mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 23:56:57 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: ssl: add support for prefer-server-ciphers option

Browse Source 
I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to frontend, if the 'prefer-server-ciphers' keyword is set.

Example :
	bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigate the effect of the BEAST Attack (as I understand), and it
equivalent to :
	- Apache HTTPd SSLHonorCipherOrder option.
	- Nginx ssl_prefer_server_ciphers option.

[WT: added a test for the support of the option]
This commit is contained in:
David BERARD 2012-09-04 15:15:13 +02:00 committed by Willy Tarreau
parent ff9f7698fc
commit e566ecbea8
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/types/protocols.h
View File

@ -137,6 +137,7 @@ struct listener {
char *ciphers; /* cipher suite to use if non-null */ char *ciphers; /* cipher suite to use if non-null */
int nosslv3; /* disable SSLv3 */ int nosslv3; /* disable SSLv3 */
int notlsv1; /* disable TLSv1 */ int notlsv1; /* disable TLSv1 */
int prefer_server_ciphers; /* Prefer server ciphers */
} ssl_ctx; } ssl_ctx;
#endif #endif
/* warning: this struct is huge, keep it at the bottom */ /* warning: this struct is huge, keep it at the bottom */

23
src/cfgparse.c
View File

@ -1889,6 +1889,23 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
#endif #endif
} }
if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
struct listener *l;
for (l = curproxy->listen; l != last_listen; l = l->next)
l->ssl_ctx.prefer_server_ciphers = 1;
cur_arg += 1;
continue;
#else
Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
file, linenum, args[0], args[cur_arg]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
#endif
}
if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */ if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
struct listener *l; struct listener *l;
@ -6794,6 +6811,10 @@ int check_config_validity()
} }
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE /* needs OpenSSL >= 0.9.7 */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
#endif
#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */ #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
#endif #endif
@ -6827,6 +6848,8 @@ int check_config_validity()
ssloptions |= SSL_OP_NO_SSLv3; ssloptions |= SSL_OP_NO_SSLv3;
if (listener->ssl_ctx.notlsv1) if (listener->ssl_ctx.notlsv1)
ssloptions |= SSL_OP_NO_TLSv1; ssloptions |= SSL_OP_NO_TLSv1;
if (listener->ssl_ctx.prefer_server_ciphers)
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions); SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode); SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);