mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-20 21:31:28 +02:00
MINOR: ssl: Add a way to globally disable ktls.
Add a new global option, "noktls", as well as a command line option, "-dT", to totally disable ktls usage, even if it is activated on servers or binds in the configuration. That makes it easier to quickly figure out if a problem is related to ktls or not.
This commit is contained in:
Olivier Houchard
Olivier Houchard
parent
5da3540988
commit
6f21c5631a
@ -1819,6 +1819,7 @@ The following keywords are supported in the "global" section :
|
|||||||
- noevports
|
- noevports
|
||||||
- nogetaddrinfo
|
- nogetaddrinfo
|
||||||
- nokqueue
|
- nokqueue
|
||||||
|
- noktls
|
||||||
- nopoll
|
- nopoll
|
||||||
- noreuseport
|
- noreuseport
|
||||||
- nosplice
|
- nosplice
|
||||||
@ -3791,6 +3792,10 @@ nokqueue
|
|||||||
equivalent to the command-line argument "-dk". The next polling system
|
equivalent to the command-line argument "-dk". The next polling system
|
||||||
used will generally be "poll". See also "nopoll".
|
used will generally be "poll". See also "nopoll".
|
||||||
|
|
||||||
|
noktls
|
||||||
|
Disables the use of ktls. It is equivalent to the command line argument
|
||||||
|
"-dT".
|
||||||
|
|
||||||
nopoll
|
nopoll
|
||||||
Disables the use of the "poll" event polling system. It is equivalent to the
|
Disables the use of the "poll" event polling system. It is equivalent to the
|
||||||
command-line argument "-dp". The next polling system used will be "select".
|
command-line argument "-dp". The next polling system used will be "select".
|
||||||
|
|||||||
@ -390,6 +390,10 @@ list of options is :
|
|||||||
using strace to see the forwarded data (which do not appear when using
|
using strace to see the forwarded data (which do not appear when using
|
||||||
splice()).
|
splice()).
|
||||||
|
|
||||||
|
-dT : disable the use of ktls. It is equivalent to the "global" section's
|
||||||
|
keyword "noktls". It is mostly useful when suspecting a bug related to
|
||||||
|
ktls.
|
||||||
|
|
||||||
-dV : disable SSL verify on the server side. It is equivalent to having
|
-dV : disable SSL verify on the server side. It is equivalent to having
|
||||||
"ssl-server-verify none" in the "global" section. This is useful when
|
"ssl-server-verify none" in the "global" section. This is useful when
|
||||||
trying to reproduce production issues out of the production
|
trying to reproduce production issues out of the production
|
||||||
|
|||||||
@ -85,6 +85,7 @@
|
|||||||
#define GTUNE_LISTENER_MQ_FAIR (1<<27)
|
#define GTUNE_LISTENER_MQ_FAIR (1<<27)
|
||||||
#define GTUNE_LISTENER_MQ_OPT (1<<28)
|
#define GTUNE_LISTENER_MQ_OPT (1<<28)
|
||||||
#define GTUNE_LISTENER_MQ_ANY (GTUNE_LISTENER_MQ_FAIR | GTUNE_LISTENER_MQ_OPT)
|
#define GTUNE_LISTENER_MQ_ANY (GTUNE_LISTENER_MQ_FAIR | GTUNE_LISTENER_MQ_OPT)
|
||||||
|
#define GTUNE_NO_KTLS (1<<29)
|
||||||
|
|
||||||
/* subsystem-specific debugging options for tune.debug */
|
/* subsystem-specific debugging options for tune.debug */
|
||||||
#define GDBG_CPU_AFFINITY (1U<< 0)
|
#define GDBG_CPU_AFFINITY (1U<< 0)
|
||||||
|
|||||||
@ -990,6 +990,21 @@ static int cfg_parse_global_mode(char **args, int section_type,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int cfg_parse_global_disable_ktls(char **args, int section_type,
|
||||||
|
struct proxy *curpx, const struct proxy *defpx,
|
||||||
|
const char *file, int line, char **err)
|
||||||
|
{
|
||||||
|
if (!(global.mode & MODE_DISCOVERY))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (too_many_args(0, args, err, NULL))
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
global.tune.options |= GTUNE_NO_KTLS;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Disable certain poller if set */
|
/* Disable certain poller if set */
|
||||||
static int cfg_parse_global_disable_poller(char **args, int section_type,
|
static int cfg_parse_global_disable_poller(char **args, int section_type,
|
||||||
struct proxy *curpx, const struct proxy *defpx,
|
struct proxy *curpx, const struct proxy *defpx,
|
||||||
@ -1767,6 +1782,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
|
|||||||
{ CFG_GLOBAL, "noepoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
{ CFG_GLOBAL, "noepoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
||||||
{ CFG_GLOBAL, "noevports", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
{ CFG_GLOBAL, "noevports", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
||||||
{ CFG_GLOBAL, "nokqueue", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
{ CFG_GLOBAL, "nokqueue", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
||||||
|
{ CFG_GLOBAL, "noktls", cfg_parse_global_disable_ktls, KWF_DISCOVERY },
|
||||||
{ CFG_GLOBAL, "nopoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
{ CFG_GLOBAL, "nopoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
|
||||||
{ CFG_GLOBAL, "pidfile", cfg_parse_global_pidfile, KWF_DISCOVERY },
|
{ CFG_GLOBAL, "pidfile", cfg_parse_global_pidfile, KWF_DISCOVERY },
|
||||||
{ CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd },
|
{ CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd },
|
||||||
|
|||||||
@ -708,6 +708,9 @@ static void usage(char *name)
|
|||||||
" -dF disable fast-forward\n"
|
" -dF disable fast-forward\n"
|
||||||
" -dI enable insecure fork\n"
|
" -dI enable insecure fork\n"
|
||||||
" -dZ disable zero-copy forwarding\n"
|
" -dZ disable zero-copy forwarding\n"
|
||||||
|
#if defined(HA_USE_KTLS)
|
||||||
|
" -dT disable kTLS\n"
|
||||||
|
#endif
|
||||||
" -sf/-st [pid ]* finishes/terminates old pids.\n"
|
" -sf/-st [pid ]* finishes/terminates old pids.\n"
|
||||||
" -x <unix_socket> get listening sockets from a unix socket\n"
|
" -x <unix_socket> get listening sockets from a unix socket\n"
|
||||||
" -S <bind>[,<bind options>...] new master CLI\n"
|
" -S <bind>[,<bind options>...] new master CLI\n"
|
||||||
@ -1588,6 +1591,11 @@ static void init_args(int argc, char **argv)
|
|||||||
trace_parse_cmd(NULL, NULL);
|
trace_parse_cmd(NULL, NULL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#ifdef HA_USE_KTLS
|
||||||
|
else if (*flag == 'd' && flag[1] == 'T') {
|
||||||
|
global.tune.options |= GTUNE_NO_KTLS;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
else if (*flag == 'd')
|
else if (*flag == 'd')
|
||||||
arg_mode |= MODE_DEBUG;
|
arg_mode |= MODE_DEBUG;
|
||||||
else if (*flag == 'c' && flag[1] == 'c') {
|
else if (*flag == 'c' && flag[1] == 'c') {
|
||||||
|
|||||||
@ -5420,7 +5420,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
|
|||||||
HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
|
HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
|
||||||
|
|
||||||
#ifdef HA_USE_KTLS
|
#ifdef HA_USE_KTLS
|
||||||
if (srv->ssl_ctx.options & SRV_SSL_O_KTLS) {
|
if ((srv->ssl_ctx.options & SRV_SSL_O_KTLS) && !(global.tune.options & GTUNE_NO_KTLS)) {
|
||||||
#ifdef HAVE_VANILLA_OPENSSL
|
#ifdef HAVE_VANILLA_OPENSSL
|
||||||
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
|
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
|
||||||
#endif
|
#endif
|
||||||
@ -5465,7 +5465,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HA_USE_KTLS
|
#ifdef HA_USE_KTLS
|
||||||
if (bc->ssl_conf.ktls) {
|
if (bc->ssl_conf.ktls && !(global.tune.options & GTUNE_NO_KTLS)) {
|
||||||
#ifdef HAVE_VANILLA_OPENSSL
|
#ifdef HAVE_VANILLA_OPENSSL
|
||||||
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
|
SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user