mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-27 07:02:11 +00:00
MINOR: ssl: split config and runtime variable for ssl-{min,max}-ver
In the CLI command 'show ssl crt-list', the ssl-min-ver and the ssl-min-max arguments were always displayed because the dumped versions were the actual version computed and used by haproxy, instead of the version found in the configuration. To fix the problem, this patch separates the variables to have one with the configured version, and one with the actual version used. The dump only shows the configured version.
This commit is contained in:
parent
13dd45178e
commit
8177ad9895
@ -140,7 +140,8 @@ struct ssl_bind_conf {
|
|||||||
#endif
|
#endif
|
||||||
char *curves; /* curves suite to use for ECDHE */
|
char *curves; /* curves suite to use for ECDHE */
|
||||||
char *ecdhe; /* named curve to use for ECDHE */
|
char *ecdhe; /* named curve to use for ECDHE */
|
||||||
struct tls_version_filter ssl_methods; /* ssl methods */
|
struct tls_version_filter ssl_methods_cfg; /* original ssl methods found in configuration */
|
||||||
|
struct tls_version_filter ssl_methods; /* actual ssl methods used at runtime */
|
||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -70,7 +70,7 @@ shell {
|
|||||||
echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
||||||
printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
|
||||||
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
|
printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
|
||||||
@ -85,7 +85,7 @@ haproxy h1 -cli {
|
|||||||
haproxy h1 -cli {
|
haproxy h1 -cli {
|
||||||
send "show ssl crt-list ${testdir}/localhost.crt-list"
|
send "show ssl crt-list ${testdir}/localhost.crt-list"
|
||||||
# check the options and the filters in any order
|
# check the options and the filters in any order
|
||||||
expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
|
expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
|
||||||
}
|
}
|
||||||
|
|
||||||
client c1 -connect ${h1_clearlst_sock} {
|
client c1 -connect ${h1_clearlst_sock} {
|
||||||
|
@ -809,12 +809,20 @@ static int parse_tls_method_minmax(char **args, int cur_arg, struct tls_version_
|
|||||||
|
|
||||||
static int ssl_bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
static int ssl_bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
|
||||||
{
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
|
#if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
|
||||||
ha_warning("crt-list: ssl-min-ver and ssl-max-ver are not supported with this Openssl version (skipped).\n");
|
ha_warning("crt-list: ssl-min-ver and ssl-max-ver are not supported with this Openssl version (skipped).\n");
|
||||||
#endif
|
#endif
|
||||||
return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
|
ret = parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods_cfg, err);
|
||||||
}
|
if (ret != ERR_NONE)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
conf->ssl_methods.min = conf->ssl_methods_cfg.min;
|
||||||
|
conf->ssl_methods.max = conf->ssl_methods_cfg.max;
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||||
{
|
{
|
||||||
return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
|
return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
|
||||||
|
@ -702,15 +702,15 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
|
|||||||
|
|
||||||
/* the crt-lists only support ssl-min-ver and ssl-max-ver */
|
/* the crt-lists only support ssl-min-ver and ssl-max-ver */
|
||||||
/* XXX: this part need to be revamp so we don't dump the default settings */
|
/* XXX: this part need to be revamp so we don't dump the default settings */
|
||||||
if (conf->ssl_methods.min) {
|
if (conf->ssl_methods_cfg.min) {
|
||||||
if (space) chunk_appendf(buf, " ");
|
if (space) chunk_appendf(buf, " ");
|
||||||
chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods.min].name);
|
chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods_cfg.min].name);
|
||||||
space++;
|
space++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (conf->ssl_methods.max) {
|
if (conf->ssl_methods_cfg.max) {
|
||||||
if (space) chunk_appendf(buf, " ");
|
if (space) chunk_appendf(buf, " ");
|
||||||
chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods.max].name);
|
chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods_cfg.max].name);
|
||||||
space++;
|
space++;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user