mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-06 15:17:01 +02:00
Code Issues Projects Releases Wiki Activity
20,963 Commits 15 Branches 393 Tags 179 MiB
C 98.1%
Shell 0.8%
Makefile 0.5%
Lua 0.2%
Python 0.2%
23093c72f1
Go to file
William Lallemand 23093c72f1 BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA 
When using TLSv1.3, the signature algorithms extension is used to chose
the right ECDSA or RSA certificate.

However there was an old test for previous version of TLS (< 1.3) which
was testing if the cipher is compatible with ECDSA when an ECDSA
signature algorithm is used. This test was relying on
SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa to verify if the
cipher is still good.

Problem is, with TLSv1.3, all ciphersuites are compatible with any
authentication algorithm, but SSL_CIPHER_get_auth_nid(cipher) does not
return NID_auth_ecdsa, but NID_auth_any.

Because of this, with TLSv1.3 when both ECDSA and RSA certificates are
available for a domain, the ECDSA one is not chosen in priority.

This patch also introduces a test on the cipher IDs for the signaling
ciphersuites, because they would always return NID_auth_any, and are not
relevent for this selection.

This patch fixes issue #2300.

Must be backported in all stable versions.
2023-10-26 19:17:13 +02:00
.github CI: github: add awslc 1.16.0 to the push CI 2023-10-11 11:38:27 +02:00
addons MEDIUM: tree-wide: logsrv struct becomes logger 2023-10-13 10:05:06 +02:00
admin MINOR: acme.sh: add the deploy script for acme.sh in admin directory 2023-04-26 17:32:15 +02:00
dev DEV: sslkeylogger: handle file opening error 2023-10-03 15:23:35 +02:00
doc MINOR: lua: change tune.lua.log.stderr default from 'on' to 'auto' 2023-10-25 07:49:03 +02:00
examples EXAMPLES: maintain haproxy 2.8 retrocompatibility for lua mailers script 2023-07-11 16:04:22 +02:00
include MEDIUM: quic: count quic_conn for global sslconns 2023-10-26 15:35:58 +02:00
reg-tests MINOR: sample: Added support for Arrays in sample_conv_json_query in sample.c 2023-10-20 18:42:05 +02:00
scripts CI: ssl: add git id support for wolfssl download 2023-10-10 10:34:17 +02:00
src BUG/MINOR: ssl: suboptimal certificate selection with TLSv1.3 and dual ECDSA/RSA 2023-10-26 19:17:13 +02:00
tests Revert "MAJOR: import: update mt_list to support exponential back-off" 2023-09-15 17:13:43 +02:00
.cirrus.yml CI: cirrus-ci: display gdb bt if any 2023-09-22 08:28:30 +02:00
.gitattributes MINOR: Configure the cpp userdiff driver for *.[ch] in .gitattributes 2021-02-22 18:17:57 +01:00
.gitignore CONTRIB: Add vi file extensions to .gitignore 2023-06-02 18:14:34 +02:00
.mailmap DOC: update Tim's address in .mailmap 2021-09-16 09:14:14 +02:00
.travis.yml CI: travis-ci: temporarily disable arm64 builds 2021-08-07 07:28:15 +02:00
BRANCHES DOC: fix some spelling issues over multiple files 2021-01-08 14:53:47 +01:00
BSDmakefile BUILD: makefile: commit the tiny FreeBSD makefile stub 2023-05-24 17:17:36 +02:00
CHANGELOG [RELEASE] Released version 2.9-dev8 2023-10-20 21:36:47 +02:00
CONTRIBUTING CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
INSTALL BUILD: ssl: Build with new cryptographic library AWS-LC 2023-09-04 18:19:18 +02:00
LICENSE LICENSE: add licence exception for OpenSSL 2012-09-07 13:52:26 +02:00
MAINTAINERS CLEANUP: assorted typo fixes in the code and comments 2022-11-30 14:02:36 +01:00
Makefile BUILD: ssl: Build with new cryptographic library AWS-LC 2023-09-04 18:19:18 +02:00
README DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
SUBVERS BUILD: use format tags in VERDATE and SUBVERS files 2013-12-10 11:22:49 +01:00
VERDATE [RELEASE] Released version 2.9-dev8 2023-10-20 21:36:47 +02:00
VERSION [RELEASE] Released version 2.9-dev8 2023-10-20 21:36:47 +02:00

README 

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)