MINOR: cfgparse: Add a new "ktls" option to bind and server.

Add a new "ktls" option to bind and server. Valid values are "on" and
"off".
It currently does nothing, but once kTLS is implemented it will
enable or disable kTLS for the corresponding sockets.
It is marked as experimental for now.
Olivier Houchard 2025-07-03 17:27:36 +02:00 committed by Olivier Houchard
parent 075e753802
commit e8674658ae
4 changed files with 74 additions and 0 deletions


@ -12178,6 +12178,7 @@ ssl-f-use [<sslbindconf> ...]*
- crl-file - crl-file
- curves - curves
- ecdhe - ecdhe
- ktls
- no-alpn - no-alpn
- no-ca-names - no-ca-names
- npn - npn
@ -16752,6 +16753,11 @@ interface <interface>
client IP addresses need to be able to reach frontends hosted on different client IP addresses need to be able to reach frontends hosted on different
interfaces. interfaces.
ktls <on|off> [ EXPERIMENTAL ]
Enables or disables ktls for those sockets. If enabled, kTLS will be used
if the kernel supports it and the cipher is compatible.
This is only available on linux.
label <label> label <label>
Sets an optional label for these sockets. It could be used group sockets by Sets an optional label for these sockets. It could be used group sockets by
label, independently of where the bind lines were declared. label, independently of where the bind lines were declared.
@ -17925,6 +17931,13 @@ init-state { fully-up | up | down | fully-down }
See also: "option tcp-check", "option httpchk" See also: "option tcp-check", "option httpchk"
ktls <on|off> [ EXPERIMENTAL ]
May be used in the following contexts: tcp, http, log, peers, ring
Enables or disables ktls for those sockets. If enabled, kTLS will be used
if the kernel supports it and the cipher is compatible.
This is only available on Linux.
log-bufsize <bufsize> log-bufsize <bufsize>
May be used in the following contexts: log May be used in the following contexts: log


@ -140,6 +140,7 @@ struct ssl_bind_conf {
unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */ unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */ unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */ unsigned int early_data:1; /* early data allowed */
unsigned int ktls:1; /* use kTLS if available */
char *ca_file; /* CAfile to use on verify and ca-names */ char *ca_file; /* CAfile to use on verify and ca-names */
char *ca_verify_file; /* CAverify file to use on verify only */ char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */ char *crl_file; /* CRLfile to use on verify */


@ -204,6 +204,7 @@ enum srv_init_state {
#define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */ #define SRV_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */ #define SRV_SSL_O_NO_REUSE 0x200 /* disable session reuse */
#define SRV_SSL_O_EARLY_DATA 0x400 /* Allow using early data */ #define SRV_SSL_O_EARLY_DATA 0x400 /* Allow using early data */
#define SRV_SSL_O_KTLS 0x800 /* Use kTLS if available */
/* log servers ring's protocols options */ /* log servers ring's protocols options */
enum srv_log_proto { enum srv_log_proto {


@ -874,6 +874,36 @@ static int bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct
return ssl_bind_parse_curves(args, cur_arg, px, &conf->ssl_conf, 0, err); return ssl_bind_parse_curves(args, cur_arg, px, &conf->ssl_conf, 0, err);
} }
/* parse the "ktls" bind keyword */
static int ssl_bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
{
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (!experimental_directives_allowed) {
memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (!strcasecmp(args[cur_arg + 1], "on")) {
conf->ktls = 1;
} else if (!strcasecmp(args[cur_arg + 1], "off")) {
conf->ktls = 0;
} else {
memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
args[cur_arg], args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
static int bind_parse_ktls(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_ktls(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
/* parse the "sigalgs" bind keyword */ /* parse the "sigalgs" bind keyword */
static int ssl_bind_parse_sigalgs(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err) static int ssl_bind_parse_sigalgs(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
{ {
@ -1890,6 +1920,32 @@ static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct
return 0; return 0;
} }
/* parse the "ktls" server keywod */
static int srv_parse_ktls(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' expects \"on\" or \"off\" as an argument.",
args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (!experimental_directives_allowed) {
memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directive'", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (!strcasecmp(args[*cur_arg + 1], "on")) {
newsrv->ssl_ctx.options |= SRV_SSL_O_KTLS;
} else if (!strcasecmp(args[*cur_arg + 1], "off")) {
newsrv->ssl_ctx.options &= ~SRV_SSL_O_KTLS;
} else {
memprintf(err, "'%s' expects \"on\" or \"off\" as an argument, got '%s'.",
args[*cur_arg], args[*cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
/* parse the "allow-0rtt" server keyword */ /* parse the "allow-0rtt" server keyword */
static int srv_parse_allow_0rtt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) static int srv_parse_allow_0rtt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{ {
@ -2450,6 +2506,7 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */ { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */ { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */ { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "ktls", ssl_bind_parse_ktls, 1 }, /* enables or disables kTLS */
{ "no-alpn", ssl_bind_parse_no_alpn, 0 }, /* disable sending ALPN */ { "no-alpn", ssl_bind_parse_no_alpn, 0 }, /* disable sending ALPN */
{ "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */ { "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */ { "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
@ -2486,6 +2543,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */ { "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */ { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */ { "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
{ "ktls", bind_parse_ktls, 1 }, /* enable or disable kTLS */
{ "no-alpn", bind_parse_no_alpn, 0 }, /* disable sending ALPN */ { "no-alpn", bind_parse_no_alpn, 0 }, /* disable sending ALPN */
{ "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */ { "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */ { "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
@ -2535,6 +2593,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
{ "force-tlsv11", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv11 */ { "force-tlsv11", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv12 */ { "force-tlsv12", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv12 */
{ "force-tlsv13", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv13 */ { "force-tlsv13", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv13 */
{ "ktls", srv_parse_ktls, 1, 1, 1 }, /* enable or disable kTLS */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1, 0 }, /* disable SSL for health checks */ { "no-check-ssl", srv_parse_no_check_ssl, 0, 1, 0 }, /* disable SSL for health checks */
{ "no-renegotiate", srv_parse_renegotiate, 0, 1, 1 }, /* Disable renegotiation */ { "no-renegotiate", srv_parse_renegotiate, 0, 1, 1 }, /* Disable renegotiation */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1, 0 }, /* do not send PROXY protocol header v2 with SSL info */ { "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1, 0 }, /* do not send PROXY protocol header v2 with SSL info */
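Review bot: The experimental-directive error message in ssl_bind_parse_ktls (first hunk) and srv_parse_ktls (second hunk) names a global keyword `'expose-experimental-directive'` (singular), while the global keyword that actually unlocks experimental directives is `expose-experimental-directives` (plural); an operator who copies the hint into the global section will get a parse error instead of the intended opt-in. Both messages should read `memprintf(err, "'%s' directive is experimental, must be allowed via a global 'expose-experimental-directives'", args[cur_arg]);` (with `args[*cur_arg]` in the server variant). The header comment of the second hunk also has a typo and should read `/* parse the "ktls" server keywod */` → `/* parse the "ktls" server keyword */`. As a point of style, the two functions duplicate the same presence check, experimental check and on/off comparison; a small static helper returning 1, 0 or -1 for "on", "off" and anything else would keep the two keywords from drifting apart when kTLS itself lands.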