mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-05-01 07:18:02 +00:00
MEDIUM: ssl: revert ssl/tls version settings relative to default-server.
Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. min-tlsxx and max-tlsxx can be overwrite on local definition. This directives should be the only ones needed in default-server. To simplify next patches (rework of tls versions settings with min/max) all ssl/tls version settings relative to default-server are reverted first: remove: 'sslv3', 'tls*', 'no-force-sslv3', 'no-force-tls*'. remove from default-server: 'no-sslv3', 'no-tls*'. Note: . force-tlsxx == min-tlsxx + max-tlsxx : would be ok in default-server. . no-tlsxx is keep for compatibility: should not be propagated to default-server.
This commit is contained in:
Emmanuel Hocdet
Willy Tarreau
parent
53ae85c38e
commit
6cb2d1e963
@ -10949,22 +10949,30 @@ force-sslv3
|
|||||||
This option enforces use of SSLv3 only when SSL is used to communicate with
|
This option enforces use of SSLv3 only when SSL is used to communicate with
|
||||||
the server. SSLv3 is generally less expensive than the TLS counterparts for
|
the server. SSLv3 is generally less expensive than the TLS counterparts for
|
||||||
high connection rates. This option is also available on global statement
|
high connection rates. This option is also available on global statement
|
||||||
"ssl-default-server-options". See also "no-force-sslv3", "no-tlsv*", "no-sslv3".
|
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
force-tlsv10
|
force-tlsv10
|
||||||
This option enforces use of TLSv1.0 only when SSL is used to communicate with
|
This option enforces use of TLSv1.0 only when SSL is used to communicate with
|
||||||
the server. This option is also available on global statement
|
the server. This option is also available on global statement
|
||||||
"ssl-default-server-options". See also "no-force-tlsv10", "no-tlsv*", "no-sslv3".
|
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
force-tlsv11
|
force-tlsv11
|
||||||
This option enforces use of TLSv1.1 only when SSL is used to communicate with
|
This option enforces use of TLSv1.1 only when SSL is used to communicate with
|
||||||
the server. This option is also available on global statement
|
the server. This option is also available on global statement
|
||||||
"ssl-default-server-options". See also "no-force-tlsv11", "no-tlsv*", "no-sslv3".
|
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
force-tlsv12
|
force-tlsv12
|
||||||
This option enforces use of TLSv1.2 only when SSL is used to communicate with
|
This option enforces use of TLSv1.2 only when SSL is used to communicate with
|
||||||
the server. This option is also available on global statement
|
the server. This option is also available on global statement
|
||||||
"ssl-default-server-options". See also "no-force-tlsv12", "no-tlsv*", "no-sslv3".
|
"ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
id <value>
|
id <value>
|
||||||
Set a persistent ID for the server. This ID must be positive and unique for
|
Set a persistent ID for the server. This ID must be positive and unique for
|
||||||
@ -11091,34 +11099,6 @@ no-check-ssl
|
|||||||
It may also be used as "default-server" setting to reset any previous
|
It may also be used as "default-server" setting to reset any previous
|
||||||
"default-server" "check-ssl" setting.
|
"default-server" "check-ssl" setting.
|
||||||
|
|
||||||
no-force-sslv3
|
|
||||||
This option may be used as "server" setting to reset any "force-sslv3"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "force-sslv3" setting.
|
|
||||||
|
|
||||||
no-force-tlsv10
|
|
||||||
This option may be used as "server" setting to reset any "force-tlsv10"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "force-tlsv10" setting.
|
|
||||||
|
|
||||||
no-force-tlsv11
|
|
||||||
This option may be used as "server" setting to reset any "force-tlsv11"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "force-tlsv11" setting.
|
|
||||||
|
|
||||||
no-force-tlsv12
|
|
||||||
This option may be used as "server" setting to reset any "force-tlsv12"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "force-tlsv12" setting.
|
|
||||||
|
|
||||||
no-send-proxy
|
no-send-proxy
|
||||||
This option may be used as "server" setting to reset any "send-proxy"
|
This option may be used as "server" setting to reset any "send-proxy"
|
||||||
setting which would have been inherited from "default-server" directive as
|
setting which would have been inherited from "default-server" directive as
|
||||||
@ -11165,6 +11145,8 @@ no-sslv3
|
|||||||
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
||||||
using any configuration option. See also "force-sslv3", "force-tlsv*".
|
using any configuration option. See also "force-sslv3", "force-tlsv*".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
no-tls-tickets
|
no-tls-tickets
|
||||||
This setting is only available when support for OpenSSL was built in. It
|
This setting is only available when support for OpenSSL was built in. It
|
||||||
disables the stateless session resumption (RFC 5077 TLS Ticket
|
disables the stateless session resumption (RFC 5077 TLS Ticket
|
||||||
@ -11181,6 +11163,8 @@ no-tlsv10
|
|||||||
option is also available on global statement "ssl-default-server-options".
|
option is also available on global statement "ssl-default-server-options".
|
||||||
See also "tlsv10", "force-sslv3", "force-tlsv*".
|
See also "tlsv10", "force-sslv3", "force-tlsv*".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
no-tlsv11
|
no-tlsv11
|
||||||
This option disables support for TLSv1.1 when SSL is used to communicate with
|
This option disables support for TLSv1.1 when SSL is used to communicate with
|
||||||
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
||||||
@ -11189,6 +11173,8 @@ no-tlsv11
|
|||||||
option is also available on global statement "ssl-default-server-options".
|
option is also available on global statement "ssl-default-server-options".
|
||||||
See also "tlsv11", "force-sslv3", "force-tlsv*".
|
See also "tlsv11", "force-sslv3", "force-tlsv*".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
no-tlsv12
|
no-tlsv12
|
||||||
This option disables support for TLSv1.2 when SSL is used to communicate with
|
This option disables support for TLSv1.2 when SSL is used to communicate with
|
||||||
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
the server. Note that SSLv2 is disabled in the code and cannot be enabled
|
||||||
@ -11197,6 +11183,8 @@ no-tlsv12
|
|||||||
option is also available on global statement "ssl-default-server-options".
|
option is also available on global statement "ssl-default-server-options".
|
||||||
See also "tlsv12", "force-sslv3", "force-tlsv*".
|
See also "tlsv12", "force-sslv3", "force-tlsv*".
|
||||||
|
|
||||||
|
Supported in default-server: No
|
||||||
|
|
||||||
no-verifyhost
|
no-verifyhost
|
||||||
This option may be used as "server" setting to reset any "verifyhost"
|
This option may be used as "server" setting to reset any "verifyhost"
|
||||||
setting which would have been inherited from "default-server" directive as
|
setting which would have been inherited from "default-server" directive as
|
||||||
@ -11435,13 +11423,6 @@ ssl
|
|||||||
See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
|
See the "no-ssl" to disable "ssl" option and "check-ssl" option to force
|
||||||
SSL health checks.
|
SSL health checks.
|
||||||
|
|
||||||
sslv3
|
|
||||||
This option may be used as "server" setting to reset any "no-sslv3"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "no-sslv3" setting.
|
|
||||||
|
|
||||||
ssl-reuse
|
ssl-reuse
|
||||||
This option may be used as "server" setting to reset any "no-ssl-reuse"
|
This option may be used as "server" setting to reset any "no-ssl-reuse"
|
||||||
setting which would have been inherited from "default-server" directive as
|
setting which would have been inherited from "default-server" directive as
|
||||||
@ -11478,27 +11459,6 @@ track [<proxy>/]<server>
|
|||||||
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
|
enabled. If <proxy> is omitted the current one is used. If disable-on-404 is
|
||||||
used, it has to be enabled on both proxies.
|
used, it has to be enabled on both proxies.
|
||||||
|
|
||||||
tlsv10
|
|
||||||
This option may be used as "server" setting to reset any "no-tlsv10"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "no-tlsv10" setting.
|
|
||||||
|
|
||||||
tlsv11
|
|
||||||
This option may be used as "server" setting to reset any "no-tlsv11"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "no-tlsv11" setting.
|
|
||||||
|
|
||||||
tlsv12
|
|
||||||
This option may be used as "server" setting to reset any "no-tlsv12"
|
|
||||||
setting which would have been inherited from "default-server" directive as
|
|
||||||
default value.
|
|
||||||
It may also be used as "default-server" setting to reset any previous
|
|
||||||
"default-server" "no-tlsv12" setting.
|
|
||||||
|
|
||||||
tls-tickets
|
tls-tickets
|
||||||
This option may be used as "server" setting to reset any "no-tls-tickets"
|
This option may be used as "server" setting to reset any "no-tls-tickets"
|
||||||
setting which would have been inherited from "default-server" directive as
|
setting which would have been inherited from "default-server" directive as
|
||||||
|
|||||||
@ -6597,52 +6597,6 @@ static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, s
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* parse the "no-force-sslv3" server keyword */
|
|
||||||
static int srv_parse_no_force_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
#ifndef OPENSSL_NO_SSL3
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_SSLV3;
|
|
||||||
return 0;
|
|
||||||
#else
|
|
||||||
if (err)
|
|
||||||
memprintf(err, "'%s' : library does not support protocol SSLv3", args[*cur_arg]);
|
|
||||||
return ERR_ALERT | ERR_FATAL;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "no-force-tlsv10" server keyword */
|
|
||||||
static int srv_parse_no_force_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV10;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "no-force-tlsv11" server keyword */
|
|
||||||
static int srv_parse_no_force_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
#if SSL_OP_NO_TLSv1_1
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV11;
|
|
||||||
return 0;
|
|
||||||
#else
|
|
||||||
if (err)
|
|
||||||
memprintf(err, "'%s' : library does not support protocol TLSv1.1", args[*cur_arg]);
|
|
||||||
return ERR_ALERT | ERR_FATAL;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "no-force-tlsv12" server keyword */
|
|
||||||
static int srv_parse_no_force_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
#if SSL_OP_NO_TLSv1_2
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_USE_TLSV12;
|
|
||||||
return 0;
|
|
||||||
#else
|
|
||||||
if (err)
|
|
||||||
memprintf(err, "'%s' : library does not support protocol TLSv1.2", args[*cur_arg]);
|
|
||||||
return ERR_ALERT | ERR_FATAL;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "no-send-proxy-v2-ssl" server keyword */
|
/* parse the "no-send-proxy-v2-ssl" server keyword */
|
||||||
static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
||||||
{
|
{
|
||||||
@ -6765,34 +6719,6 @@ static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, stru
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* parse the "sslv3" server keyword */
|
|
||||||
static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "tlsv10" server keyword */
|
|
||||||
static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "tlsv11" server keyword */
|
|
||||||
static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "tlsv12" server keyword */
|
|
||||||
static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
|
||||||
{
|
|
||||||
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* parse the "tls-tickets" server keyword */
|
/* parse the "tls-tickets" server keyword */
|
||||||
static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
|
||||||
{
|
{
|
||||||
@ -7538,28 +7464,20 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
|
|||||||
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 1 }, /* force TLSv11 */
|
{ "force-tlsv11", srv_parse_force_tlsv11, 0, 1 }, /* force TLSv11 */
|
||||||
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 1 }, /* force TLSv12 */
|
{ "force-tlsv12", srv_parse_force_tlsv12, 0, 1 }, /* force TLSv12 */
|
||||||
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
|
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
|
||||||
{ "no-force-sslv3", srv_parse_no_force_sslv3, 0, 1 }, /* do not force SSLv3 */
|
|
||||||
{ "no-force-tlsv10", srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
|
|
||||||
{ "no-force-tlsv11", srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
|
|
||||||
{ "no-force-tlsv12", srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
|
|
||||||
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
|
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
|
||||||
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
|
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
|
||||||
{ "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */
|
{ "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */
|
||||||
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
|
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
|
||||||
{ "no-sslv3", srv_parse_no_sslv3, 0, 1 }, /* disable SSLv3 */
|
{ "no-sslv3", srv_parse_no_sslv3, 0, 0 }, /* disable SSLv3 */
|
||||||
{ "no-tlsv10", srv_parse_no_tlsv10, 0, 1 }, /* disable TLSv10 */
|
{ "no-tlsv10", srv_parse_no_tlsv10, 0, 0 }, /* disable TLSv10 */
|
||||||
{ "no-tlsv11", srv_parse_no_tlsv11, 0, 1 }, /* disable TLSv11 */
|
{ "no-tlsv11", srv_parse_no_tlsv11, 0, 0 }, /* disable TLSv11 */
|
||||||
{ "no-tlsv12", srv_parse_no_tlsv12, 0, 1 }, /* disable TLSv12 */
|
{ "no-tlsv12", srv_parse_no_tlsv12, 0, 0 }, /* disable TLSv12 */
|
||||||
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
|
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
|
||||||
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
|
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
|
||||||
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */
|
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */
|
||||||
{ "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */
|
{ "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */
|
||||||
{ "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */
|
{ "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */
|
||||||
{ "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
|
{ "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
|
||||||
{ "sslv3", srv_parse_sslv3, 0, 1 }, /* enable SSLv3 */
|
|
||||||
{ "tlsv10", srv_parse_tlsv10, 0, 1 }, /* enable TLSv10 */
|
|
||||||
{ "tlsv11", srv_parse_tlsv11, 0, 1 }, /* enable TLSv11 */
|
|
||||||
{ "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */
|
|
||||||
{ "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
|
{ "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
|
||||||
{ "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
|
{ "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
|
||||||
{ "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */
|
{ "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user