From 610f04bbf6b9fa437101f376425e3f27ffef71d3 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 13 Feb 2014 11:36:41 +0100 Subject: [PATCH] MINOR: config: add global directives to set default SSL ciphers The ability to globally override the default client and server cipher suites has been requested multiple times since the introduction of SSL. This commit adds two new keywords to the global section for this : - ssl-default-bind-ciphers - ssl-default-server-ciphers It is still possible to preset them at build time by setting the macros LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. --- doc/configuration.txt | 17 +++++++++++++++++ src/cfgparse.c | 30 ++++++++++++++++++++++++++++++ src/haproxy.c | 6 ------ src/ssl_sock.c | 11 +++++++++++ 4 files changed, 58 insertions(+), 6 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 7af752e47..35dcf37e7 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -629,6 +629,23 @@ stats bind-process [ all | odd | even | [-] ] ... warning will automatically be disabled when this setting is used, whatever the number of processes used. +ssl-default-bind-ciphers + This setting is only available when support for OpenSSL was built in. It sets + the default string describing the list of cipher algorithms ("cipher suite") + that are negociated during the SSL/TLS handshake for all "bind" lines which + do not explicitly define theirs. The format of the string is defined in + "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such + as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the + "bind" keyword for more information. + +ssl-default-server-ciphers + This setting is only available when support for OpenSSL was built in. It + sets the default string describing the list of cipher algorithms that are + negociated during the SSL/TLS handshake with the server, for all "server" + lines which do not explicitly define theirs. The format of the string is + defined in "man 1 ciphers". Please check the "server" keyword for more + information. + ssl-server-verify [none|required] The default behavior for SSL verify on servers side. If specified to 'none', servers certificates are not verified. The default is 'required' except if diff --git a/src/cfgparse.c b/src/cfgparse.c index 462187a75..88231f953 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -881,6 +881,36 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); err_code |= ERR_ALERT | ERR_FATAL; goto out; +#endif + } + else if (!strcmp(args[0], "ssl-default-bind-ciphers")) { +#ifdef USE_OPENSSL + if (*(args[1]) == 0) { + Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + free(global.listen_default_ciphers); + global.listen_default_ciphers = strdup(args[1]); +#else + Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif + } + else if (!strcmp(args[0], "ssl-default-server-ciphers")) { +#ifdef USE_OPENSSL + if (*(args[1]) == 0) { + Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + free(global.connect_default_ciphers); + global.connect_default_ciphers = strdup(args[1]); +#else + Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; #endif } else if (!strcmp(args[0], "ssl-server-verify")) { diff --git a/src/haproxy.c b/src/haproxy.c index 182570570..45d1bd74a 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -161,12 +161,6 @@ struct global global = { #ifdef DEFAULT_MAXSSLCONN .maxsslconn = DEFAULT_MAXSSLCONN, #endif -#ifdef LISTEN_DEFAULT_CIPHERS - .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS, -#endif -#ifdef CONNECT_DEFAULT_CIPHERS - .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, -#endif #endif /* others NULL OK */ }; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 5ac2b0653..3b96e37b5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3628,6 +3628,17 @@ static void __ssl_sock_init(void) { STACK_OF(SSL_COMP)* cm; +#ifdef LISTEN_DEFAULT_CIPHERS + global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS; +#endif +#ifdef CONNECT_DEFAULT_CIPHERS + global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS; +#endif + if (global.listen_default_ciphers) + global.listen_default_ciphers = strdup(global.listen_default_ciphers); + if (global.connect_default_ciphers) + global.connect_default_ciphers = strdup(global.connect_default_ciphers); + SSL_library_init(); cm = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(cm);