- ssl-default-bind-sigalgs
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
+ - ssl-default-server-client-sigalgs
- ssl-default-server-options
- ssl-default-server-sigalgs
- ssl-dh-param-file
"ssl-default-server-ciphers" keyword. Please check the "server" keyword for
more information.
+ssl-default-server-client-sigalgs <sigalgs>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of signature algorithms related to
+ client authentication for all "server" lines which do not explicitly define
+ theirs. The format of the string is a colon-delimited list of signature
+ algorithms. Each signature algorithm can use one of two forms: TLS1.3 signature
+ scheme names ("rsa_pss_rsae_sha256") or the public key algorithm + digest form
+ ("ECDSA+SHA256"). A list can contain both forms. For more information on the
+ format, see SSL_CTX_set1_client_sigalgs(3). A list of signature algorithms is
+ also available in RFC8446 section 4.2.3 and in OpenSSL in the ssl/t1_lib.c
+ file. This setting is not applicable to TLSv1.1 and earlier versions of the
+ protocol as the signature algorithms aren't separately negotiated in these
+ versions. It is not recommended to change this setting unless compatibility
+ with a middlebox is required.
+
ssl-default-server-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
default ssl-options to force on all "server" lines. Please check the "server"
For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
keyword.
+client-sigalgs <sigalgs>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the string describing the list of signature algorithms related to client
+ authentication that are negotiated . The format of the string is defined in
+ "man 3 SSL_CTX_set1_client_sigalgs" from the OpenSSL man pages. It is not
+ recommended to use this setting if no specific usecase was identified.
+
cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to
<value>. This value will be checked in incoming requests, and the first
char *crl_file; /* CRLfile to use on verify */
char *client_crt; /* client certificate to send */
char *sigalgs; /* Signature algorithms */
+ char *client_sigalgs; /* Client Signature algorithms */
struct sample_expr *sni; /* sample expression for SNI */
char *npn_str; /* NPN protocol string */
int npn_len; /* NPN protocol string length */
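Review bot: The new `client_sigalgs` field receives a `strdup()`'d string (from the server keyword parser and from the global-default copy elsewhere in this commit), but no hunk in view releases it, so unless the server release path is updated in a hunk outside this view the string leaks when the server is freed. The `sigalgs` field on the preceding line presumably has a matching `free()` in that path; `client_sigalgs` needs the same, e.g. `free(srv->ssl_ctx.client_sigalgs);` next to it. A field comment stating ownership would make this visible to the next reader: `/* Client Signature algorithms (malloc'd, released with the server) */`. The enclosing struct starts before and ends after this hunk.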
#endif
#if defined(SSL_CTX_set1_sigalgs_list)
char *listen_default_client_sigalgs;
+ char *connect_default_client_sigalgs;
#endif
int listen_default_ssloptions;
int connect_default_ssloptions;
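Review bot: `connect_default_client_sigalgs` is added under the `#if defined(SSL_CTX_set1_sigalgs_list)` guard at the top of this hunk (inherited from `listen_default_client_sigalgs`), while every use of it in this commit is guarded by `#if defined(SSL_CTX_set1_client_sigalgs_list)` — the global-default copy, the keyword registration and the server-context setup further down. As far as I know current OpenSSL defines both macros together so this builds today, but a library exposing one without the other would yield either a dead field or a build break at the use sites. Guarding both client fields with `#if defined(SSL_CTX_set1_client_sigalgs_list)` keeps the declaration and its users in step; otherwise a comment stating the both-or-neither assumption would do. The enclosing struct starts before and ends after this hunk.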
{
char **target;
- target = &global_ssl.listen_default_client_sigalgs;
+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_client_sigalgs : &global_ssl.connect_default_client_sigalgs;
if (too_many_args(1, args, err, NULL))
return -1;
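Review bot: The new ternary selects the bind or server default by inspecting `args[0][12]`, a bare index into the keyword string that is only correct because "ssl-default-bind-" and "ssl-default-server-" first differ at that offset; nothing on the line says so, and a renamed or additional keyword routed to this parser would silently select the wrong slot. Name the two keywords being distinguished in a comment: `/* "ssl-default-bind-client-sigalgs" vs "ssl-default-server-client-sigalgs": char 12 is 'b' or 's' */`. The enclosing function starts before and ends after this hunk.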
}
#endif
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+ if (global_ssl.connect_default_client_sigalgs && !s->ssl_ctx.client_sigalgs) {
+ s->ssl_ctx.client_sigalgs = strdup(global_ssl.connect_default_client_sigalgs);
+ if (!s->ssl_ctx.client_sigalgs)
+ return 1;
+ }
+#endif
+
return 0;
}
}
#endif
+/* parse the "client-sigalgs" server keyword */
+static int srv_parse_client_sigalgs(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#ifndef SSL_CTX_set1_client_sigalgs_list
+ memprintf(err, "'%s' : library does not support setting signature algorithms", args[*cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#else
+ char *arg;
+
+ arg = args[*cur_arg + 1];
+ if (!*arg) {
+ memprintf(err, "'%s' : missing signature algorithm list", args[*cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+ newsrv->ssl_ctx.client_sigalgs = strdup(arg);
+ if (!newsrv->ssl_ctx.client_sigalgs) {
+ memprintf(err, "out of memory");
+ return ERR_ALERT | ERR_FATAL;
+ }
+ return 0;
+#endif
+}
+
+
/* parse the "crl-file" server keyword */
static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
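Review bot: `srv_parse_client_sigalgs` assigns a fresh `strdup()` to `newsrv->ssl_ctx.client_sigalgs` without releasing any previous value, so a server line that repeats `client-sigalgs`, or one that inherited the string from a default-server template if that copy path includes this field, leaks the earlier allocation. Release it first: `free(newsrv->ssl_ctx.client_sigalgs);` immediately before the `strdup`; `free(NULL)` is a no-op, so the common case needs no guard. The parser deliberately stores the list unvalidated and leaves syntax checking to `SSL_CTX_set1_client_sigalgs_list` at context setup, which is worth a one-line comment above the `strdup` so nobody adds a second validation here.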
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", srv_parse_ciphersuites, 1, 1, 1 }, /* select the cipher suite */
#endif
+ { "client-sigalgs", srv_parse_client_sigalgs, 1, 1, 1 }, /* signature algorithms */
{ "crl-file", srv_parse_crl_file, 1, 1, 1 }, /* set certificate revocation list file use on server cert verify */
{ "crt", srv_parse_crt, 1, 1, 1 }, /* set client certificate */
{ "force-sslv3", srv_parse_tls_method_options, 0, 1, 1 }, /* force SSLv3 */
#endif
#if defined(SSL_CTX_set1_client_sigalgs_list)
{ CFG_GLOBAL, "ssl-default-bind-client-sigalgs", ssl_parse_global_client_sigalgs },
+ { CFG_GLOBAL, "ssl-default-server-client-sigalgs", ssl_parse_global_client_sigalgs },
#endif
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
#if defined(SSL_CTX_set1_sigalgs_list)
const char *conf_sigalgs = NULL;
#endif
-
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+ const char *conf_client_sigalgs = NULL;
+#endif
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
}
}
#endif
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+ conf_client_sigalgs = srv->ssl_ctx.client_sigalgs;
+ if (conf_client_sigalgs) {
+ if (!SSL_CTX_set1_client_sigalgs_list(ctx, conf_client_sigalgs)) {
+ ha_alert("Proxy '%s': unable to set SSL Client Signature Algorithm list to '%s' for server '%s'.\n",
+ curproxy->id, conf_client_sigalgs, srv->id);
+ cfgerr++;
+ }
+ }
+#endif
return cfgerr;
}