mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-03-25 04:17:42 +00:00
MEDIUM: ssl: remove ssl-options from crt-list
ssl-options are link to the initial negotiation environnement worn by default_ctx. Remove it from crt-list to avoid any confusion.
This commit is contained in:
Emmanuel Hocdet
Willy Tarreau
parent
5bf77329b6
commit
4608ed9511
@ -10269,7 +10269,7 @@ crt-list <file>
|
||||
<crtfile> [\[<sslbindconf> ...\]] [[!]<snifilter> ...]
|
||||
|
||||
sslbindconf support "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe",
|
||||
"curves", "ciphers" configuration and ssl options (see "ssl-default-bind-options").
|
||||
"curves", "ciphers" configuration.
|
||||
It override the configuration set in bind line for the certificate.
|
||||
|
||||
Wildcards are supported in the SNI filter. Negative filter are also supported,
|
||||
|
||||
@ -132,7 +132,6 @@ struct ssl_bind_conf {
|
||||
char *ciphers; /* cipher suite to use if non-null */
|
||||
char *curves; /* curves suite to use for ECDHE */
|
||||
char *ecdhe; /* named curve to use for ECDHE */
|
||||
int ssl_options; /* ssl options */
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -145,6 +144,7 @@ struct bind_conf {
|
||||
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
|
||||
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
|
||||
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
|
||||
int ssl_options; /* ssl options */
|
||||
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
|
||||
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
|
||||
struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */
|
||||
|
||||
@ -120,7 +120,7 @@
|
||||
#define HASH_FUNCT EVP_sha256
|
||||
#endif /* OPENSSL_NO_SHA256 */
|
||||
|
||||
static SSL_CTX *ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf);
|
||||
static SSL_CTX *ssl_sock_new_ctx(struct bind_conf *bind_conf);
|
||||
|
||||
/* server and bind verify method, it uses a global value as default */
|
||||
enum {
|
||||
@ -2536,7 +2536,7 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
|
||||
|
||||
if (cur_ctx == NULL) {
|
||||
/* need to create SSL_CTX */
|
||||
cur_ctx = ssl_sock_new_ctx(bind_conf, ssl_conf);
|
||||
cur_ctx = ssl_sock_new_ctx(bind_conf);
|
||||
if (cur_ctx == NULL) {
|
||||
memprintf(err, "%sunable to allocate SSL context.\n",
|
||||
err && *err ? *err : "");
|
||||
@ -2762,7 +2762,7 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
|
||||
int ret;
|
||||
SSL_CTX *ctx;
|
||||
|
||||
ctx = ssl_sock_new_ctx(bind_conf, ssl_conf);
|
||||
ctx = ssl_sock_new_ctx(bind_conf);
|
||||
if (!ctx) {
|
||||
memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
@ -3178,7 +3178,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
|
||||
|
||||
/* create an SSL_CTX according method wanted */
|
||||
static SSL_CTX *
|
||||
ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf)
|
||||
ssl_sock_new_ctx(struct bind_conf *bind_conf)
|
||||
{
|
||||
SSL_CTX *ctx = NULL;
|
||||
long ssloptions =
|
||||
@ -3194,7 +3194,7 @@ ssl_sock_new_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf)
|
||||
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
|
||||
SSL_MODE_RELEASE_BUFFERS |
|
||||
SSL_MODE_SMALL_BUFFERS;
|
||||
int conf_ssl_options = bind_conf->ssl_conf.ssl_options | (ssl_conf ? ssl_conf->ssl_options : 0);
|
||||
int conf_ssl_options = bind_conf->ssl_options;
|
||||
|
||||
#if SSL_OP_NO_TLSv1_2
|
||||
if (!ctx && conf_ssl_options & BC_SSL_O_USE_TLSV12)
|
||||
@ -6105,7 +6105,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
|
||||
}
|
||||
|
||||
/* parse the "force-sslv3" bind keyword */
|
||||
static int ssl_bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
conf->ssl_options |= BC_SSL_O_USE_SSLV3;
|
||||
@ -6116,24 +6116,16 @@ static int ssl_bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px
|
||||
return ERR_ALERT | ERR_FATAL;
|
||||
#endif
|
||||
}
|
||||
static int bind_parse_force_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_force_sslv3(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "force-tlsv10" bind keyword */
|
||||
static int ssl_bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_USE_TLSV10;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_force_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_force_tlsv10(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "force-tlsv11" bind keyword */
|
||||
static int ssl_bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
#if SSL_OP_NO_TLSv1_1
|
||||
conf->ssl_options |= BC_SSL_O_USE_TLSV11;
|
||||
@ -6144,13 +6136,9 @@ static int ssl_bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *p
|
||||
return ERR_ALERT | ERR_FATAL;
|
||||
#endif
|
||||
}
|
||||
static int bind_parse_force_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_force_tlsv11(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "force-tlsv12" bind keyword */
|
||||
static int ssl_bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
#if SSL_OP_NO_TLSv1_2
|
||||
conf->ssl_options |= BC_SSL_O_USE_TLSV12;
|
||||
@ -6161,65 +6149,41 @@ static int ssl_bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *p
|
||||
return ERR_ALERT | ERR_FATAL;
|
||||
#endif
|
||||
}
|
||||
static int bind_parse_force_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_force_tlsv12(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "no-tls-tickets" bind keyword */
|
||||
static int ssl_bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_no_tls_tickets(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "no-sslv3" bind keyword */
|
||||
static int ssl_bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_NO_SSLV3;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_no_sslv3(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv10" bind keyword */
|
||||
static int ssl_bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV10;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_no_tlsv10(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv11" bind keyword */
|
||||
static int ssl_bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV11;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_no_tlsv11(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv12" bind keyword */
|
||||
static int ssl_bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV12;
|
||||
return 0;
|
||||
}
|
||||
static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
return ssl_bind_parse_no_tlsv12(args, cur_arg, px, &conf->ssl_conf, err);
|
||||
}
|
||||
|
||||
/* parse the "npn" bind keyword */
|
||||
static int ssl_bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||
@ -6341,7 +6305,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
|
||||
|
||||
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
|
||||
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
|
||||
conf->ssl_conf.ssl_options |= global_ssl.listen_default_ssloptions;
|
||||
conf->ssl_options |= global_ssl.listen_default_ssloptions;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -7386,15 +7350,6 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
|
||||
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
|
||||
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
|
||||
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
|
||||
{ "force-sslv3", ssl_bind_parse_force_sslv3, 0 }, /* force SSLv3 */
|
||||
{ "force-tlsv10", ssl_bind_parse_force_tlsv10, 0 }, /* force TLSv10 */
|
||||
{ "force-tlsv11", ssl_bind_parse_force_tlsv11, 0 }, /* force TLSv11 */
|
||||
{ "force-tlsv12", ssl_bind_parse_force_tlsv12, 0 }, /* force TLSv12 */
|
||||
{ "no-sslv3", ssl_bind_parse_no_sslv3, 0 }, /* disable SSLv3 */
|
||||
{ "no-tlsv10", ssl_bind_parse_no_tlsv10, 0 }, /* disable TLSv10 */
|
||||
{ "no-tlsv11", ssl_bind_parse_no_tlsv11, 0 }, /* disable TLSv11 */
|
||||
{ "no-tlsv12", ssl_bind_parse_no_tlsv12, 0 }, /* disable TLSv12 */
|
||||
{ "no-tls-tickets", ssl_bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
|
||||
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
|
||||
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
|
||||
{ NULL, NULL, 0 },
|
||||
|
||||
Loading…
Reference in New Issue
Block a user