The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if servers certificates are not verified. The default is 'required' except if
@ -8490,19 +8504,23 @@ defer-accept
force-sslv3 force-sslv3
This option enforces use of SSLv3 only on SSL connections instantiated from This option enforces use of SSLv3 only on SSL connections instantiated from
this listener. SSLv3 is generally less expensive than the TLS counterparts this listener. SSLv3 is generally less expensive than the TLS counterparts
for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*". for high connection rates. This option is also available on global statement
"ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv10 force-tlsv10
This option enforces use of TLSv1.0 only on SSL connections instantiated from This option enforces use of TLSv1.0 only on SSL connections instantiated from
this listener. See also "force-tls*", "no-sslv3", and "no-tls*". this listener. This option is also available on global statement
"ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv11 force-tlsv11
This option enforces use of TLSv1.1 only on SSL connections instantiated from This option enforces use of TLSv1.1 only on SSL connections instantiated from
this listener. See also "force-tls*", "no-sslv3", and "no-tls*". this listener. This option is also available on global statement
"ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
force-tlsv12 force-tlsv12
This option enforces use of TLSv1.2 only on SSL connections instantiated from This option enforces use of TLSv1.2 only on SSL connections instantiated from
this listener. See also "force-tls*", "no-sslv3", and "no-tls*". this listener. This option is also available on global statement
"ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
gid <gid> gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also Sets the group of the UNIX sockets to the designated system gid. It can also
@ -8595,35 +8613,40 @@ no-sslv3
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when disables support for SSLv3 on any sockets instantiated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
be enabled using any configuration option. See also "force-tls*", be enabled using any configuration option. This option is also available on
global statement "ssl-default-bind-options". See also "force-tls*",
and "force-sslv3". and "force-sslv3".
no-tls-tickets no-tls-tickets
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage. session resumption is more expensive in CPU usage. This option is also
available on global statement "ssl-default-bind-options".
no-tlsv10 no-tlsv10
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.0 on any sockets instantiated from the listener disables support for TLSv1.0 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and when SSL is supported. Note that SSLv2 is forced disabled in the code and
cannot be enabled using any configuration option. See also "force-tls*", cannot be enabled using any configuration option. This option is also
and "force-sslv3". available on global statement "ssl-default-bind-options". See also
"force-tlsv*", and "force-sslv3".
no-tlsv11 no-tlsv11
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.1 on any sockets instantiated from the listener disables support for TLSv1.1 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and when SSL is supported. Note that SSLv2 is forced disabled in the code and
cannot be enabled using any configuration option. See also "force-tls*", cannot be enabled using any configuration option. This option is also
and "force-sslv3". available on global statement "ssl-default-bind-options". See also
"force-tlsv*", and "force-sslv3".
no-tlsv12 no-tlsv12
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.2 on any sockets instantiated from the listener disables support for TLSv1.2 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and when SSL is supported. Note that SSLv2 is forced disabled in the code and
cannot be enabled using any configuration option. See also "force-tls*", cannot be enabled using any configuration option. This option is also
and "force-sslv3". available on global statement "ssl-default-bind-options". See also
"force-tlsv*", and "force-sslv3".
npn <protocols> npn <protocols>
This enables the NPN TLS extension and advertises the specified protocol list This enables the NPN TLS extension and advertises the specified protocol list
@ -8956,25 +8979,29 @@ fall <count>
force-sslv3 force-sslv3
This option enforces use of SSLv3 only when SSL is used to communicate with This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for the server. SSLv3 is generally less expensive than the TLS counterparts for
high connection rates. See also "no-tlsv*", "no-sslv3". high connection rates. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No Supported in default-server: No
force-tlsv10 force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with This option enforces use of TLSv1.0 only when SSL is used to communicate with
the server. See also "no-tlsv*", "no-sslv3". the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No Supported in default-server: No
force-tlsv11 force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with This option enforces use of TLSv1.1 only when SSL is used to communicate with
the server. See also "no-tlsv*", "no-sslv3". the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No Supported in default-server: No
force-tlsv12 force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with This option enforces use of TLSv1.2 only when SSL is used to communicate with
the server. See also "no-tlsv*", "no-sslv3". the server. This option is also available on global statement
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No Supported in default-server: No
@ -9062,7 +9089,8 @@ no-tls-tickets
This setting is only available when support for OpenSSL was built in. It This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless extension) and force to use stateful session resumption. Stateless
session resumption is more expensive in CPU usage for servers. session resumption is more expensive in CPU usage for servers. This option
is also available on global statement "ssl-default-server-options".
Supported in default-server: No Supported in default-server: No
@ -9070,8 +9098,9 @@ no-tlsv10
This option disables support for TLSv1.0 when SSL is used to communicate with This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. See often makes sense to disable it when communicating with local servers. This
also "force-sslv3", "force-tlsv*". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*".
Supported in default-server: No Supported in default-server: No
@ -9079,8 +9108,9 @@ no-tlsv11
This option disables support for TLSv1.1 when SSL is used to communicate with This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. See often makes sense to disable it when communicating with local servers. This
also "force-sslv3", "force-tlsv*". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*".
Supported in default-server: No Supported in default-server: No
@ -9088,8 +9118,9 @@ no-tlsv12
This option disables support for TLSv1.2 when SSL is used to communicate with This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers. See often makes sense to disable it when communicating with local servers. This
also "force-sslv3", "force-tlsv*". option is also available on global statement "ssl-default-server-options".
See also "force-sslv3", "force-tlsv*".
Supported in default-server: No Supported in default-server: No

2
include/types/global.h
View File

@ -87,6 +87,8 @@ struct global {
int maxsslconn; int maxsslconn;
char *listen_default_ciphers; char *listen_default_ciphers;
char *connect_default_ciphers; char *connect_default_ciphers;
int listen_default_ssloptions;
int connect_default_ssloptions;
#endif #endif
unsigned int ssl_server_verify; /* default verify mode on servers side */ unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec; struct freq_ctr conn_per_sec;

112
src/ssl_sock.c
View File

@ -56,6 +56,7 @@
#include <common/standard.h> #include <common/standard.h>
#include <common/ticks.h> #include <common/ticks.h>
#include <common/time.h> #include <common/time.h>
#include <common/cfgparse.h>
#include <ebsttree.h> #include <ebsttree.h>
@ -4117,6 +4118,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
if (global.listen_default_ciphers && !conf->ciphers) if (global.listen_default_ciphers && !conf->ciphers)
conf->ciphers = strdup(global.listen_default_ciphers); conf->ciphers = strdup(global.listen_default_ciphers);
conf->ssl_options |= global.listen_default_ssloptions;
list_for_each_entry(l, &conf->listeners, by_bind) list_for_each_entry(l, &conf->listeners, by_bind)
l->xprt = &ssl_sock; l->xprt = &ssl_sock;
@ -4181,6 +4183,7 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
newsrv->check.use_ssl = 1; newsrv->check.use_ssl = 1;
if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers); newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
newsrv->ssl_ctx.options |= global.connect_default_ssloptions;
return 0; return 0;
} }
@ -4374,6 +4377,106 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
return 0; return 0;
} }
/* parse the "ssl-default-bind-options" keyword in global section */
static int ssl_parse_default_bind_options(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err) {
int i = 1;
if (*(args[i]) == 0) {
memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
return -1;
}
while (*(args[i])) {
if (!strcmp(args[i], "no-sslv3"))
global.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
else if (!strcmp(args[i], "no-tlsv10"))
global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
else if (!strcmp(args[i], "no-tlsv11"))
global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
else if (!strcmp(args[i], "no-tlsv12"))
global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
else if (!strcmp(args[i], "force-sslv3"))
global.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
else if (!strcmp(args[i], "force-tlsv10"))
global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
else if (!strcmp(args[i], "force-tlsv11")) {
#if SSL_OP_NO_TLSv1_1
global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "force-tlsv12")) {
#if SSL_OP_NO_TLSv1_2
global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "no-tls-tickets"))
global.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
else {
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
}
i++;
}
return 0;
}
/* parse the "ssl-default-server-options" keyword in global section */
static int ssl_parse_default_server_options(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err) {
int i = 1;
if (*(args[i]) == 0) {
memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
return -1;
}
while (*(args[i])) {
if (!strcmp(args[i], "no-sslv3"))
global.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
else if (!strcmp(args[i], "no-tlsv10"))
global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
else if (!strcmp(args[i], "no-tlsv11"))
global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
else if (!strcmp(args[i], "no-tlsv12"))
global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
else if (!strcmp(args[i], "force-sslv3"))
global.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
else if (!strcmp(args[i], "force-tlsv10"))
global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
else if (!strcmp(args[i], "force-tlsv11")) {
#if SSL_OP_NO_TLSv1_1
global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "force-tlsv12")) {
#if SSL_OP_NO_TLSv1_2
global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
#else
memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
return -1;
#endif
}
else if (!strcmp(args[i], "no-tls-tickets"))
global.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
else {
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
}
i++;
}
return 0;
}
/* Note: must not be declared <const> as its list will be overwritten. /* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted. * Please take care of keeping this list alphabetically sorted.
*/ */
@ -4501,6 +4604,12 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
{ NULL, NULL, 0, 0 }, { NULL, NULL, 0, 0 },
}}; }};
static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
{ CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
{ 0, NULL, NULL },
}};
/* transport-layer operations for SSL sockets */ /* transport-layer operations for SSL sockets */
struct xprt_ops ssl_sock = { struct xprt_ops ssl_sock = {
.snd_buf = ssl_sock_from_buf, .snd_buf = ssl_sock_from_buf,
@ -4528,6 +4637,8 @@ static void __ssl_sock_init(void)
global.listen_default_ciphers = strdup(global.listen_default_ciphers); global.listen_default_ciphers = strdup(global.listen_default_ciphers);
if (global.connect_default_ciphers) if (global.connect_default_ciphers)
global.connect_default_ciphers = strdup(global.connect_default_ciphers); global.connect_default_ciphers = strdup(global.connect_default_ciphers);
global.listen_default_ssloptions = BC_SSL_O_NONE;
global.connect_default_ssloptions = SRV_SSL_O_NONE;
SSL_library_init(); SSL_library_init();
cm = SSL_COMP_get_compression_methods(); cm = SSL_COMP_get_compression_methods();
@ -4536,6 +4647,7 @@ static void __ssl_sock_init(void)
acl_register_keywords(&acl_kws); acl_register_keywords(&acl_kws);
bind_register_keywords(&bind_kws); bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws); srv_register_keywords(&srv_kws);
cfg_register_keywords(&cfg_kws);
} }
/* /*