MEDIUM: ssl: add support for prefer-server-ciphers option

I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option to frontend, if the 'prefer-server-ciphers' keyword is set. Example : bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers This option mitigate the effect of the BEAST Attack (as I understand), and it equivalent to : - Apache HTTPd SSLHonorCipherOrder option. - Nginx ssl_prefer_server_ciphers option. [WT: added a test for the support of the option]
2024-12-14 15:34:35 +00:00 · 2012-09-04 15:15:13 +02:00 · 2012-09-04 15:15:13 +02:00 · e566ecbea8
commit e566ecbea8
parent ff9f7698fc
2 changed files with 24 additions and 0 deletions
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@ -137,6 +137,7 @@ struct listener {
 		char *ciphers;		/* cipher suite to use if non-null */
 		int nosslv3;		/* disable SSLv3 */
 		int notlsv1;		/* disable TLSv1 */
+		int prefer_server_ciphers; /* Prefer server ciphers */
 	} ssl_ctx;
 #endif
 	/* warning: this struct is huge, keep it at the bottom */
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -1889,6 +1889,23 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
 			}

+			if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
+#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+				struct listener *l;
+
+				for (l = curproxy->listen; l != last_listen; l = l->next)
+					l->ssl_ctx.prefer_server_ciphers = 1;
+
+				cur_arg += 1;
+				continue;
+#else
+				Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+				      file, linenum, args[0], args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif
+			}
+
 			if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
 				struct listener *l;

@ -6794,6 +6811,10 @@ out_uri_auth_compat:
 			}

 #ifdef USE_OPENSSL
+#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE                 /* needs OpenSSL >= 0.9.7 */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
+#endif
+
 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	/* needs OpenSSL >= 0.9.7 */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
 #endif
@ -6827,6 +6848,8 @@ out_uri_auth_compat:
 					ssloptions |= SSL_OP_NO_SSLv3;
 				if (listener->ssl_ctx.notlsv1)
 					ssloptions |= SSL_OP_NO_TLSv1;
+				if (listener->ssl_ctx.prefer_server_ciphers)
+					ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 				SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
 				SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
 				SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);