mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2026-03-15 20:12:08 +01:00
This patch impacts both the QUIC frontends and listeners. Note that "ssl-default-bind-ciphersuites" and "ssl-default-bind-curves" are not ignored by QUIC by the frontend. This is also the case for the backends with "ssl-default-server-ciphersuites" and "ssl-default-server-curves". These settings are set by ssl_sock_prepare_ctx() for the frontends and by ssl_sock_prepare_srv_ssl_ctx() for the backends. But ssl_quic_initial_ctx() first sets the default QUIC frontends (see <quic_ciphers> and <quic_groups>) before these ssl_sock.c functions are called, leading some TLS stacks to refuse them if they do not support them. This is the case for some OpenSSL 3.5 stacks with FIPS support. They do not support X25519.

To fix this, set the default QUIC ciphersuites and curves only if not already set by the settings mentioned above. Rename the <quic_ciphers> global variable to <default_quic_ciphersuites> and <quic_groups> to <default_quic_curves> to reflect the OpenSSL API naming. These options are taken into account by ssl_quic_initial_ctx(), which inspects these four variables before calling SSL_CTX_set_ciphersuites() with <default_quic_ciphersuites> as parameter and SSL_CTX_set_curves() with <default_quic_curves> as parameter if needed, that is to say, if no ciphersuites and curves were set by "ssl-default-bind-ciphersuites", "ssl-default-bind-curves" as global options or "ciphersuites", "curves" as "bind" line options. Note that the bind_conf struct is not modified when no "ciphersuites" or "curves" options are used on "bind" lines.

On the backend side, rely on ssl_sock_init_srv() to set the server ciphersuites and curves. This function is modified to use respectively <default_quic_ciphersuites> and <default_quic_curves> if no ciphersuites and curves were set by "ssl-default-server-ciphersuites", "ssl-default-server-curves" as global options or "ciphersuites", "curves" as "server" line options.

Thanks to @rwagoner for having reported this issue in GH #3194 when using an OpenSSL 3.5.4 stack with FIPS support.

Must be backported as far as 2.6.
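The precedence the commit message describes, as an added example in C that is not HAProxy's own code: a "bind"/"server" line "ciphersuites"/"curves" option wins, then the global ssl-default-{bind,server}-* settings, and the built-in QUIC lists are applied only when neither level configured one, so an operator's X25519-free curve list on a FIPS stack is never overridden. The struct and function names and the built-in list values are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed built-in QUIC defaults for this example; HAProxy keeps its own
 * values in default_quic_ciphersuites / default_quic_curves. */
static const char *const builtin_quic_ciphersuites =
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
static const char *const builtin_quic_curves = "X25519:P-256:P-384:P-521";

/* Result of the resolution: the lists to hand to SSL_CTX_set_ciphersuites()
 * and SSL_CTX_set_curves(), plus whether each came from the built-in default. */
struct quic_tls_choice {
    const char *ciphersuites;
    const char *curves;
    int ciphersuites_from_builtin;
    int curves_from_builtin;
};

/* line_* are the "bind"/"server" line "ciphersuites"/"curves" options and
 * global_* the ssl-default-{bind,server}-{ciphersuites,curves} settings;
 * NULL means "not configured". The built-in QUIC list is used only when
 * neither level set one, which is what keeps X25519 away from a FIPS
 * stack whose operator configured a curve list without it. */
static struct quic_tls_choice
quic_resolve_tls_lists(const char *line_ciphersuites, const char *global_ciphersuites,
                       const char *line_curves, const char *global_curves)
{
    struct quic_tls_choice c;

    c.ciphersuites = line_ciphersuites ? line_ciphersuites : global_ciphersuites;
    c.ciphersuites_from_builtin = (c.ciphersuites == NULL);
    if (c.ciphersuites_from_builtin)
        c.ciphersuites = builtin_quic_ciphersuites;

    c.curves = line_curves ? line_curves : global_curves;
    c.curves_from_builtin = (c.curves == NULL);
    if (c.curves_from_builtin)
        c.curves = builtin_quic_curves;

    return c;
}

/* 1 if the resolved curve list names X25519 (the group the commit reports
 * as rejected by some OpenSSL 3.5 FIPS builds), 0 otherwise. */
static int quic_curves_name_x25519(const struct quic_tls_choice *c)
{
    return strstr(c->curves, "X25519") != NULL;
}
```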
24 lines
658 B
C
```c
/*
 * include/haproxy/quic_ssl-t.h
 * Definitions for QUIC over TLS/SSL api types, constants and flags.
 *
 * Copyright (C) 2023
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 */

#ifndef _HAPROXY_QUIC_SSL_T_H
#define _HAPROXY_QUIC_SSL_T_H

#include <haproxy/pool-t.h>

extern struct pool_head *pool_head_quic_ssl_sock_ctx;
extern const char *default_quic_ciphersuites;
extern const char *default_quic_curves;

#endif /* _HAPROXY_QUIC_SSL_T_H */
```