From: Willy Tarreau Date: Thu, 13 Feb 2014 10:36:41 +0000 (+0100) Subject: MINOR: config: add global directives to set default SSL ciphers X-Git-Tag: v1.5-dev23~164 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=610f04bbf6b9fa437101f376425e3f27ffef71d3;p=thirdparty%2Fhaproxy.git MINOR: config: add global directives to set default SSL ciphers The ability to globally override the default client and server cipher suites has been requested multiple times since the introduction of SSL. This commit adds two new keywords to the global section for this : - ssl-default-bind-ciphers - ssl-default-server-ciphers It is still possible to preset them at build time by setting the macros LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 7af752e47e..35dcf37e7c 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -629,6 +629,23 @@ stats bind-process [ all | odd | even | [-] ] ... warning will automatically be disabled when this setting is used, whatever the number of processes used. +ssl-default-bind-ciphers + This setting is only available when support for OpenSSL was built in. It sets + the default string describing the list of cipher algorithms ("cipher suite") + that are negociated during the SSL/TLS handshake for all "bind" lines which + do not explicitly define theirs. The format of the string is defined in + "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such + as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the + "bind" keyword for more information. + +ssl-default-server-ciphers + This setting is only available when support for OpenSSL was built in. It + sets the default string describing the list of cipher algorithms that are + negociated during the SSL/TLS handshake with the server, for all "server" + lines which do not explicitly define theirs. The format of the string is + defined in "man 1 ciphers". Please check the "server" keyword for more + information. + ssl-server-verify [none|required] The default behavior for SSL verify on servers side. If specified to 'none', servers certificates are not verified. The default is 'required' except if diff --git a/src/cfgparse.c b/src/cfgparse.c index 462187a756..88231f9535 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -881,6 +881,36 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); err_code |= ERR_ALERT | ERR_FATAL; goto out; +#endif + } + else if (!strcmp(args[0], "ssl-default-bind-ciphers")) { +#ifdef USE_OPENSSL + if (*(args[1]) == 0) { + Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + free(global.listen_default_ciphers); + global.listen_default_ciphers = strdup(args[1]); +#else + Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; +#endif + } + else if (!strcmp(args[0], "ssl-default-server-ciphers")) { +#ifdef USE_OPENSSL + if (*(args[1]) == 0) { + Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + free(global.connect_default_ciphers); + global.connect_default_ciphers = strdup(args[1]); +#else + Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; #endif } else if (!strcmp(args[0], "ssl-server-verify")) { diff --git a/src/haproxy.c b/src/haproxy.c index 182570570d..45d1bd74aa 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -161,12 +161,6 @@ struct global global = { #ifdef DEFAULT_MAXSSLCONN .maxsslconn = DEFAULT_MAXSSLCONN, #endif -#ifdef LISTEN_DEFAULT_CIPHERS - .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS, -#endif -#ifdef CONNECT_DEFAULT_CIPHERS - .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, -#endif #endif /* others NULL OK */ }; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 5ac2b0653c..3b96e37b5d 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3628,6 +3628,17 @@ static void __ssl_sock_init(void) { STACK_OF(SSL_COMP)* cm; +#ifdef LISTEN_DEFAULT_CIPHERS + global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS; +#endif +#ifdef CONNECT_DEFAULT_CIPHERS + global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS; +#endif + if (global.listen_default_ciphers) + global.listen_default_ciphers = strdup(global.listen_default_ciphers); + if (global.connect_default_ciphers) + global.connect_default_ciphers = strdup(global.connect_default_ciphers); + SSL_library_init(); cm = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(cm);