global
log stdout local0
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
defaults
mode http
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- - tune.ssl.capture-cipherlist-size
+ - tune.ssl.capture-buffer-size
+ - tune.ssl.capture-cipherlist-size (deprecated)
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
dynamically is expensive, they are cached. The default cache size is set to
1000 entries.
-tune.ssl.capture-cipherlist-size <number>
+tune.ssl.capture-buffer-size <number>
+tune.ssl.capture-cipherlist-size <number> (deprecated)
Sets the maximum size of the buffer used for capturing client hello cipher
list, extensions list, elliptic curves list and elliptic curve point
formats. If the value is 0 (default value) the capture is disabled,
ssl_fc_cipherlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_hex([<filter_option>]) : string
Returns the binary form of the client hello cipher list encoded as
hexadecimal. The maximum returned value length is limited by the shared
- capture buffer size controlled by "tune.ssl.capture-cipherlist-size"
- setting. Setting <filter_option> allows to filter returned data. Accepted
- values:
+ capture buffer size controlled by "tune.ssl.capture-buffer-size" setting.
+ Setting <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_str([<filter_option>]) : string
Returns the decoded text form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_xxh : integer
Returns a xxh64 of the cipher list. This hash can return only if the value
- "tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash
- take into account all the data of the cipher list.
+ "tune.ssl.capture-buffer-size" is set greater than 0, however the hash take
+ into account all the data of the cipher list.
ssl_fc_ecformats_bin : binary
Return the binary form of the client hello supported elliptic curve point
formats. The maximum returned value length is limited by the shared capture
- buffer size controlled by "tune.ssl.capture-cipherlist-size" setting.
+ buffer size controlled by "tune.ssl.capture-buffer-size" setting.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
ssl_fc_eclist_bin([<filter_option>]) : binary
Returns the binary form of the client hello supported elliptic curves. The
maximum returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of supported elliptic curves (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_extlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello extension list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of extensions (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_protocol_hello_id : integer
The version of the TLS protocol by which the client wishes to communicate
during the session as indicated in client hello message. This value can
- return only if the value "tune.ssl.capture-cipherlist-size" is set greater
- than 0.
+ return only if the value "tune.ssl.capture-buffer-size" is set greater than
+ 0.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
unsigned int max_record; /* SSL max record size */
unsigned int default_dh_param; /* SSL maximum DH parameter size */
int ctx_cache; /* max number of entries in the ssl_ctx cache. */
- int capture_cipherlist; /* Size of the cipherlist buffer. */
+ int capture_buffer_size; /* Size of the capture buffer. */
int keylog; /* activate keylog */
int extra_files; /* which files not defined in the configuration file are we looking for */
int extra_files_noext; /* whether we remove the extension when looking up a extra file */
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
ssl-load-extra-del-ext
stats socket "${tmpdir}/h1/stats" level admin
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
nbthread 1
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
ca-base ${testdir}
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
listen frt
mode http
target = &global_ssl.ctx_cache;
else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn;
- else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0)
- target = &global_ssl.capture_cipherlist;
+ else if (strcmp(args[0], "tune.ssl.capture-buffer-size") == 0)
+ target = &global_ssl.capture_buffer_size;
+ else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) {
+ target = &global_ssl.capture_buffer_size;
+ ha_warning("parsing [%s:%d]: '%s' is deprecated and will be removed in version 2.7. Please use 'tune.ssl.capture-buffer-size' instead.\n",
+ file, line, args[0]);
+ }
else {
memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]);
return -1;
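Review bot: The deprecated-keyword branch added on L224-L228 emits its warning at the point `target` is chosen, which is before the value itself is handled (that part of the function is below the hunk, outside this view), so a bad value for the old keyword presumably yields both a deprecation warning and the parse error. Nothing in this branch or in the keyword table (the `tune.ssl.capture-cipherlist-size` entry kept on L253) marks where the alias must be removed, so the "will be removed in version 2.7" promise lives only inside the message string. I would add `/* deprecated alias of tune.ssl.capture-buffer-size, drop in 2.7 */` on this branch and the same comment on the table entry so the two places are found together when the time comes. The enclosing function starts and ends outside the hunk.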
return 0;
}
-static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx,
- const struct proxy *defpx, const char *file, int line,
- char **err)
+static int ssl_parse_global_capture_buffer(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
{
int ret;
return -1;
}
- pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED);
+ pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_buffer_size, MEM_F_SHARED);
if (!pool_head_ssl_capture) {
memprintf(err, "Out of memory error.");
return -1;
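Review bot: `sizeof(struct ssl_capture) + global_ssl.capture_buffer_size` adds a size_t to the `int` field declared on L93, so a negative value would wrap into a huge pool size unless the integer parser this function relies on rejects it; that check is not visible in the hunk, so if it is not there I would guard explicitly before the call: `if (global_ssl.capture_buffer_size < 0) { memprintf(err, "'%s' expects a positive integer argument.", args[0]); return -1; }`. With two keywords now writing the same field, a configuration that sets both (or repeats one) reaches create_pool a second time without releasing the first pool; worth confirming that create_pool with MEM_F_SHARED reuses an equal-sized pool rather than leaking one. ssl_parse_global_capture_buffer starts outside this hunk.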
{ CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
- { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
+ { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_buffer },
+ { CFG_GLOBAL, "tune.ssl.capture-buffer-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
#endif
.default_dh_param = SSL_DEFAULT_DH_PARAM,
.ctx_cache = DEFAULT_SSL_CTX_CACHE,
- .capture_cipherlist = 0,
+ .capture_buffer_size = 0,
.extra_files = SSL_GF_ALL,
.extra_files_noext = 0,
#ifdef HAVE_SSL_KEYLOG
if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat))
return ERR_ABORT;
#endif
- if (global_ssl.capture_cipherlist > 0) {
+ if (global_ssl.capture_buffer_size > 0) {
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
return ERR_ABORT;
}
capture->xxh64 = XXH64(msg, rec_len, 0);
/* Capture the ciphersuite. */
- capture->ciphersuite_len = MIN(global_ssl.capture_cipherlist, rec_len);
+ capture->ciphersuite_len = MIN(global_ssl.capture_buffer_size, rec_len);
capture->ciphersuite_offset = 0;
memcpy(capture->data, msg, capture->ciphersuite_len);
msg += rec_len;
/* Parse each extension */
while (msg + 4 < extensions_end) {
/* Add 2 bytes of extension_id */
- if (global_ssl.capture_cipherlist >= offset + 2) {
+ if (global_ssl.capture_buffer_size >= offset + 2) {
capture->data[offset++] = msg[0];
capture->data[offset++] = msg[1];
capture->extensions_len += 2;
if (ec_start) {
rec_len = ec_len;
- if (offset + rec_len > global_ssl.capture_cipherlist)
- rec_len = global_ssl.capture_cipherlist - offset;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_start, rec_len);
capture->ec_offset = offset;
capture->ec_len = rec_len;
}
if (ec_formats_start) {
rec_len = ec_formats_len;
- if (offset + rec_len > global_ssl.capture_cipherlist)
- rec_len = global_ssl.capture_cipherlist - offset;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_formats_start, rec_len);
capture->ec_formats_offset = offset;
capture->ec_formats_len = rec_len;