MINOR: ssl: set ssl-min-ver in ambiguous configurations

Using ssl-max-ver without ssl-min-ver is ambiguous.

When the ssl-min-ver is not configured, and ssl-max-ver is set to a
value lower than the default ssl-min-ver (which is TLSv1.2 currently),
set the ssl-min-ver to the value of ssl-max-ver, and emit a warning.
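The ambiguous form and the explicit form side by side, as an added configuration example that is not part of this commit or of the HAProxy tree; the certificate path, listen ports and backend address are placeholders:

```haproxy
# Added example, not HAProxy project code. /etc/haproxy/certs/site.pem,
# the ports and 127.0.0.1:8080 are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Ambiguous: ssl-max-ver is below the built-in default ssl-min-ver
# (TLSv1.2) and no ssl-min-ver is given. With this commit HAProxy warns at
# startup and resolves ssl-min-ver to TLSv1.1, so only TLSv1.1 is offered.
frontend legacy_ambiguous
    bind :8443 ssl crt /etc/haproxy/certs/site.pem ssl-max-ver TLSv1.1
    default_backend app

# Explicit: both bounds are stated, no warning is emitted, and the intended
# range survives a future change of the built-in default.
frontend legacy_explicit
    bind :9443 ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.1
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Running `haproxy -c -f haproxy.cfg` against this file shows the "Ambiguous configuration" warning for the first bind line and nothing for the second. Whether TLSv1.0 or TLSv1.1 can actually be negotiated still depends on the OpenSSL build and its security level; the ssl-min-ver/ssl-max-ver pair only narrows what HAProxy asks the library for.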
William Lallemand 2020-06-02 10:52:24 +02:00 committed by William Lallemand
parent 975564784f
commit 50df1cb1e5
2 changed files with 20 additions and 7 deletions


@ -12568,13 +12568,16 @@ ssl
ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
This option enforces use of <version> or lower on SSL connections instantiated
from this listener. This option is also available on global statement
from this listener. Using this setting without "ssl-min-ver" can be
ambiguous because the default ssl-min-ver value could change in future HAProxy
versions. This option is also available on global statement
"ssl-default-bind-options". See also "ssl-min-ver".
ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
This option enforces use of <version> or upper on SSL connections instantiated
from this listener. This option is also available on global statement
"ssl-default-bind-options". See also "ssl-max-ver".
This option enforces use of <version> or upper on SSL connections
instantiated from this listener. The default value is "TLSv1.2". This option
is also available on global statement "ssl-default-bind-options".
See also "ssl-max-ver".
strict-sni
This setting is only available when support for OpenSSL was built in. The
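Review bot: the new ssl-max-ver paragraph says the setting "can be ambiguous" but never states what HAProxy now does in that case; the code in this commit resolves the missing ssl-min-ver to the ssl-max-ver value and emits a startup warning, so the text should say so, for example "If ssl-min-ver is not set and ssl-max-ver is lower than the default, ssl-min-ver is set to the ssl-max-ver value and a warning is emitted." The ssl-min-ver entry that now reads 'The default value is "TLSv1.2"' needs the same caveat, since the effective default is lower whenever ssl-max-ver is set below TLSv1.2.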


@ -3650,6 +3650,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
int i, min, max, hole;
int flags = MC_SSL_O_ALL;
int cfgerr = 0;
const int default_min_ver = CONF_TLSV12;
ctx = SSL_CTX_new(SSLv23_server_method());
bind_conf->initial_ctx = ctx;
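Review bot: default_min_ver is a function-local const that restates CONF_TLSV12, while the documentation hunk hard-codes "TLSv1.2" as the default in two places; a single definition next to the CONF_* constants would give the doc text, the comparison and the warning message one source of truth to update when the default moves. Minor, but that is exactly the drift the commit message is trying to protect users from.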
@ -3663,9 +3664,18 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
min = conf_ssl_methods->min;
max = conf_ssl_methods->max;
/* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */
if (!min && (!max || max >= CONF_TLSV12))
min = CONF_TLSV12;
/* default minimum is TLSV12, */
if (!min) {
if (!max || (max >= default_min_ver)) {
min = default_min_ver;
} else {
ha_warning("Proxy '%s': Ambiguous configuration for bind '%s' at [%s:%d]: the ssl-min-ver value is not configured and the ssl-max-ver value is lower than the default ssl-min-ver value (%s). "
"Setting the ssl-min-ver to %s. Use 'ssl-min-ver' to fix this.\n",
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line, methodVersions[default_min_ver].name, methodVersions[max].name);
min = max;
}
}
/* Real min and max should be determinate with configuration and openssl's capabilities */
if (min)
flags |= (methodVersions[min].flag - 1);
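Review bot: after the new block min is always non-zero (it is either default_min_ver or max, and max is non-zero on the branch that assigns it), so the unchanged `if (min)` guard in front of `flags |= (methodVersions[min].flag - 1);` is now dead; drop the test, or keep it with a comment explaining why min may still be 0 if that is intended. Two smaller points in the same hunk: the replacement comment `/* default minimum is TLSV12, */` has a stray trailing comma and drops the information the old comment carried (that the default excludes SSLv3, TLSv1.0 and TLSv1.1), and the ha_warning() format string sits on one very long line, so split it at sentence boundaries to keep it readable and greppable; the parentheses around `max >= default_min_ver` are also redundant.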