MINOR: ssl/cli: add negative filters to "show ssl sni"

The 'show ssl sni' output can be confusing when using crt-list, because
the wildcards can be completed with negative filters, and they need to
be associated to the same line.

Having a negative filter on a line of its own does not make much sense, so
this patch adds a new 'Negative Filter' column that shows the exceptions
applied to a wildcard from a crt-list line.
William Lallemand 2024-12-10 11:19:15 +01:00
parent da28cd08f5
commit a6b3080966
2 changed files with 32 additions and 11 deletions


@ -3777,6 +3777,10 @@ show ssl sni [-f <frontend>]
explicitely by 'default-crt' or is implicitely the first certificate of a bind explicitely by 'default-crt' or is implicitely the first certificate of a bind
line when no 'strict-sni' is used) shows the '*' character in the SNI column. line when no 'strict-sni' is used) shows the '*' character in the SNI column.
The 'Negative Filter' column is the list of negative filters associated to a
wildcard, this will show all negatives filters that are on the same crt-list
line. A dash character is displayed if there are none.
The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa". The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa".
The 'Filename' column can be either a filename from the configuration, or an The 'Filename' column can be either a filename from the configuration, or an
@ -3787,12 +3791,14 @@ show ssl sni [-f <frontend>]
Example: Example:
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t' $ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
# Frontend/Bind SNI Type Filename NotAfter NotBefore # Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
li1/haproxy.cfg:10021 machine10 rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 localhost rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT li1/haproxy.cfg:10021 machine10 - rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 localhost ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 * rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT li1/haproxy.cfg:10021 localhost - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
li1/haproxy.cfg:10021 localhost - ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT
li1/haproxy.cfg:10021 * - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT
show startup-logs show startup-logs
Dump all messages emitted during the startup of the current haproxy process, Dump all messages emitted during the startup of the current haproxy process,


@ -1571,7 +1571,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
/* ctx->bind is NULL only once we finished dumping a frontend or when starting /* ctx->bind is NULL only once we finished dumping a frontend or when starting
* so let's dump the header in these cases*/ * so let's dump the header in these cases*/
if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list))) if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list)))
chunk_appendf(trash, "# Frontend/Bind\tSNI\tType\tFilename\tNotAfter\tNotBefore\n"); chunk_appendf(trash, "# Frontend/Bind\tSNI\tNegative Filter\tType\tFilename\tNotAfter\tNotBefore\n");
if (applet_putchk(appctx, trash) == -1) if (applet_putchk(appctx, trash) == -1)
goto yield; goto yield;
@ -1605,19 +1605,35 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
if (!n) if (!n)
continue; continue;
while (n) { for (; n; n = ebmb_next(n)) {
struct sni_ctx *sni; struct sni_ctx *sni;
const char *name; const char *name;
const char *certalg; const char *certalg;
int isneg = 0; /* is there any negative filters associated to this node */
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
sni = ebmb_entry(n, struct sni_ctx, name); sni = ebmb_entry(n, struct sni_ctx, name);
if (sni->neg)
continue;
chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line);
name = (char *)sni->name.key; name = (char *)sni->name.key;
chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name); chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name);
/* we are looking at wildcards, let's check the negative filters */
if (type == 1) {
struct sni_ctx *sni_tmp;
list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) {
if (sni_tmp->neg) {
chunk_appendf(trash, "%s%s ", sni_tmp->neg ? "!" : "", (char *)sni_tmp->name.key);
isneg = 1;
}
}
}
chunk_appendf(trash, "%s\t", isneg ? "" : "-");
switch (sni->kinfo.sig) { switch (sni->kinfo.sig) {
case TLSEXT_signature_ecdsa: case TLSEXT_signature_ecdsa:
certalg = "ecdsa"; certalg = "ecdsa";
@ -1642,7 +1658,6 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
goto yield; goto yield;
} }
n = ebmb_next(n);
} }
ctx->n = NULL; ctx->n = NULL;
} }
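Review bot: In the negative-filter loop of the second hunk, `sni_tmp->neg ? "!" : ""` sits inside `if (sni_tmp->neg)` and is therefore always `"!"`, and the `sni->neg ? "!" : ""` on the SNI column above it is now dead code since negative nodes are skipped with `continue` before anything is printed; both should be simplified so the next reader does not look for a path where they differ, e.g. `chunk_appendf(trash, "%s%s\t", type ? "*" : "", name);` for the SNI column. The per-filter format `"%s%s "` also leaves a trailing space before the column's tab; emitting the separator between entries instead, `chunk_appendf(trash, "%s!%s", isneg ? " " : "", (char *)sni_tmp->name.key);`, keeps the tab-separated output clean for consumers other than `column -t`. This new column is the first field in the line whose length is unbounded (one entry per negative filter on the crt-list line), and the `chunk_appendf` returns are not checked here; if the trash buffer fills, the line is presumably truncated silently in the same way as the pre-existing appends, which is worth a short comment at the loop. cli_io_handler_show_sni starts and ends outside the hunks shown.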