diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7af752e47..35dcf37e7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -629,6 +629,23 @@ stats bind-process [ all | odd | even | [-] ] ...
 warning will automatically be disabled when this setting is used, whatever the number of processes used.
+ssl-default-bind-ciphers
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of cipher algorithms ("cipher suite")
+ that are negociated during the SSL/TLS handshake for all "bind" lines which
+ do not explicitly define theirs. The format of the string is defined in
+ "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
+ as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
+ "bind" keyword for more information.
+
+ssl-default-server-ciphers
+ This setting is only available when support for OpenSSL was built in. It
+ sets the default string describing the list of cipher algorithms that are
+ negociated during the SSL/TLS handshake with the server, for all "server"
+ lines which do not explicitly define theirs. The format of the string is
+ defined in "man 1 ciphers". Please check the "server" keyword for more
+ information.
+
 ssl-server-verify [none|required] The default behavior for SSL verify on servers side. If specified to 'none', servers certificates are not verified. The default is 'required' except if
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 462187a75..88231f953 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -881,6 +881,36 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
 err_code |= ERR_ALERT | ERR_FATAL;
 goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "ssl-default-bind-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.listen_default_ciphers);
+ global.listen_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "ssl-default-server-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.connect_default_ciphers);
+ global.connect_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
 #endif
 }
 else if (!strcmp(args[0], "ssl-server-verify")) {
diff --git a/src/haproxy.c b/src/haproxy.c
index 182570570..45d1bd74a 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -161,12 +161,6 @@ struct global global = {
 #ifdef DEFAULT_MAXSSLCONN
 .maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
-#ifdef LISTEN_DEFAULT_CIPHERS
- .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERS
- .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
-#endif
 #endif
 /* others NULL OK */
 };
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5ac2b0653..3b96e37b5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
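Review bot: The `strdup(args[1])` result in the new `ssl-default-bind-ciphers` branch (and likewise in `ssl-default-server-ciphers`) is stored without a NULL check, immediately after `free()` has released the previous value, so on allocation failure the default cipher list silently becomes NULL; a `bind` or `server` line that does not set its own `ciphers` would then presumably fall back to the library's built-in list instead of the administrator's restricted one. A config-time failure should be as loud as the empty-argument case a few lines above: check the pointer and raise `ERR_ALERT | ERR_FATAL`. The same unchecked `strdup()` pattern is in the `__ssl_sock_init()` hunk of src/ssl_sock.c. The enclosing `cfg_parse_global()` starts and ends outside this hunk.
```c
free(global.listen_default_ciphers);
global.listen_default_ciphers = strdup(args[1]);
if (!global.listen_default_ciphers) {
	Alert("parsing [%s:%d] : out of memory.\n", file, linenum);
	err_code |= ERR_ALERT | ERR_FATAL;
	goto out;
}
/* … unchanged: #else branch; the "ssl-default-server-ciphers" branch gets the same check on connect_default_ciphers … */
```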
@@ -3628,6 +3628,17 @@ static void __ssl_sock_init(void)
 {
 STACK_OF(SSL_COMP)* cm;
+#ifdef LISTEN_DEFAULT_CIPHERS
+ global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS;
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+ global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS;
+#endif
+ if (global.listen_default_ciphers)
+ global.listen_default_ciphers = strdup(global.listen_default_ciphers);
+ if (global.connect_default_ciphers)
+ global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+
 SSL_library_init();
 cm = SSL_COMP_get_compression_methods();
 sk_SSL_COMP_zero(cm);
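Review bot: The two `strdup()` calls added to `__ssl_sock_init()` carry no comment explaining why the compiled-in defaults are copied to the heap, and the reason is not visible in this file: `cfg_parse_global()` in src/cfgparse.c now `free()`s the current value before installing a user-supplied one, which would be invalid on a string literal. Suggest a comment above the first `if`: `/* copy the compiled-in defaults to the heap so the config parser may free() and replace them */`. A second sentence in that comment should state the ownership rule that follows, i.e. that these two pointers are always either NULL or heap-allocated from here on. `__ssl_sock_init()` continues past the end of the hunk.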