It may also be used as "default-server" setting to reset any previous
"default-server" "check-ssl" setting.
+no-renegotiate
+ May be used in the following contexts: tcp, http, log
+
+ This setting is only available when support for OpenSSL was built in. It
+ disables the renegotiation mechanisms, be it the legacy unsafe one or the
+ more recent "secure renegotation" one (RFC 5746 TLS Renegotiation Indication
+ Extension) for the given SSL backend. This option is also available on global
+ statement "ssl-default-server-options".
+ Renegotiation is not posible anymore in TLS 1.3.
+ If neither "renegotiate" nor "no-renegotiate" is specified, the SSL library's
+ default behavior is kept.
+ Note that for instance OpenSSL library enables secure renegotiation by
+ default while AWS-LC disable it.
+ See also "renegotiate".
+
no-send-proxy
May be used in the following contexts: tcp, http
Example : server srv1 192.168.1.1:80 redir http://image1.mydomain.com check
+renegotiate
+ May be used in the following contexts: tcp, http, log
+
+ This option enables the secure renegotiation mechanism (RFC 5746 TLS
+ Renegotiation Indication Extension) for a given SSL backend. It does not mean
+ that renegotiation requests will be sent by the SSL client, it only allows
+ backends to renegotiate when servers request it. It still requires that the
+ underlying SSL library actually supports renegotiation.
+ This option is also available on global statement "ssl-default-server-options".
+ Renegotiation is not posible anymore in TLS 1.3.
+ If neither "renegotiate" nor "no-renegotiate" is specified, the SSL library's
+ default behavior is kept.
+ Note that for instance OpenSSL library enables secure renegotiation by
+ default while AWS-LC disable it.
+
rise <count>
May be used in the following contexts: tcp, http, log
}
+/* parse the "renegotiate" server keyword */
+static int srv_parse_renegotiate(char **args, int *cur_arg, struct proxy *px,
+ struct server *newsrv, char **err)
+{
+
+#if !defined(OPENSSL_IS_AWSLC) && !defined(SSL_OP_NO_RENEGOTIATION)
+ memprintf(err, "'%s' not supported for your SSL library (%s), either SSL_OP_NO_RENEGOTIATION or SSL_set_renegotiate_mode() must be defined.",
+ args[0], OPENSSL_VERSION_TEXT);
+ return -1;
+#endif
+
+ if (strncmp(*args, "no-", 3) == 0)
+ newsrv->ssl_ctx.renegotiate = SSL_RENEGOTIATE_OFF;
+ else
+ newsrv->ssl_ctx.renegotiate = SSL_RENEGOTIATE_ON;
+
+ return 0;
+}
+
/* common function to init ssl_ctx */
static int ssl_sock_init_srv(struct server *s)
{
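Review bot: The preprocessor guard in srv_parse_renegotiate accepts the keyword only when `OPENSSL_IS_AWSLC` or `SSL_OP_NO_RENEGOTIATION` is defined, while the runtime path later in this commit calls SSL_set_renegotiate_mode() for both AWS-LC and BoringSSL; if BoringSSL does not define SSL_OP_NO_RENEGOTIATION, the keyword is rejected at parse time on a library that the connect path would otherwise handle. The same guard is repeated in the ssl-default-server-options parser below, so both should agree with the `defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)` test used at connect time, or the error text should name the real condition. As a point of style, the global parser wraps the assignment in `#else` whereas this function relies on the unconditional `return -1;` to skip it; using `#else` here too avoids an unreachable-code warning under the unsupported configuration and reads the same way in both places.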
}
#endif
+ if (global_ssl.renegotiate && !s->ssl_ctx.renegotiate)
+ s->ssl_ctx.renegotiate = global_ssl.renegotiate;
+
return 0;
}
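Review bot: The inheritance test `if (global_ssl.renegotiate && !s->ssl_ctx.renegotiate)` silently assumes that `SSL_RENEGOTIATE_DFLT` is zero, which is not visible anywhere in this hunk and would break quietly if the enum were ever reordered. Spelling it out as `if (global_ssl.renegotiate != SSL_RENEGOTIATE_DFLT && s->ssl_ctx.renegotiate == SSL_RENEGOTIATE_DFLT)` keeps the intent (a per-server keyword wins, otherwise the global default applies) independent of the enum's numeric values. ssl_sock_init_srv begins outside this hunk, so I cannot confirm the server field is initialised to the DFLT value before this point.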
return -1;
}
}
+ else if (strcmp(args[i], "renegotiate") == 0 || strcmp(args[i], "no-renegotiate") == 0) {
+#if !defined(OPENSSL_IS_AWSLC) && !defined(SSL_OP_NO_RENEGOTIATION)
+ memprintf(err, "'%s' not supported for your SSL library (%s), either SSL_OP_NO_RENEGOTIATION or SSL_set_renegotiate_mode() must be defined.",
+ args[i], OPENSSL_VERSION_TEXT);
+ return -1;
+#else
+ global_ssl.renegotiate = (*args[i] == 'n') ? SSL_RENEGOTIATE_OFF : SSL_RENEGOTIATE_ON;
+#endif
+ }
else if (parse_tls_method_options(args[i], &global_ssl.connect_default_sslmethods, err)) {
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
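Review bot: `(*args[i] == 'n') ? SSL_RENEGOTIATE_OFF : SSL_RENEGOTIATE_ON` is correct only because the `strcmp` guard on the same branch restricts the value to the two exact keywords, but it reads as a loose first-character test; the server keyword parser added in this commit uses `strncmp(*args, "no-", 3) == 0` for the same decision. Using the same `strncmp(args[i], "no-", 3) == 0` form here makes the two parsers visibly equivalent and survives a later renaming of the keyword. The enclosing option loop starts outside this hunk.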
{ "force-tlsv12", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv12 */
{ "force-tlsv13", srv_parse_tls_method_options, 0, 1, 1 }, /* force TLSv13 */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1, 0 }, /* disable SSL for health checks */
+ { "no-renegotiate", srv_parse_renegotiate, 0, 1, 1 }, /* Disable renegotiation */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1, 0 }, /* do not send PROXY protocol header v2 with SSL info */
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1, 0 }, /* do not send PROXY protocol header v2 with CN */
{ "no-ssl", srv_parse_no_ssl, 0, 1, 0 }, /* disable SSL processing */
{ "no-tlsv13", srv_parse_tls_method_options, 0, 0, 1 }, /* disable TLSv13 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1, 1 }, /* disable session resumption tickets */
{ "npn", srv_parse_npn, 1, 1, 1 }, /* Set NPN supported protocols */
+ { "renegotiate", srv_parse_renegotiate, 0, 1, 1 }, /* Allow secure renegotiation */
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1, 1 }, /* send PROXY protocol header v2 with CN */
{ "sigalgs", srv_parse_sigalgs, 1, 1, 1 }, /* signature algorithms */
#ifdef HAVE_ACME
.acme_scheduler = 1,
#endif
+ .renegotiate = SSL_RENEGOTIATE_DFLT,
};
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+ if (srv->ssl_ctx.renegotiate == SSL_RENEGOTIATE_OFF)
+ options |= SSL_OP_NO_RENEGOTIATION;
+ else if (srv->ssl_ctx.renegotiate == SSL_RENEGOTIATE_ON)
+ options &= ~SSL_OP_NO_RENEGOTIATION;
+#endif
+
SSL_CTX_set_options(ctx, options);
#ifdef SSL_MODE_ASYNC
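Review bot: The new `SSL_OP_NO_RENEGOTIATION` block has no comment explaining that the third state, `SSL_RENEGOTIATE_DFLT`, is deliberately left untouched so that the library's own default (secure renegotiation on for OpenSSL, as the documentation in this commit states) is kept; a reader could take the missing `else` for an omission. A one-line comment above the `#ifdef`, `/* SSL_RENEGOTIATE_DFLT: leave the library's default bit as is */`, records that. This block is also only compiled when SSL_OP_NO_RENEGOTIATION is defined, so on AWS-LC/BoringSSL builds the OFF case is not expressed here at all and relies entirely on the per-connection path in ssl_sock_init.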
goto err;
SSL_set_connect_state(ctx->ssl);
+
+#if defined(OPENSSL_IS_AWSLC) || defined(OPENSSL_IS_BORINGSSL)
+ if (srv->ssl_ctx.renegotiate == SSL_RENEGOTIATE_ON)
+ SSL_set_renegotiate_mode(ctx->ssl, ssl_renegotiate_freely);
+#endif
+
HA_RWLOCK_RDLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);
if (srv->ssl_ctx.reused_sess[tid].ptr) {
/* let's recreate a session from (ptr,size) and assign
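Review bot: On AWS-LC and BoringSSL the new block only handles `SSL_RENEGOTIATE_ON`, so an explicit `no-renegotiate` (per server or inherited from ssl-default-server-options) has no effect on these libraries and silently depends on their built-in default being "never"; the option's enforcement should not depend on a library default that a future release may change. Adding the symmetric case, `else if (srv->ssl_ctx.renegotiate == SSL_RENEGOTIATE_OFF) SSL_set_renegotiate_mode(ctx->ssl, ssl_renegotiate_never);`, makes the OFF setting an explicit, verifiable property of the connection. The enclosing ssl_sock_init function starts and ends outside this hunk.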