mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-07 23:56:57 +02:00
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version'
ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
This commit is contained in:
Emeric Brun
Willy Tarreau
parent
8d5984010e
commit
a7359fd6dd
@ -8384,11 +8384,21 @@ ssl_c_verify <integer>
|
|||||||
layer, and the verify result matches the specified value (check man verify
|
layer, and the verify result matches the specified value (check man verify
|
||||||
for possible values). Zero indicates no error was detected.
|
for possible values). Zero indicates no error was detected.
|
||||||
|
|
||||||
|
ssl_c_version <integer>
|
||||||
|
Returns true when the incoming connection was made over an SSL/TLS transport
|
||||||
|
layer, and the version of the certificate presented by the client matches
|
||||||
|
the value.
|
||||||
|
|
||||||
ssl_f_serial <hexa>
|
ssl_f_serial <hexa>
|
||||||
Returns true when the incoming connection was made over an SSL/TLS transport
|
Returns true when the incoming connection was made over an SSL/TLS transport
|
||||||
layer, and the serial of the certificate presented by the frontend matches
|
layer, and the serial of the certificate presented by the frontend matches
|
||||||
the value written in hexa.
|
the value written in hexa.
|
||||||
|
|
||||||
|
ssl_f_version <integer>
|
||||||
|
Returns true when the incoming connection was made over an SSL/TLS transport
|
||||||
|
layer, and the version of the certificate presented by the frontend matches
|
||||||
|
the value.
|
||||||
|
|
||||||
ssl_fc
|
ssl_fc
|
||||||
Returns true when the front connection was made via an SSL/TLS transport
|
Returns true when the front connection was made via an SSL/TLS transport
|
||||||
layer and is locally deciphered. This means it has matched a socket declared
|
layer and is locally deciphered. This means it has matched a socket declared
|
||||||
@ -9074,10 +9084,20 @@ The list of currently supported pattern fetch functions is the following :
|
|||||||
was made over an SSL/TLS transport layer, otherwise zero if no
|
was made over an SSL/TLS transport layer, otherwise zero if no
|
||||||
error is encountered.
|
error is encountered.
|
||||||
|
|
||||||
|
ssl_c_version
|
||||||
|
Returns the version of the certificate presented by the client
|
||||||
|
when the incoming connection was made over an SSL/TLS transport
|
||||||
|
layer.
|
||||||
|
|
||||||
ssl_f_serial Returns the serial of the certificate presented by the frontend
|
ssl_f_serial Returns the serial of the certificate presented by the frontend
|
||||||
when the incoming connection was made over an SSL/TLS transport
|
when the incoming connection was made over an SSL/TLS transport
|
||||||
layer.
|
layer.
|
||||||
|
|
||||||
|
ssl_f_version
|
||||||
|
Returns the version of the certificate presented by the frontend
|
||||||
|
when the incoming connection was made over an SSL/TLS transport
|
||||||
|
layer.
|
||||||
|
|
||||||
ssl_fc This checks the transport layer used on the front connection,
|
ssl_fc This checks the transport layer used on the front connection,
|
||||||
and returns 1 if it was made via an SSL/TLS transport layer,
|
and returns 1 if it was made via an SSL/TLS transport layer,
|
||||||
otherwise zero.
|
otherwise zero.
|
||||||
|
|||||||
@ -1173,6 +1173,33 @@ smp_fetch_ssl_c_serial(struct proxy *px, struct session *l4, void *l7, unsigned
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* integer, returns the client certificate version */
|
||||||
|
static int
|
||||||
|
smp_fetch_ssl_c_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
||||||
|
const struct arg *args, struct sample *smp)
|
||||||
|
{
|
||||||
|
X509 *crt;
|
||||||
|
|
||||||
|
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
|
||||||
|
smp->flags |= SMP_F_MAY_CHANGE;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
|
||||||
|
crt = SSL_get_peer_certificate(l4->si[0].conn.xprt_ctx);
|
||||||
|
if (!crt)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
smp->data.uint = (unsigned int)(1 + X509_get_version(crt));
|
||||||
|
X509_free(crt);
|
||||||
|
smp->type = SMP_T_UINT;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
/* boolean, returns true if front conn. transport layer is SSL */
|
/* boolean, returns true if front conn. transport layer is SSL */
|
||||||
static int
|
static int
|
||||||
smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
||||||
@ -1231,6 +1258,32 @@ smp_fetch_ssl_f_serial(struct proxy *px, struct session *l4, void *l7, unsigned
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* integer, returns the frontend certificate version */
|
||||||
|
static int
|
||||||
|
smp_fetch_ssl_f_version(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
||||||
|
const struct arg *args, struct sample *smp)
|
||||||
|
{
|
||||||
|
X509 *crt;
|
||||||
|
|
||||||
|
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (!(l4->si[0].conn.flags & CO_FL_CONNECTED)) {
|
||||||
|
smp->flags |= SMP_F_MAY_CHANGE;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* SSL_get_certificate returns a ptr on an SSL * internal sub struct */
|
||||||
|
crt = SSL_get_certificate(l4->si[0].conn.xprt_ctx);
|
||||||
|
if (!crt)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
smp->data.uint = (unsigned int)(1 + X509_get_version(crt));
|
||||||
|
smp->type = SMP_T_UINT;
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
smp_fetch_ssl_fc_cipher(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
|
||||||
const struct arg *args, struct sample *smp)
|
const struct arg *args, struct sample *smp)
|
||||||
@ -1947,7 +2000,9 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
|
|||||||
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_c_serial", smp_fetch_ssl_c_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
|
{ "ssl_c_version", smp_fetch_ssl_c_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_f_serial", smp_fetch_ssl_f_serial, 0, NULL, SMP_T_BIN, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
|
{ "ssl_f_version", smp_fetch_ssl_f_version, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
{ "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
|
{ "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
|
||||||
@ -1972,7 +2027,9 @@ static struct acl_kw_list acl_kws = {{ },{
|
|||||||
{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_c_serial", acl_parse_bin, smp_fetch_ssl_c_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
|
{ "ssl_c_version", acl_parse_int, smp_fetch_ssl_c_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_f_serial", acl_parse_bin, smp_fetch_ssl_f_serial, acl_match_bin, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
|
{ "ssl_f_version", acl_parse_int, smp_fetch_ssl_f_version, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_fc_alg_keysize", acl_parse_str, smp_fetch_ssl_fc_alg_keysize, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
{ "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
{ "ssl_fc_cipher", acl_parse_str, smp_fetch_ssl_fc_cipher, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user