MEDIUM: ssl: add support for prefer-server-ciphers option
authorDavid BERARD <contact@davidberard.fr>
Tue, 4 Sep 2012 13:15:13 +0000 (15:15 +0200)
committerWilly Tarreau <w@1wt.eu>
Tue, 4 Sep 2012 13:35:32 +0000 (15:35 +0200)
I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to frontend, if the 'prefer-server-ciphers' keyword is set.

Example :
bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigates the effect of the BEAST attack (as I understand it), and it
is equivalent to :
- Apache HTTPd SSLHonorCipherOrder option.
- Nginx ssl_prefer_server_ciphers option.

[WT: added a test for the support of the option]

include/types/protocols.h
src/cfgparse.c

index b075ef6a83270e024ea3bec27849bcf7c784afb1..1d962eaa995e26c7a7ecd5bd0d04ab1310da0251 100644 (file)
@@ -137,6 +137,7 @@ struct listener {
                char *ciphers;          /* cipher suite to use if non-null */
                int nosslv3;            /* disable SSLv3 */
                int notlsv1;            /* disable TLSv1 */
+               int prefer_server_ciphers; /* Prefer server ciphers */
        } ssl_ctx;
 #endif
        /* warning: this struct is huge, keep it at the bottom */
index f5061b31737cc6c48bf15039fc3b684cde0cc4f3..6ff166e99be883faaa9428fe306caebb403fe4bc 100644 (file)
@@ -1889,6 +1889,23 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
                        }
 
+                       if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
+#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+                               struct listener *l;
+
+                               for (l = curproxy->listen; l != last_listen; l = l->next)
+                                       l->ssl_ctx.prefer_server_ciphers = 1;
+
+                               cur_arg += 1;
+                               continue;
+#else
+                               Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+                                     file, linenum, args[0], args[cur_arg]);
+                               err_code |= ERR_ALERT | ERR_FATAL;
+                               goto out;
+#endif
+                       }
+
                        if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
                                struct listener *l;
 
@@ -6794,6 +6811,10 @@ out_uri_auth_compat:
                        }
 
 #ifdef USE_OPENSSL
+#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE                 /* needs OpenSSL >= 0.9.7 */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
+#endif
+
 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION  /* needs OpenSSL >= 0.9.7 */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
 #endif
@@ -6827,6 +6848,8 @@ out_uri_auth_compat:
                                        ssloptions |= SSL_OP_NO_SSLv3;
                                if (listener->ssl_ctx.notlsv1)
                                        ssloptions |= SSL_OP_NO_TLSv1;
+                               if (listener->ssl_ctx.prefer_server_ciphers)
+                                       ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
                                SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
                                SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
                                SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
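Review bot: The new `ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;` line carries no comment explaining that the option only changes anything when the listener's `ciphers` list is deliberately ordered, which is the whole point of the feature per the commit description; suggest `/* use the server's cipher order, not the client's (only useful with an ordered 'ciphers' list) */` above the `if (listener->ssl_ctx.prefer_server_ciphers)` check. The enclosing function starts and ends outside the hunk.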