mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 15:47:01 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: allow to change the client-sigalgs on server lines

Browse Source 
This patch introduces the "client-sigalgs" keyword for the server line,
which allows to configure the list of server signature algorithms
negociated during the handshake. Also available as
"ssl-default-server-client-sigalgs" in the global section.
This commit is contained in:
William Lallemand 2023-06-29 14:11:46 +02:00
parent 717f0ad995
commit 593c895eed
5 changed files with 73 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
doc/configuration.txt
View File

@ -1120,6 +1120,7 @@ The following keywords are supported in the "global" section :
- ssl-default-bind-sigalgs - ssl-default-bind-sigalgs
- ssl-default-server-ciphers - ssl-default-server-ciphers
- ssl-default-server-ciphersuites - ssl-default-server-ciphersuites
- ssl-default-server-client-sigalgs
- ssl-default-server-options - ssl-default-server-options
- ssl-default-server-sigalgs - ssl-default-server-sigalgs
- ssl-dh-param-file - ssl-dh-param-file
@ -2275,6 +2276,21 @@ ssl-default-server-ciphersuites <ciphersuites>
"ssl-default-server-ciphers" keyword. Please check the "server" keyword for "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
more information. more information.
ssl-default-server-client-sigalgs <sigalgs>
This setting is only available when support for OpenSSL was built in. It sets
the default string describing the list of signature algorithms related to
client authentication for all "server" lines which do not explicitly define
theirs. The format of the string is a colon-delimited list of signature
algorithms. Each signature algorithm can use one of two forms: TLS1.3 signature
scheme names ("rsa_pss_rsae_sha256") or the public key algorithm + digest form
("ECDSA+SHA256"). A list can contain both forms. For more information on the
format, see SSL_CTX_set1_client_sigalgs(3). A list of signature algorithms is
also available in RFC8446 section 4.2.3 and in OpenSSL in the ssl/t1_lib.c
file. This setting is not applicable to TLSv1.1 and earlier versions of the
protocol as the signature algorithms aren't separately negotiated in these
versions. It is not recommended to change this setting unless compatibility
with a middlebox is required.
ssl-default-server-options [<option>]... ssl-default-server-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets This setting is only available when support for OpenSSL was built in. It sets
default ssl-options to force on all "server" lines. Please check the "server" default ssl-options to force on all "server" lines. Please check the "server"
@ -15898,6 +15914,13 @@ ciphersuites <ciphersuites>
For cipher configuration for TLSv1.2 and earlier, please check the "ciphers" For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
keyword. keyword.
client-sigalgs <sigalgs>
This setting is only available when support for OpenSSL was built in. It sets
the string describing the list of signature algorithms related to client
authentication that are negotiated . The format of the string is defined in
"man 3 SSL_CTX_set1_client_sigalgs" from the OpenSSL man pages. It is not
recommended to use this setting if no specific usecase was identified.
cookie <value> cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to The "cookie" parameter sets the cookie value assigned to the server to
<value>. This value will be checked in incoming requests, and the first <value>. This value will be checked in incoming requests, and the first

1
include/haproxy/server-t.h
View File

@ -393,6 +393,7 @@ struct server {
char *crl_file; /* CRLfile to use on verify */ char *crl_file; /* CRLfile to use on verify */
char *client_crt; /* client certificate to send */ char *client_crt; /* client certificate to send */
char *sigalgs; /* Signature algorithms */ char *sigalgs; /* Signature algorithms */
char *client_sigalgs; /* Client Signature algorithms */
struct sample_expr *sni; /* sample expression for SNI */ struct sample_expr *sni; /* sample expression for SNI */
char *npn_str; /* NPN protocol string */ char *npn_str; /* NPN protocol string */
int npn_len; /* NPN protocol string length */ int npn_len; /* NPN protocol string length */

1
include/haproxy/ssl_sock-t.h
View File

@ -285,6 +285,7 @@ struct global_ssl {
#endif #endif
#if defined(SSL_CTX_set1_sigalgs_list) #if defined(SSL_CTX_set1_sigalgs_list)
char *listen_default_client_sigalgs; char *listen_default_client_sigalgs;
char *connect_default_client_sigalgs;
#endif #endif
int listen_default_ssloptions; int listen_default_ssloptions;
int connect_default_ssloptions; int connect_default_ssloptions;

36
src/cfgparse-ssl.c
View File

@ -355,7 +355,7 @@ static int ssl_parse_global_client_sigalgs(char **args, int section_type, struct
{ {
char **target; char **target;
target = &global_ssl.listen_default_client_sigalgs; target = (args[0][12] == 'b') ? &global_ssl.listen_default_client_sigalgs : &global_ssl.connect_default_client_sigalgs;
if (too_many_args(1, args, err, NULL)) if (too_many_args(1, args, err, NULL))
return -1; return -1;
@ -1661,6 +1661,14 @@ static int ssl_sock_init_srv(struct server *s)
} }
#endif #endif
#if defined(SSL_CTX_set1_client_sigalgs_list)
if (global_ssl.connect_default_client_sigalgs && !s->ssl_ctx.client_sigalgs) {
s->ssl_ctx.client_sigalgs = strdup(global_ssl.connect_default_client_sigalgs);
if (!s->ssl_ctx.client_sigalgs)
return 1;
}
#endif
return 0; return 0;
} }
@ -1716,6 +1724,30 @@ static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, s
} }
#endif #endif
/* parse the "client-sigalgs" server keyword */
static int srv_parse_client_sigalgs(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#ifndef SSL_CTX_set1_client_sigalgs_list
memprintf(err, "'%s' : library does not support setting signature algorithms", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
char *arg;
arg = args[*cur_arg + 1];
if (!*arg) {
memprintf(err, "'%s' : missing signature algorithm list", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
newsrv->ssl_ctx.client_sigalgs = strdup(arg);
if (!newsrv->ssl_ctx.client_sigalgs) {
memprintf(err, "out of memory");
return ERR_ALERT | ERR_FATAL;
}
return 0;
#endif
}
/* parse the "crl-file" server keyword */ /* parse the "crl-file" server keyword */
static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{ {
@ -2216,6 +2248,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", srv_parse_ciphersuites, 1, 1, 1 }, /* select the cipher suite */ { "ciphersuites", srv_parse_ciphersuites, 1, 1, 1 }, /* select the cipher suite */
#endif #endif
{ "client-sigalgs", srv_parse_client_sigalgs, 1, 1, 1 }, /* signature algorithms */
{ "crl-file", srv_parse_crl_file, 1, 1, 1 }, /* set certificate revocation list file use on server cert verify */ { "crl-file", srv_parse_crl_file, 1, 1, 1 }, /* set certificate revocation list file use on server cert verify */
{ "crt", srv_parse_crt, 1, 1, 1 }, /* set client certificate */ { "crt", srv_parse_crt, 1, 1, 1 }, /* set client certificate */
{ "force-sslv3", srv_parse_tls_method_options, 0, 1, 1 }, /* force SSLv3 */ { "force-sslv3", srv_parse_tls_method_options, 0, 1, 1 }, /* force SSLv3 */
@ -2294,6 +2327,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
#endif #endif
#if defined(SSL_CTX_set1_client_sigalgs_list) #if defined(SSL_CTX_set1_client_sigalgs_list)
{ CFG_GLOBAL, "ssl-default-bind-client-sigalgs", ssl_parse_global_client_sigalgs }, { CFG_GLOBAL, "ssl-default-bind-client-sigalgs", ssl_parse_global_client_sigalgs },
{ CFG_GLOBAL, "ssl-default-server-client-sigalgs", ssl_parse_global_client_sigalgs },
#endif #endif
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites }, { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },

14
src/ssl_sock.c
View File

@ -5050,7 +5050,9 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
#if defined(SSL_CTX_set1_sigalgs_list) #if defined(SSL_CTX_set1_sigalgs_list)
const char *conf_sigalgs = NULL; const char *conf_sigalgs = NULL;
#endif #endif
#if defined(SSL_CTX_set1_client_sigalgs_list)
const char *conf_client_sigalgs = NULL;
#endif
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max)) if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("no-sslv3/no-tlsv1x are ignored for this server. " ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
@ -5199,6 +5201,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
} }
} }
#endif #endif
#if defined(SSL_CTX_set1_client_sigalgs_list)
conf_client_sigalgs = srv->ssl_ctx.client_sigalgs;
if (conf_client_sigalgs) {
if (!SSL_CTX_set1_client_sigalgs_list(ctx, conf_client_sigalgs)) {
ha_alert("Proxy '%s': unable to set SSL Client Signature Algorithm list to '%s' for server '%s'.\n",
curproxy->id, conf_client_sigalgs, srv->id);
cfgerr++;
}
}
#endif
return cfgerr; return cfgerr;
} }