warning will automatically be disabled when this setting is used, whatever
the number of processes used.
+ssl-default-bind-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of cipher algorithms ("cipher suite")
+ that are negociated during the SSL/TLS handshake for all "bind" lines which
+ do not explicitly define theirs. The format of the string is defined in
+ "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
+ as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
+ "bind" keyword for more information.
+
+ssl-default-server-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It
+ sets the default string describing the list of cipher algorithms that are
+ negociated during the SSL/TLS handshake with the server, for all "server"
+ lines which do not explicitly define theirs. The format of the string is
+ defined in "man 1 ciphers". Please check the "server" keyword for more
+ information.
+
ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if
Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "ssl-default-bind-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.listen_default_ciphers);
+ global.listen_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "ssl-default-server-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.connect_default_ciphers);
+ global.connect_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
#endif
}
else if (!strcmp(args[0], "ssl-server-verify")) {
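Review bot: The result of `strdup(args[1])` is stored without a check in both the "ssl-default-bind-ciphers" and "ssl-default-server-ciphers" branches. On allocation failure the global becomes NULL, and parsing continues as if no default had been configured. Presumably "bind" and "server" lines would then fall back to the library's cipher list rather than the operator's restricted one, so the failure should be fatal. After each assignment I would add `if (!global.listen_default_ciphers) { Alert("parsing [%s:%d] : out of memory.\n", file, linenum); err_code |= ERR_ALERT | ERR_FATAL; goto out; }`, and the same for `connect_default_ciphers`. The same unchecked `strdup()` appears in the SSL initialisation hunk, where a failure would silently discard the build-time LISTEN_DEFAULT_CIPHERS / CONNECT_DEFAULT_CIPHERS value. The enclosing parser function starts and ends outside this hunk.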
#ifdef DEFAULT_MAXSSLCONN
.maxsslconn = DEFAULT_MAXSSLCONN,
#endif
-#ifdef LISTEN_DEFAULT_CIPHERS
- .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERS
- .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
-#endif
#endif
/* others NULL OK */
};
{
STACK_OF(SSL_COMP)* cm;
+#ifdef LISTEN_DEFAULT_CIPHERS
+ global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS;
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+ global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS;
+#endif
+ if (global.listen_default_ciphers)
+ global.listen_default_ciphers = strdup(global.listen_default_ciphers);
+ if (global.connect_default_ciphers)
+ global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+
SSL_library_init();
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
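Review bot: The two `strdup()` calls that copy each global onto itself have no comment, and the reason for them is not visible in this hunk. They appear to exist because the configuration parser now calls `free()` on these pointers, so the compile-time string literals must be replaced by heap copies first. A comment above the `#ifdef LISTEN_DEFAULT_CIPHERS` block would make that ownership rule explicit, for example `/* defaults must be heap-allocated: the "ssl-default-*-ciphers" keywords free() and replace them */`. Without it, a later change that assigns a literal directly would lead to `free()` being called on a non-heap pointer. The enclosing function starts and ends outside the hunk.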