diff --git a/include/types/listener.h b/include/types/listener.h
index 997a59720..b815cc337 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -140,7 +140,8 @@ struct ssl_bind_conf {
 #endif
 	char *curves; /* curves suite to use for ECDHE */
 	char *ecdhe; /* named curve to use for ECDHE */
-	struct tls_version_filter ssl_methods; /* ssl methods */
+	struct tls_version_filter ssl_methods_cfg; /* original ssl methods found in configuration */
+	struct tls_version_filter ssl_methods; /* actual ssl methods used at runtime */
 #endif
 };
diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc
index 28666195e..b5ca7797a 100644
--- a/reg-tests/ssl/add_ssl_crt-list.vtc
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@@ -70,7 +70,7 @@ shell {
 	echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
 	printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
 	echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
-	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
 	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
 	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
 	printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
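Review bot: The comment on the re-added `ssl_methods` field says what it is but not how it relates to the new `ssl_methods_cfg`, and the two-field split only holds if every writer keeps `ssl_methods` initialized from `ssl_methods_cfg` and touches only the runtime side afterwards; the cfgparse-ssl.c hunk is the only writer visible in this diff. I would state the contract on the field itself, e.g. `/* ssl methods in effect at runtime: initialized from ssl_methods_cfg and presumably adjusted later; dump ssl_methods_cfg, never this */`. Any code that copies or duplicates a struct ssl_bind_conf field by field (crt-list reload paths, if there are any) now has to carry both members, which is worth checking outside this diff.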
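Review bot: The new `ssl-min-ver SSLv3` option on the printf line at 70 is only checked by being echoed back from `show ssl crt-list` (the `expect` regex in the @@ -85 hunk), so the test exercises `ssl_methods_cfg` but not the `ssl_methods` copy that the cfgparse-ssl.c hunk introduces; a regression that dropped the `conf->ssl_methods.min = ...` assignments would still pass. If a runtime assertion is feasible in this vtc, a client connection constrained to a version below the configured minimum and expected to be refused would cover it; if not, a comment on the printf line such as `# dump round-trip only: the runtime ssl_methods copy is not verified here` at least makes the gap explicit. SSLv3 is fine as a parse/dump value, but since it is not enabled in typical OpenSSL builds it cannot double as a runtime check.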
@@ -85,7 +85,7 @@ haproxy h1 -cli {
 haproxy h1 -cli {
 	send "show ssl crt-list ${testdir}/localhost.crt-list"
 	# check the options and the filters in any order
-	expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
+	expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
 }
 client c1 -connect ${h1_clearlst_sock} {
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 374ca920b..5c3688110 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -809,12 +809,20 @@ static int parse_tls_method_minmax(char **args, int cur_arg, struct tls_version_
 static int ssl_bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
+	int ret;
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
 	ha_warning("crt-list: ssl-min-ver and ssl-max-ver are not supported with this Openssl version (skipped).\n");
 #endif
-	return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
-}
+	ret = parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods_cfg, err);
+	if (ret != ERR_NONE)
+		return ret;
+	conf->ssl_methods.min = conf->ssl_methods_cfg.min;
+	conf->ssl_methods.max = conf->ssl_methods_cfg.max;
+
+	return ret;
+}
 static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 	return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 25d84457f..baeb81d47 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
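Review bot: The early return `if (ret != ERR_NONE) return ret;` skips the copy into `ssl_methods` for any non-zero code, not just fatal ones; if parse_tls_method_minmax ever returns a warning flag while still having stored the parsed value (its body is outside this hunk, so I cannot confirm), `ssl_methods_cfg` and `ssl_methods` would silently diverge and the runtime filter would keep the stale value. Keying on the fatal bits, `if (ret & ERR_CODE) return ret;`, or copying unconditionally before returning, avoids that class of bug. With the early return in place the trailing `return ret;` is always ERR_NONE and would read more honestly as `return ERR_NONE;`. The function also carries no explanation of the two-field dance; I would put `/* keep the configured versions in ssl_methods_cfg for "show ssl crt-list"; ssl_methods is what is actually applied and may be adjusted at runtime */` above the parse call.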
@@ -702,15 +702,15 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
 	/* the crt-lists only support ssl-min-ver and ssl-max-ver */
 	/* XXX: this part need to be revamp so we don't dump the default settings */
-	if (conf->ssl_methods.min) {
+	if (conf->ssl_methods_cfg.min) {
 		if (space) chunk_appendf(buf, " ");
-		chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods.min].name);
+		chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods_cfg.min].name);
 		space++;
 	}
-	if (conf->ssl_methods.max) {
+	if (conf->ssl_methods_cfg.max) {
 		if (space) chunk_appendf(buf, " ");
-		chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods.max].name);
+		chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods_cfg.max].name);
 		space++;
 	}
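Review bot: The `/* XXX: this part need to be revamp so we don't dump the default settings */` comment kept just above the changed lines looks stale after this hunk: the dump now reads `ssl_methods_cfg`, which the `if (conf->ssl_methods_cfg.min)` / `.max` guards treat as unset when zero, so values that only reach `ssl_methods` at runtime no longer get echoed, which is the point of the fix. If nothing else seeds `ssl_methods_cfg`, drop the XXX or reword it to `/* dump ssl_methods_cfg, not ssl_methods: only versions written in the crt-list are echoed */`; if some other path can still store defaults there, keep the XXX but name that path so the next reader knows what remains to be revamped. dump_crtlist_sslconf starts before this hunk.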