MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.

These ones are used to set the default ciphers suite on "bind" lines and
"server" lines respectively, instead of using OpenSSL's defaults. These
are probably mainly useful for distro packagers.

diff --git a/Makefile b/Makefile
index f0533a70af8aaaa042d42748f5c8d8dc17a54219..653c083cef264c329415888c7249b5e37bda1799 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -139,6 +139,11 @@ ADDLIB =
 # Use DEFINE=-Dxxx to set any tunable macro. Anything declared here will appear
 # in the build options reported by "haproxy -vv". Use SILENT_DEFINE if you do
 # not want to pollute the report with complex defines.
+# The following settings might be of interest when SSL is enabled :
+#   LISTEN_DEFAULT_CIPHERS is a cipher suite string used to set the default SSL
+#           ciphers on "bind" lines instead of using OpenSSL's defaults.
+#   CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
+#           SSL ciphers on "server" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
 

diff --git a/include/common/defaults.h b/include/common/defaults.h
index b49044e50bb9469effbc8fede8f58d970201f0b4..3a67d3353f1f36068238feb38f0016b4121ae75d 100644 (file)
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -188,4 +188,14 @@
 #define HCHK_DESC_LEN  128
 #endif
 
+/* ciphers used as defaults on connect */
+#ifndef CONNECT_DEFAULT_CIPHERS
+#define CONNECT_DEFAULT_CIPHERS NULL
+#endif
+
+/* ciphers used as defaults on listeners */
+#ifndef LISTEN_DEFAULT_CIPHERS
+#define LISTEN_DEFAULT_CIPHERS NULL
+#endif
+
 #endif /* _COMMON_DEFAULTS_H */

diff --git a/include/types/global.h b/include/types/global.h
index 3efe933e57d46c1c3108c94c049116c1aadeda5e..d7c6cfd477d844788583b2426487bd659d519ef9 100644 (file)
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -76,6 +76,8 @@ struct global {
        int maxconn, hardmaxconn;
 #ifdef USE_OPENSSL
        int maxsslconn;
+       char *listen_default_ciphers;
+       char *connect_default_ciphers;
 #endif
        struct freq_ctr conn_per_sec;
        int cps_lim, cps_max;

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 88c6300329b8811471c0fe61d356b55af48799ce..9d47dae20f66bafdf70c6f6c0a04b04a1a684399 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4313,6 +4313,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
                                newsrv->use_ssl = 1;
                                cur_arg += 1;
+
+                               if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+                                       newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
                                      file, linenum, args[cur_arg]);
@@ -4324,6 +4327,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
                                newsrv->check.use_ssl = 1;
                                cur_arg += 1;
+
+                               if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+                                       newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
                                Alert("parsing [%s:%d]: '%s' option not implemented.\n",
                                      file, linenum, args[cur_arg]);
@@ -4340,6 +4346,7 @@ stats_error_parsing:
                                        goto out;
                                }
 
+                               free(newsrv->ssl_ctx.ciphers);
                                newsrv->ssl_ctx.ciphers = strdup(args[cur_arg + 1]);
 
                                cur_arg += 2;

diff --git a/src/haproxy.c b/src/haproxy.c
index d2f5d45e89307ede403c1eac5db97bfac44de1bb..1cad8e4cc39869f7979cf7d2473d6345e78385fe 100644 (file)
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -125,8 +125,16 @@ struct global global = {
                .sslcachesize = 20000,
 #endif
        },
-#if defined (USE_OPENSSL) && defined(DEFAULT_MAXSSLCONN)
+#ifdef USE_OPENSSL
+#ifdef DEFAULT_MAXSSLCONN
        .maxsslconn = DEFAULT_MAXSSLCONN,
+#endif
+#ifdef LISTEN_DEFAULT_CIPHERS
+       .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+       .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
 #endif
        /* others NULL OK */
 };

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af90018a551e7f1b5afe383cb461ee86b7c85241..055bc6fe56eab4398de632afd84efccc624060d2 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1138,6 +1138,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
                return ERR_ALERT | ERR_FATAL;
        }
 
+       free(conf->ciphers);
        conf->ciphers = strdup(args[cur_arg + 1]);
        return 0;
 }
@@ -1340,6 +1341,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
        struct listener *l;
 
        conf->is_ssl = 1;
+
+       if (global.listen_default_ciphers && !conf->ciphers)
+               conf->ciphers = strdup(global.listen_default_ciphers);
+
        list_for_each_entry(l, &conf->listeners, by_bind)
                l->xprt = &ssl_sock;