From 2525b6bb92ec5fee18b775344de3ebcc1fab5516 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Thu, 18 Oct 2012 15:59:43 +0200 Subject: [PATCH] MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate --- doc/configuration.txt | 129 ++++++++++++++++++++++-------------------- src/ssl_sock.c | 82 +++++++++++++-------------- 2 files changed, 109 insertions(+), 102 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 9270e169c..c7c6b4ba5 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8272,15 +8272,6 @@ during analysis. This requires that some data has been buffered, for instance through TCP request content inspection. Please see the "tcp-request content" keyword for more detailed information on the subject. -client_crt - Returns true if a client certificate is present in an incoming connection over - SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'. - -is_ssl - Returns true when the incoming connection was made via an SSL/TLS transport - layer and is locally deciphered. This means it has matched a socket declared - with a "bind" line having the "ssl" option. - rep_ssl_hello_type Returns true when data in the response buffer looks like a complete SSL (v3 or superior) hello message and handshake type is equal to . 
@@ -8364,14 +8355,47 @@ req_ssl_ver SSL transport layer, so this will not work with "bind" lines having the "ssl" option. -ssl_has_sni +ssl_c_ca_err + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the ID of the first error detected during verification of the + client certificate at depth > 0 matches the specified value (check man verify + for possible values). Note that error zero means no error was encountered + during this verification process. + +ssl_c_ca_err_depth + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the depth in the CA chain of the first error detected during the + verification of the client certificate matches the specified value. When no + error is found, depth 0 is returned. + +ssl_c_err + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the ID of the first error detected during verification at depth==0 + matches the specified value (check man verify for possible values). Note that + error zero means no error was encountered during this verification process. + +ssl_c_verify + Returns true when the incoming connection was made over an SSL/TLS transport + layer, and the verify result matches the specified value (check man verify + for possible values). Zero indicates no error was detected. + +ssl_fc + Returns true when the front connection was made via an SSL/TLS transport + layer and is locally deciphered. This means it has matched a socket declared + with a "bind" line having the "ssl" option. + +ssl_fc_has_crt + Returns true if a client certificate is present in an incoming connection over + SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'. + +ssl_fc_has_sni This is used to check for presence of a Server Name Indication TLS extension in an incoming connection was made over an SSL/TLS transport layer. Returns true when the incoming connection presents a TLS SNI field. 
This requires that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). -ssl_npn +ssl_fc_npn Returns true when the incoming connection was made over an SSL/TLS transport layer which deciphered it and found a Next Protocol Negociation TLS extension sent by the client, matching the specified string. This requires that the SSL @@ -8380,17 +8404,18 @@ ssl_npn the "bind" line specifies a protocol list. Also, nothing forces the client to pick a protocol from this list, any other one may be requested. -ssl_sni +ssl_fc_sni Returns true when the incoming connection was made over an SSL/TLS transport layer which deciphered it and found a Server Name Indication TLS extension sent by the client, matching the specified string. In HTTPS, the SNI field (when present) is equal to the requested host name. This match is different from "req_ssl_sni" above in that it applies to the connection being deciphered by haproxy and not to SSL contents being blindly forwarded. - See also "ssl_sni_end" and "ssl_sni_req" below. This requires that the SSL - library is build with support for TLS extensions enabled (check haproxy -vv). + See also "ssl_fc_sni_end" and "ssl_fc_sni_req" below. This requires that the + SSL library is build with support for TLS extensions enabled (check + haproxy -vv). -ssl_sni_end +ssl_fc_sni_end Returns true when the incoming connection was made over an SSL/TLS transport layer which deciphered it and found a Server Name Indication TLS extension sent by the client, ending like the specified string. In HTTPS, the SNI field @@ -8400,7 +8425,7 @@ ssl_sni_end requires that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). -ssl_sni_req +ssl_fc_sni_reg Returns true when the incoming connection was made over an SSL/TLS transport layer which deciphered it and found a Server Name Indication TLS extension sent by the client, matching the specified regex. In HTTPS, the SNI field 
@@ -8410,25 +8435,6 @@ ssl_sni_req requires that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). -ssl_verify_caerr - Returns true when the incoming connection was made over an SSL/TLS transport - layer and the ID of the first error detected during verify at depth > 0 match - the errorID. - -ssl_verify_caerr_depth - Returns true when the incoming connection was made over an SSL/TLS transport - layer and the depth of the first error detected during verify match the - depth. - -ssl_verify_crterr - Returns true when the incoming connection was made over an SSL/TLS transport - layer and the ID of the first error detected during verify at depth == 0 - match the errorID. - -ssl_verify_result - Returns true when the incoming connection was made over an SSL/TLS transport - layer and the verify result match the errorID. - wait_end Waits for the end of the analysis period to return true. This may be used in conjunction with content analysis to avoid returning a wrong verdict early. @@ -8969,9 +8975,6 @@ The list of currently supported pattern fetch functions is the following : shared caches efficiency. Using this with a limited size stick table also allows one to collect statistics about most commonly requested objects by host/path. - client_crt - Returns 1 if a client certificate is present in an incoming - connection over SSL/TLS transport layer, otherwise 0. src This is the source IPv4 address of the client of the session. It is of type IPv4 and works on both IPv4 and IPv6 tables. 
@@ -9000,10 +9003,6 @@ The list of currently supported pattern fetch functions is the following : last one. A typical use is with the X-Forwarded-For header once converted to IP, associated with an IP stick-table. - is_ssl This checks the transport layer used by incoming connection, and - returns 1 if the connection was made via an SSL/TLS transport - layer, otherwise zero. - path This extracts the request's URL path (without the host part). A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and 
@@ -9031,41 +9030,49 @@ The list of currently supported pattern fetch functions is the following : that this function will be useful but it's available at no cost. It is of type integer and only works with such tables. - ssl_has_sni This checks the transport layer used by incoming connection, and + ssl_c_ca_err Returns the ID of the first error detected during verify of the + client certificate at depth > 0, or 0 if no error was detected. + + ssl_c_ca_err_depth + Returns the depth of the first error detected during verify. If + no error is encountered in the CA chain, zero is returned. + + ssl_c_err Returns the ID of the first error detected during verify of the + client certificate at depth == 0, or 0 if no errors. + + ssl_c_verify Returns the verify result errorID when the incoming connection + was made over an SSL/TLS transport layer, otherwise zero if no + error is encountered. + + ssl_fc This checks the transport layer used on the front connection, + and returns 1 if it was made via an SSL/TLS transport layer, + otherwise zero. + + ssl_fc_has_crt + Returns 1 if a client certificate is present in the front + connection over SSL/TLS transport layer, otherwise 0. + + ssl_fc_has_sni + This checks the transport layer used by the front connection, and returns 1 if the connection was made via an SSL/TLS transport layer and the client sent a Server Name Indication TLS extension, otherwise zero. This requires that the SSL library is build with support for TLS extensions enabled (check haproxy -vv). - ssl_npn This extracts the Next Protocol Negociation field from an + ssl_fc_npn This extracts the Next Protocol Negociation field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result is a string containing the protocol name advertised by the client. The SSL library must have been built with support for TLS extensions enabled (check - haproxy -vv). + haproxy -vv). See also the "npn" bind keyword. 
- ssl_sni This extracts the Server Name Indication field from an incoming + ssl_fc_sni This extracts the Server Name Indication field from an incoming connection made via an SSL/TLS transport layer and locally deciphered by haproxy. The result typically is a string matching the HTTPS host name (253 chars or less). The SSL library must have been built with support for TLS extensions enabled (check haproxy -vv). - ssl_verify_caerr - Returns the ID of the first error detected during verify at - depth > 0 or 0 if no errors. - - ssl_verify_caerr_depth - Returns the depth of the first error detected during verify. - - ssl_verify_crterr - Returns the ID of the first error detected during verify at - depth == 0 or 0 if no errors. - - ssl_verify_result - Returns the verify result errorID when the incoming connection - was made over an SSL/TLS transport layer. - url This extracts the request's URL as presented in the request. A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 9c60679cb..ce0c67d37 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1099,8 +1099,8 @@ const char *ssl_sock_get_proto_version(struct connection *conn) /* boolean, returns true if client cert was present */ static int -smp_fetch_client_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt, - const struct arg *args, struct sample *smp) +smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt, + const struct arg *args, struct sample *smp) { if (!l4 || l4->si[0].conn.xprt != &ssl_sock) return 0; 
@@ -1118,9 +1118,9 @@ smp_fetch_client_crt(struct proxy *px, struct session *l4, void *l7, unsigned in
 }
-/* boolean, returns true if transport layer is SSL */
+/* boolean, returns true if front conn. transport layer is SSL */
 static int
-smp_fetch_is_ssl(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                  const struct arg *args, struct sample *smp)
 {
 	smp->type = SMP_T_BOOL;
@@ -1128,10 +1128,10 @@ smp_fetch_is_ssl(struct proxy *px, struct session *l4, void *l7, unsigned int op
 	return 1;
 }
-/* boolean, returns true if transport layer is SSL */
+/* boolean, returns true if client present a SNI */
 static int
-smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
-                  const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                         const struct arg *args, struct sample *smp)
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	smp->type = SMP_T_BOOL;
@@ -1146,8 +1146,8 @@ smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
 #ifdef OPENSSL_NPN_NEGOTIATED
 static int
-smp_fetch_ssl_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
-                  const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                     const struct arg *args, struct sample *smp)
 {
 	smp->flags = 0;
 	smp->type = SMP_T_CSTR;
@@ -1167,8 +1167,8 @@ smp_fetch_ssl_npn(struct proxy *px, struct session *l4, void *l7, unsigned int o
 #endif
 static int
-smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
-                  const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                     const struct arg *args, struct sample *smp)
 {
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	smp->flags = 0;
@@ -1188,9 +1188,9 @@ smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int o
 #endif
 }
-/* integer, returns the first verify error ID in CA */
+/* integer, returns the first verify error in CA chain of client certificate chain. */
 static int
-smp_fetch_verify_caerr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_c_ca_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                        const struct arg *args, struct sample *smp)
 {
 	if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@@ -1208,9 +1208,9 @@ smp_fetch_verify_caerr(struct proxy *px, struct session *l4, void *l7, unsigned
 	return 1;
 }
-/* integer, returns the depth of the first verify error in CA */
+/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
 static int
-smp_fetch_verify_caerr_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_c_ca_err_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
                              const struct arg *args, struct sample *smp)
 {
 	if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@@ -1228,10 +1228,10 @@ smp_fetch_verify_caerr_depth(struct proxy *px, struct session *l4, void *l7, uns
 	return 1;
 }
-/* integer, returns the depth of the first verify error in CA */
+/* integer, returns the first verify error on client certificate */
 static int
-smp_fetch_verify_crterr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
-                        const struct arg *args, struct sample *smp)
+smp_fetch_ssl_c_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                    const struct arg *args, struct sample *smp)
 {
 	if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
 		return 0;
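Review bot: The replacement header comments on `smp_fetch_ssl_c_ca_err` and `smp_fetch_ssl_c_ca_err_depth` read `in CA chain of client certificate chain`, a garbled phrase that the next maintainer will have to puzzle over; suggest `/* integer, returns the first verify error found in the CA chain of the client certificate (depth > 0) */` and `/* integer, returns the depth of the first verify error found in the CA chain of the client certificate */`. Spelling out the depth also keeps the code comment in step with the new `ssl_c_ca_err` / `ssl_c_err` documentation in this patch, which distinguishes depth > 0 from depth == 0. The function bodies continue outside these hunks, so the remaining error-handling is not visible here.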
@@ -1248,10 +1248,10 @@ smp_fetch_verify_crterr(struct proxy *px, struct session *l4, void *l7, unsigned
 	return 1;
 }
-/* integer, returns the verify result */
+/* integer, returns the verify result on client cert */
 static int
-smp_fetch_verify_result(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
-                        const struct arg *args, struct sample *smp)
+smp_fetch_ssl_c_verify(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                       const struct arg *args, struct sample *smp)
 {
 	if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
 		return 0;
@@ -1755,17 +1755,17 @@ static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct
  * Please take care of keeping this list alphabetically sorted.
  */
 static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
-	{ "client_crt", smp_fetch_client_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "is_ssl", smp_fetch_is_ssl, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "ssl_has_sni", smp_fetch_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
 #ifdef OPENSSL_NPN_NEGOTIATED
-	{ "ssl_npn", smp_fetch_ssl_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 #endif
-	{ "ssl_sni", smp_fetch_ssl_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "ssl_verify_caerr", smp_fetch_verify_caerr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "ssl_verify_caerr_depth", smp_fetch_verify_caerr_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "ssl_verify_crterr", smp_fetch_verify_crterr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
-	{ "ssl_verify_result", smp_fetch_verify_result, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+	{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
 	{ NULL, NULL, 0, 0, 0 },
 }};
@@ -1773,19 +1773,19 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
  * Please take care of keeping this list alphabetically sorted.
  */
 static struct acl_kw_list acl_kws = {{ },{
-	{ "client_crt", acl_parse_int, smp_fetch_client_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "is_ssl", acl_parse_int, smp_fetch_is_ssl, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "ssl_has_sni", acl_parse_int, smp_fetch_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
+	{ "ssl_c_ca_err", acl_parse_int, smp_fetch_ssl_c_ca_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
+	{ "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
 #ifdef OPENSSL_NPN_NEGOTIATED
-	{ "ssl_npn", acl_parse_str, smp_fetch_ssl_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
 #endif
-	{ "ssl_sni", acl_parse_str, smp_fetch_ssl_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "ssl_sni_end", acl_parse_str, smp_fetch_ssl_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
-	{ "ssl_sni_reg", acl_parse_reg, smp_fetch_ssl_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
-	{ "ssl_verify_caerr", acl_parse_int, smp_fetch_verify_caerr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "ssl_verify_caerr_depth", acl_parse_int, smp_fetch_verify_caerr_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "ssl_verify_crterr", acl_parse_int, smp_fetch_verify_crterr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
-	{ "ssl_verify_result", acl_parse_int, smp_fetch_verify_result, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+	{ "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
+	{ "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
 	{ NULL, NULL, NULL, NULL },
 }};
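Review bot: The new `ssl_fc_has_crt` ACL entry drops the `ACL_MAY_LOOKUP` flag that the `client_crt` entry it replaces carried (`ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP` became `ACL_USE_L6REQ_PERMANENT`), a behavioural change inside a commit described as a pure rename; if it is intentional it needs a sentence in the commit message, otherwise restore it with `{ "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },`. The regex keyword is registered here as `"ssl_fc_sni_reg"`, while the doc hunk's see-also text under `ssl_fc_sni` still says `"ssl_fc_sni_req"`; the doc reference should be changed to `ssl_fc_sni_reg` so readers can find the keyword that actually parses. Note also that the old keywords (`client_crt`, `is_ssl`, `ssl_has_sni`, `ssl_verify_*`) are removed with no aliases, so configurations that gate access on client-certificate verification will fail at load rather than silently match; that is the safe failure mode, but it is worth stating in the commit message since the description presents this as a rename only.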