MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.

These ones are used to set the default ciphers suite on "bind" lines and
"server" lines respectively, instead of using OpenSSL's defaults. These
are probably mainly useful for distro packagers.

Makefile

@@ -139,6 +139,11 @@ ADDLIB =
 # Use DEFINE=-Dxxx to set any tunable macro. Anything declared here will appear
 # in the build options reported by "haproxy -vv". Use SILENT_DEFINE if you do
 # not want to pollute the report with complex defines.
+# The following settings might be of interest when SSL is enabled :
+#   LISTEN_DEFAULT_CIPHERS is a cipher suite string used to set the default SSL
+#           ciphers on "bind" lines instead of using OpenSSL's defaults.
+#   CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
+#           SSL ciphers on "server" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
 

include/common/defaults.h

@@ -188,4 +188,14 @@
 #define HCHK_DESC_LEN	128
 #endif
 
+/* ciphers used as defaults on connect */
+#ifndef CONNECT_DEFAULT_CIPHERS
+#define CONNECT_DEFAULT_CIPHERS NULL
+#endif
+
+/* ciphers used as defaults on listeners */
+#ifndef LISTEN_DEFAULT_CIPHERS
+#define LISTEN_DEFAULT_CIPHERS NULL
+#endif
+
 #endif /* _COMMON_DEFAULTS_H */

include/types/global.h

@@ -76,6 +76,8 @@ struct global {
 	int maxconn, hardmaxconn;
 #ifdef USE_OPENSSL
 	int maxsslconn;
+	char *listen_default_ciphers;
+	char *connect_default_ciphers;
 #endif
 	struct freq_ctr conn_per_sec;
 	int cps_lim, cps_max;

src/cfgparse.c

@@ -4313,6 +4313,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
 				newsrv->use_ssl = 1;
 				cur_arg += 1;
+
+				if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+					newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
 				      file, linenum, args[cur_arg]);
@@ -4324,6 +4327,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
 				newsrv->check.use_ssl = 1;
 				cur_arg += 1;
+
+				if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+					newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
 				      file, linenum, args[cur_arg]);
@@ -4340,6 +4346,7 @@ stats_error_parsing:
 					goto out;
 				}
 
+				free(newsrv->ssl_ctx.ciphers);
 				newsrv->ssl_ctx.ciphers = strdup(args[cur_arg + 1]);
 
 				cur_arg += 2;

src/haproxy.c

@@ -125,8 +125,16 @@ struct global global = {
 		.sslcachesize = 20000,
 #endif
 	},
-#if defined (USE_OPENSSL) && defined(DEFAULT_MAXSSLCONN)
+#ifdef USE_OPENSSL
+#ifdef DEFAULT_MAXSSLCONN
 	.maxsslconn = DEFAULT_MAXSSLCONN,
+#endif
+#ifdef LISTEN_DEFAULT_CIPHERS
+	.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+	.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
 #endif
 	/* others NULL OK */
 };

src/ssl_sock.c

@@ -1138,6 +1138,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
 		return ERR_ALERT | ERR_FATAL;
 	}
 
+	free(conf->ciphers);
 	conf->ciphers = strdup(args[cur_arg + 1]);
 	return 0;
 }
@@ -1340,6 +1341,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 	struct listener *l;
 
 	conf->is_ssl = 1;
+
+	if (global.listen_default_ciphers && !conf->ciphers)
+		conf->ciphers = strdup(global.listen_default_ciphers);
+
 	list_for_each_entry(l, &conf->listeners, by_bind)
 		l->xprt = &ssl_sock;