MINOR: ssl: split config and runtime variable for ssl-{min,max}-ver

In the CLI command 'show ssl crt-list', the ssl-min-ver and the
ssl-min-max arguments were always displayed because the dumped versions
were the actual version computed and used by haproxy, instead of the
version found in the configuration.

To fix the problem, this patch separates the variables to have one with
the configured version, and one with the actual version used. The dump
only shows the configured version.

diff --git a/include/types/listener.h b/include/types/listener.h
index 997a597206d5a91cc2ec0ab6d5b5fef8b40682c0..b815cc337af0edd54343f823a6a6ee931223d97b 100644 (file)
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -140,7 +140,8 @@ struct ssl_bind_conf {
 #endif
        char *curves;              /* curves suite to use for ECDHE */
        char *ecdhe;               /* named curve to use for ECDHE */
-       struct tls_version_filter ssl_methods; /* ssl methods */
+       struct tls_version_filter ssl_methods_cfg; /* original ssl methods found in configuration */
+       struct tls_version_filter ssl_methods; /* actual ssl methods used at runtime */
 #endif
 };
 

diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc
index 28666195e8123795fe53d5d9e4a9f9efa9fd194d..b5ca7797a8cb5f9758c5dad7a7478ffa10c7189e 100644 (file)
--- a/reg-tests/ssl/add_ssl_crt-list.vtc
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@@ -70,7 +70,7 @@ shell {
     echo "new ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
     printf "set ssl cert ${testdir}/ecdsa.pem <<\n$(cat ${testdir}/ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
     echo "commit ssl cert ${testdir}/ecdsa.pem" | socat "${tmpdir}/h1/stats" -
-    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
+    printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [ssl-min-ver SSLv3 verify none allow-0rtt] localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
     printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem [verify none allow-0rtt]\n\n" | socat "${tmpdir}/h1/stats" -
     printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem localhost !www.test1.com\n\n" | socat "${tmpdir}/h1/stats" -
     printf "add ssl crt-list ${testdir}/localhost.crt-list <<\n${testdir}/ecdsa.pem\n\n" | socat "${tmpdir}/h1/stats" -
@@ -85,7 +85,7 @@ haproxy h1 -cli {
 haproxy h1 -cli {
     send "show ssl crt-list ${testdir}/localhost.crt-list"
     # check the options and the filters in any order
-    expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt).*\\](?=.*!www.test1.com)(?=.*localhost).*"
+    expect ~ ".*${testdir}/ecdsa.pem \\[(?=.*verify none)(?=.*allow-0rtt)(?=.*ssl-min-ver SSLv3).*\\](?=.*!www.test1.com)(?=.*localhost).*"
 }
 
 client c1 -connect ${h1_clearlst_sock} {

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 374ca920b1e8cca2500922c726173511e1a2cee7..5c3688110f8dd5405de6bfbdf2a427f2f672a306 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -809,12 +809,20 @@ static int parse_tls_method_minmax(char **args, int cur_arg, struct tls_version_
 
 static int ssl_bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
 {
+       int ret;
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
        ha_warning("crt-list: ssl-min-ver and ssl-max-ver are not supported with this Openssl version (skipped).\n");
 #endif
-       return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
-}
+       ret = parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods_cfg, err);
+       if (ret != ERR_NONE)
+               return ret;
 
+       conf->ssl_methods.min = conf->ssl_methods_cfg.min;
+       conf->ssl_methods.max = conf->ssl_methods_cfg.max;
+
+       return ret;
+}
 static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
        return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 25d84457f98ceaa19284945860f3be748a7c9f01..baeb81d47bfe5e7a3448489d4ae3a7fc10bbaab5 100644 (file)
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -702,15 +702,15 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
 
        /* the crt-lists only support ssl-min-ver and ssl-max-ver */
        /* XXX: this part need to be revamp so we don't dump the default settings */
-       if (conf->ssl_methods.min) {
+       if (conf->ssl_methods_cfg.min) {
                if (space) chunk_appendf(buf, " ");
-               chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods.min].name);
+               chunk_appendf(buf, "ssl-min-ver %s", methodVersions[conf->ssl_methods_cfg.min].name);
                space++;
        }
 
-       if (conf->ssl_methods.max) {
+       if (conf->ssl_methods_cfg.max) {
                if (space) chunk_appendf(buf, " ");
-               chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods.max].name);
+               chunk_appendf(buf, "ssl-max-ver %s", methodVersions[conf->ssl_methods_cfg.max].name);
                space++;
        }