- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
+ - ssl-default-server-sigalgs
- ssl-dh-param-file
- ssl-propquery
- ssl-provider
default ssl-options to force on all "server" lines. Please check the "server"
keyword to see available options.
+ssl-default-server-sigalgs <sigalgs>
+ This setting is only available when support for OpenSSL was built in. It
+ sets the default string describing the list of signature algorithms that
+ are negotiated during the TLSv1.2 and TLSv1.3 handshake for all "server" lines
+ which do not explicitly define theirs. The format of the string is a
+ colon-delimited list of signature algorithms. Each signature algorithm can
+ use one of two forms: TLS1.3 signature scheme names ("rsa_pss_rsae_sha256")
+ or the public key algorithm + digest form ("ECDSA+SHA256"). A list
+ can contain both forms. For more information on the format,
+ see SSL_CTX_set1_sigalgs(3). A list of signature algorithms is also
+ available in RFC8446 section 4.2.3 and in OpenSSL in the ssl/t1_lib.c file.
+ This setting is not applicable to TLSv1.1 and earlier versions of the
+ protocol as the signature algorithms aren't separately negotiated in these
+ versions. It is not recommended to change this setting unless compatibility
+ with a middlebox is required.
+
ssl-dh-param-file <file>
This setting is only available when support for OpenSSL was built in. It sets
the default DH parameters that are used during the SSL/TLS handshake when
peer C 127.0.0.1:40003 shard 2
peer D 127.0.0.1:40004 shard 3
+sigalgs <sigalgs>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the string describing the list of signature algorithms that are negotiated
+ during the TLSv1.2 and TLSv1.3 handshake. The format of the string is defined
+ in "man 3 SSL_CTX_set1_sigalgs" from the OpenSSL man pages. It is not
+ recommended to use this setting unless compatibility with a middlebox is
+ required.
slowstart <start_time_in_ms>
The "slowstart" parameter for a server accepts a value in milliseconds which
#if defined(SSL_CTX_set1_sigalgs_list)
/*
- * parse the "ssl-default-bind-sigalgs" keyword in a global section.
+ * parse the "ssl-default-bind-sigalgs" and "ssl-default-server-sigalgs" keyword in a global section.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_sigalgs(char **args, int section_type, struct proxy *curpx,
{
char **target;
- target = &global_ssl.listen_default_sigalgs;
+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_sigalgs : &global_ssl.connect_default_sigalgs;
if (too_many_args(1, args, err, NULL))
return -1;
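Review bot: Selecting the target by `args[0][12] == 'b'` on the assignment line ties correctness to the exact spelling and length of the two keyword strings registered in the global keyword table; a later rename, or a third keyword sharing the "ssl-default-" prefix, would silently pick the wrong global. Comparing the whole keyword costs nothing here and documents the intent: `target = (strcmp(args[0], "ssl-default-bind-sigalgs") == 0) ? &global_ssl.listen_default_sigalgs : &global_ssl.connect_default_sigalgs;`. The updated header comment should also say "keywords" rather than "keyword" now that it names two of them. The rest of ssl_parse_global_sigalgs, including the point where *target is assigned, lies outside the hunk.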
if (!s->ssl_ctx.methods.max)
s->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
+#if defined(SSL_CTX_set1_sigalgs_list)
+ if (global_ssl.connect_default_sigalgs && !s->ssl_ctx.sigalgs) {
+ s->ssl_ctx.sigalgs = strdup(global_ssl.connect_default_sigalgs);
+ if (!s->ssl_ctx.sigalgs)
+ return 1;
+ }
+#endif
+
return 0;
}
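Review bot: The new block guarded by `if (global_ssl.connect_default_sigalgs && !s->ssl_ctx.sigalgs)` carries no comment explaining why the copy is conditional; a one-liner such as `/* an explicit "sigalgs" keyword on the server line takes precedence over the global default */` would make the precedence rule visible to the next reader. The `return 1;` on strdup failure propagates no diagnostic; if the enclosing function's existing allocation-failure paths (outside the hunk) also return 1 silently this is consistent, otherwise it should follow them. The start of the enclosing function is outside the hunk.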
return 0;
}
+/* parse the "sigalgs" server keyword */
+static int srv_parse_sigalgs(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#ifndef SSL_CTX_set1_sigalgs_list
+ memprintf(err, "'%s' : library does not support setting signature algorithms", args[*cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+#else
+ char *arg;
+
+ arg = args[*cur_arg + 1];
+ if (!*arg) {
+ memprintf(err, "'%s' : missing signature algorithm list", args[*cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+ newsrv->ssl_ctx.sigalgs = strdup(arg);
+ if (!newsrv->ssl_ctx.sigalgs) {
+ memprintf(err, "out of memory");
+ return ERR_ALERT | ERR_FATAL;
+ }
+ return 0;
+#endif
+}
+
/* parse the "sni" server keyword */
static int srv_parse_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
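Review bot: `newsrv->ssl_ctx.sigalgs = strdup(arg);` in srv_parse_sigalgs overwrites whatever the field already holds, so a server line that repeats "sigalgs" leaks the earlier copy. Release the previous string first: `free(newsrv->ssl_ctx.sigalgs); newsrv->ssl_ctx.sigalgs = strdup(arg);`. If the default-server settings copy (not in this chunk) also duplicates sigalgs into each new server, an explicit keyword on the server line would otherwise leak that inherited copy as well.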
{ "npn", srv_parse_npn, 1, 1, 1 }, /* Set NPN supported protocols */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1, 1 }, /* send PROXY protocol header v2 with CN */
+ { "sigalgs", srv_parse_sigalgs, 1, 1, 1 }, /* signature algorithms */
{ "sni", srv_parse_sni, 1, 1, 1 }, /* send SNI extension */
{ "ssl", srv_parse_ssl, 0, 1, 1 }, /* enable SSL processing */
{ "ssl-min-ver", srv_parse_tls_method_minmax, 1, 1, 1 }, /* minimum version */
#endif
#if defined(SSL_CTX_set1_sigalgs_list)
{ CFG_GLOBAL, "ssl-default-bind-sigalgs", ssl_parse_global_sigalgs },
+ { CFG_GLOBAL, "ssl-default-server-sigalgs", ssl_parse_global_sigalgs },
#endif
#if defined(SSL_CTX_set1_client_sigalgs_list)
{ CFG_GLOBAL, "ssl-default-bind-client-sigalgs", ssl_parse_global_client_sigalgs },
const struct tls_version_filter *conf_ssl_methods = &srv->ssl_ctx.methods;
int i, min, max, hole;
int flags = MC_SSL_O_ALL;
+#if defined(SSL_CTX_set1_sigalgs_list)
+ const char *conf_sigalgs = NULL;
+#endif
+
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
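Review bot: `const char *conf_sigalgs = NULL;` is declared at the top of the function inside its own `#if` block only to be unconditionally reassigned from `srv->ssl_ctx.sigalgs` in the second `#if` block further down (the hunk ending at `return cfgerr;`), which splits one small feature across two preprocessor regions. Since the file already declares locals mid-block, the declaration can move to the point of use, `const char *conf_sigalgs = srv->ssl_ctx.sigalgs;`, and this hunk's four added lines can be dropped. The enclosing function begins before this hunk and ends in the later one.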
SSL_CTX_set_alpn_protos(ctx, (unsigned char *)srv->ssl_ctx.alpn_str, srv->ssl_ctx.alpn_len);
#endif
+#if defined(SSL_CTX_set1_sigalgs_list)
+ conf_sigalgs = srv->ssl_ctx.sigalgs;
+ if (conf_sigalgs) {
+ if (!SSL_CTX_set1_sigalgs_list(ctx, conf_sigalgs)) {
+ ha_alert("Proxy '%s': unable to set SSL Signature Algorithm list to '%s' for server '%s'.\n",
+ curproxy->id, conf_sigalgs, srv->id);
+ cfgerr++;
+ }
+ }
+#endif
return cfgerr;
}