diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 77a3eb055..ec57f8867 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -136,7 +136,7 @@ struct ssl_bind_conf {
 char *ca_verify_file; /* CAverify file to use on verify only */
 char *crl_file; /* CRLfile to use on verify */
 char *ciphers; /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
 #endif
 char *curves; /* curves suite to use for ECDHE */
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 0bc9ac07a..6b5a489e1 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -47,6 +47,10 @@
 #define OpenSSL_version_num SSLeay
 #endif
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
 /* Functions present in OpenSSL 0.9.8, older not tested */
 static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index 694cc3d96..0e66be693 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -309,7 +309,7 @@ struct server {
 int allocated_size;
 } * reused_sess;
 char *ciphers; /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
 #endif
 int options; /* ssl options */
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 58faebe1f..c0f47cbb6 100644
--- a/include/haproxy/ssl_sock-t.h
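Review bot: The new HAVE_SSL_CTX_SET_CIPHERSUITES definition tests OPENSSL_VERSION_NUMBER, while the guards it replaces and the `#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)` context line directly below it test HA_OPENSSL_VERSION_NUMBER; with LibreSSL excluded by name the two presumably agree here, but a single spelling per header is easier to audit, so `#if ((HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))` would be the consistent form, provided HA_OPENSSL_VERSION_NUMBER is already defined at that point of the header. Since this macro now gates every TLS 1.3 cipher-suite code path in the tree, it deserves a comment stating what it asserts, e.g. `/* SSL_CTX_set_ciphersuites() (TLS 1.3 cipher suites) is available: OpenSSL 1.1.1+, not LibreSSL or BoringSSL */`. Excluding LibreSSL by name rather than by version means a fork release that does provide the function would still be treated as lacking it; worth revisiting if such a version is confirmed.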
+++ b/include/haproxy/ssl_sock-t.h
@@ -270,7 +270,7 @@ struct global_ssl {
 char *listen_default_ciphers;
 char *connect_default_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 char *listen_default_ciphersuites;
 char *connect_default_ciphersuites;
 #endif
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0d7c7c368..47e059297 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -203,7 +203,7 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
 return 0;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
 * in global section. Returns <0 on alert, >0 on warning, 0 on success.
 */
@@ -613,7 +613,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
 return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ciphersuites" bind keyword */
 static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
@@ -1049,7 +1049,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
 conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
 conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
 #endif
@@ -1362,7 +1362,7 @@ static void ssl_sock_init_srv(struct server *s)
 {
 if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
 s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites)
 s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
 #endif
@@ -1397,7 +1397,7 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
 return 0;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 /* parse the "ciphersuites" server keyword */
 static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -1733,7 +1733,7 @@ struct ssl_bind_kw ssl_bind_kws[] = {
 { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process ca-names and verify on client cert */
 { "ca-verify-file", ssl_bind_parse_ca_verify_file, 1 }, /* set CAverify file to process verify on client cert */
 { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
 #endif
 { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
@@ -1758,7 +1758,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
 { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
 { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
 #endif
 { "crl-file", bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
@@ -1808,7 +1808,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
 { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
 { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
 #endif
 { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
@@ -1877,7 +1877,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #if defined(SSL_CTX_set1_curves_list)
 { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
 { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
 #endif
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f72f60ea9..ba0979997 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -50,7 +50,7 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
 conf->crl_file = NULL;
 free(conf->ciphers);
 conf->ciphers = NULL;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 free(conf->ciphersuites);
 conf->ciphersuites = NULL;
 #endif
@@ -109,7 +109,7 @@ struct ssl_bind_conf *crtlist_dup_ssl_conf(struct ssl_bind_conf *src)
 if (!dst->ciphers)
 goto error;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (src->ciphersuites) {
 dst->ciphersuites = strdup(src->ciphersuites);
 if (!dst->ciphersuites)
@@ -832,7 +832,7 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
 chunk_appendf(buf, "ciphers %s", conf->ciphers);
 space++;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (conf->ciphersuites) {
 if (space) chunk_appendf(buf, " ");
 chunk_appendf(buf, "ciphersuites %s", conf->ciphersuites);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5a0cd2b3d..b7d3b92b4 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -104,13 +104,9 @@ struct global_ssl global_ssl = {
 #ifdef CONNECT_DEFAULT_CIPHERS
 .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
 #endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-#ifdef LISTEN_DEFAULT_CIPHERSUITES
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERSUITES
 .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
-#endif
 #endif
 .listen_default_ssloptions = BC_SSL_O_NONE,
 .connect_default_ssloptions = SRV_SSL_O_NONE,
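Review bot: Removing the inner `#ifdef LISTEN_DEFAULT_CIPHERSUITES` / `#ifdef CONNECT_DEFAULT_CIPHERSUITES` guards in the global_ssl initializer makes it reference both macros unconditionally whenever HAVE_SSL_CTX_SET_CIPHERSUITES is defined, so a build that does not define them now fails to compile instead of leaving the fields NULL (in which case, per the ssl_sock_prepare_ctx hunk further down, SSL_CTX_set_ciphersuites is simply not called and the library's own TLS 1.3 defaults presumably apply). Unless a fallback definition is guaranteed elsewhere — nothing in this diff shows one — keep the inner guards or add `#ifndef LISTEN_DEFAULT_CIPHERSUITES` style defaults next to the macro. The sibling `.connect_default_ciphers` initializer three lines above is still wrapped in `#ifdef CONNECT_DEFAULT_CIPHERS`, so the two families are now handled differently within the same initializer; a short comment stating where the ciphersuites macros are expected to come from would resolve the ambiguity. The initializer continues outside the hunk.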
@@ -4054,7 +4050,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 int verify = SSL_VERIFY_NONE;
 struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
 const char *conf_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 const char *conf_ciphersuites;
 #endif
 const char *conf_curves = NULL;
@@ -4162,7 +4158,7 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
 cfgerr |= ERR_ALERT | ERR_FATAL;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
 if (conf_ciphersuites &&
 !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
@@ -4619,7 +4615,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
 cfgerr++;
 }
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (srv->ssl_ctx.ciphersuites &&
 !SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
 ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
@@ -6721,7 +6717,7 @@ static void __ssl_sock_init(void)
 global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
 if (global_ssl.connect_default_ciphers)
 global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 if (global_ssl.listen_default_ciphersuites)
 global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
 if (global_ssl.connect_default_ciphersuites)