From: William Lallemand Date: Sat, 29 Oct 2016 16:09:35 +0000 (+0200) Subject: REORG: cli: move ssl CLI functions to ssl_sock.c X-Git-Tag: v1.7.0~61 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32af203b75;p=thirdparty%2Fhaproxy.git REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI. --- diff --git a/include/types/cli.h b/include/types/cli.h index 35c2c67cbf..4f1a84d611 100644 --- a/include/types/cli.h +++ b/include/types/cli.h @@ -121,8 +121,6 @@ enum { STAT_CLI_O_PAT, /* list all entries of a pattern */ STAT_CLI_O_MLOOK, /* lookup a map entry */ STAT_CLI_O_POOLS, /* dump memory pools */ - STAT_CLI_O_TLSK, /* list all TLS ticket keys references */ - STAT_CLI_O_TLSK_ENT, /* list all TLS ticket keys entries for a reference */ STAT_CLI_O_RESOLVERS,/* dump a resolver's section nameservers counters */ STAT_CLI_O_SERVERS_STATE, /* dump server state and changing information */ STAT_CLI_O_BACKEND, /* dump backend list */ diff --git a/src/cli.c b/src/cli.c index e15fc8af73..7565c80391 100644 --- a/src/cli.c +++ b/src/cli.c @@ -146,9 +146,6 @@ static int stats_dump_resolvers_to_buffer(struct stream_interface *si); static int stats_pats_list(struct stream_interface *si); static int stats_pat_list(struct stream_interface *si); static int stats_map_lookup(struct stream_interface *si); -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) -static int stats_tlskeys_list(struct stream_interface *si); -#endif static int dump_servers_state(struct stream_interface *si, struct chunk *buf); @@ -193,10 +190,6 @@ static const char stats_sock_usage_msg[] = " add map : add map entry\n" " del map : delete map entry\n" " clear map : clear the content of this map\n" - " set ssl : set statement for ssl\n" -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) - " show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified\n" -#endif ""; static const char stats_permission_denied_msg[] = @@ -999,50 +992,6 @@ static struct server *expect_server_admin(struct stream *s, struct stream_interf return sv; } -/* This function is used with TLS ticket keys management. It permits to browse - * each reference. The variable must contain the current node, - * point to the root node. - */ -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) -static inline -struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end) -{ - struct tls_keys_ref *ref = getnext; - - while (1) { - - /* Get next list entry. */ - ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list); - - /* If the entry is the last of the list, return NULL. */ - if (&ref->list == end) - return NULL; - - return ref; - } -} - -static inline -struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference) -{ - int id; - char *error; - - /* If the reference starts by a '#', this is numeric id. */ - if (reference[0] == '#') { - /* Try to convert the numeric id. If the conversion fails, the lookup fails. */ - id = strtol(reference + 1, &error, 10); - if (*error != '\0') - return NULL; - - /* Perform the unique id lookup. */ - return tlskeys_ref_lookupid(id); - } - - /* Perform the string lookup. */ - return tlskeys_ref_lookup(reference); -} -#endif /* This function is used with map and acl management. It permits to browse * each reference. The variable must contain the current node, @@ -1308,39 +1257,6 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line) else if (strcmp(args[1], "table") == 0) { stats_sock_table_request(si, args, STAT_CLI_O_TAB); } - else if (strcmp(args[1], "tls-keys") == 0) { -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) - appctx->ctx.tlskeys.dump_all = 0; - /* no parameter, shows only file list */ - if (!*args[2]) { - appctx->ctx.tlskeys.dump_all = 1; - appctx->st2 = STAT_ST_INIT; - appctx->st0 = STAT_CLI_O_TLSK; - return 1; - } - - if (args[2][0] == '*') { - /* list every TLS ticket keys */ - appctx->ctx.tlskeys.ref = NULL; - appctx->ctx.tlskeys.dump_all = 1; - } else { - appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[2]); - if(!appctx->ctx.tlskeys.ref) { - appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - } - appctx->st2 = STAT_ST_INIT; - appctx->st0 = STAT_CLI_O_TLSK_ENT; - -#else - appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL " - "that doesn't support specifying TLS ticket keys\n"; - appctx->st0 = STAT_CLI_PRINT; -#endif - return 1; - } else if (strcmp(args[1], "map") == 0 || strcmp(args[1], "acl") == 0) { @@ -2032,88 +1948,7 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line) /* The set is done, send message. */ appctx->st0 = STAT_CLI_PROMPT; return 1; - } -#ifdef USE_OPENSSL - else if (strcmp(args[1], "ssl") == 0) { - if (strcmp(args[2], "ocsp-response") == 0) { -#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) - char *err = NULL; - - /* Expect one parameter: the new response in base64 encoding */ - if (!*args[3]) { - appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - - trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size); - if (trash.len < 0) { - appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - - if (ssl_sock_update_ocsp_response(&trash, &err)) { - if (err) { - memprintf(&err, "%s.\n", err); - appctx->ctx.cli.err = err; - appctx->st0 = STAT_CLI_PRINT_FREE; - } - return 1; - } - appctx->ctx.cli.msg = "OCSP Response updated!"; - appctx->st0 = STAT_CLI_PRINT; - return 1; -#else - appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; -#endif - } - else if (strcmp(args[2], "tls-key") == 0) { -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) - /* Expect two parameters: the filename and the new new TLS key in encoding */ - if (!*args[3] || !*args[4]) { - appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - - appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[3]); - if(!appctx->ctx.tlskeys.ref) { - appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - - trash.len = base64dec(args[4], strlen(args[4]), trash.str, trash.size); - if (trash.len != sizeof(struct tls_sess_key)) { - appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - - memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len); - appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO; - - appctx->ctx.cli.msg = "TLS ticket key updated!"; - appctx->st0 = STAT_CLI_PRINT; - return 1; -#else - appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL " - "that doesn't support specifying TLS ticket keys\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; -#endif - } - else { - appctx->ctx.cli.msg = "'set ssl' only supports 'ocsp-response'.\n"; - appctx->st0 = STAT_CLI_PRINT; - return 1; - } - } -#endif - else { /* unknown "set" parameter */ + } else { /* unknown "set" parameter */ return 0; } } @@ -2690,16 +2525,6 @@ static void cli_io_handler(struct appctx *appctx) if (stats_dump_pools_to_buffer(si)) appctx->st0 = STAT_CLI_PROMPT; break; -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) - case STAT_CLI_O_TLSK: - if (stats_tlskeys_list(si)) - appctx->st0 = STAT_CLI_PROMPT; - break; - case STAT_CLI_O_TLSK_ENT: - if (stats_tlskeys_list(si)) - appctx->st0 = STAT_CLI_PROMPT; - break; -#endif case STAT_CLI_O_ENV: /* environment dump */ if (stats_dump_env_to_buffer(si)) appctx->st0 = STAT_CLI_PROMPT; @@ -3457,101 +3282,6 @@ static int stats_dump_full_sess_to_buffer(struct stream_interface *si, struct st return 1; } -#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) -static int stats_tlskeys_list(struct stream_interface *si) { - struct appctx *appctx = __objt_appctx(si->end); - - switch (appctx->st2) { - case STAT_ST_INIT: - /* Display the column headers. If the message cannot be sent, - * quit the fucntion with returning 0. The function is called - * later and restart at the state "STAT_ST_INIT". - */ - chunk_reset(&trash); - - if (appctx->st0 == STAT_CLI_O_TLSK_ENT) - chunk_appendf(&trash, "# id secret\n"); - else - chunk_appendf(&trash, "# id (file)\n"); - - if (bi_putchk(si_ic(si), &trash) == -1) { - si_applet_cant_put(si); - return 0; - } - - appctx->ctx.tlskeys.dump_keys_index = 0; - - /* Now, we start the browsing of the references lists. - * Note that the following call to LIST_ELEM return bad pointer. The only - * available field of this pointer is . It is used with the function - * tlskeys_list_get_next() for retruning the first available entry - */ - if (appctx->ctx.tlskeys.ref == NULL) { - appctx->ctx.tlskeys.ref = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list); - appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference); - } - - appctx->st2 = STAT_ST_LIST; - /* fall through */ - - case STAT_ST_LIST: - while (appctx->ctx.tlskeys.ref) { - int head = appctx->ctx.tlskeys.ref->tls_ticket_enc_index; - - chunk_reset(&trash); - if (appctx->st0 == STAT_CLI_O_TLSK_ENT && appctx->ctx.tlskeys.dump_keys_index == 0) - chunk_appendf(&trash, "# "); - if (appctx->ctx.tlskeys.dump_keys_index == 0) - chunk_appendf(&trash, "%d (%s)\n", appctx->ctx.tlskeys.ref->unique_id, - appctx->ctx.tlskeys.ref->filename); - if (appctx->st0 == STAT_CLI_O_TLSK_ENT) { - while (appctx->ctx.tlskeys.dump_keys_index < TLS_TICKETS_NO) { - struct chunk *t2 = get_trash_chunk(); - - chunk_reset(t2); - /* should never fail here because we dump only a key in the t2 buffer */ - t2->len = a2base64((char *)(appctx->ctx.tlskeys.ref->tlskeys + (head + 2 + appctx->ctx.tlskeys.dump_keys_index) % TLS_TICKETS_NO), - sizeof(struct tls_sess_key), t2->str, t2->size); - chunk_appendf(&trash, "%d.%d %s\n", appctx->ctx.tlskeys.ref->unique_id, appctx->ctx.tlskeys.dump_keys_index, t2->str); - - if (bi_putchk(si_ic(si), &trash) == -1) { - /* let's try again later from this stream. We add ourselves into - * this stream's users so that it can remove us upon termination. - */ - si_applet_cant_put(si); - return 0; - } - appctx->ctx.tlskeys.dump_keys_index++; - } - appctx->ctx.tlskeys.dump_keys_index = 0; - } - if (bi_putchk(si_ic(si), &trash) == -1) { - /* let's try again later from this stream. We add ourselves into - * this stream's users so that it can remove us upon termination. - */ - si_applet_cant_put(si); - return 0; - } - - if (appctx->ctx.tlskeys.dump_all == 0) /* don't display everything if not necessary */ - break; - - /* get next list entry and check the end of the list */ - appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference); - - } - - appctx->st2 = STAT_ST_FIN; - /* fall through */ - - default: - appctx->st2 = STAT_ST_FIN; - return 1; - } - return 0; -} -#endif - static int stats_pats_list(struct stream_interface *si) { struct appctx *appctx = __objt_appctx(si->end); diff --git a/src/ssl_sock.c b/src/ssl_sock.c index c0e4d75fc6..62c89af9fe 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -69,12 +69,17 @@ #include +#include +#include #include #include +#include #include #include +#include #include +#include #include #include #include @@ -83,6 +88,7 @@ #include #include #include +#include #include #include #include @@ -5977,6 +5983,270 @@ static int ssl_parse_default_server_options(char **args, int section_type, struc return 0; } +/* This function is used with TLS ticket keys management. It permits to browse + * each reference. The variable must contain the current node, + * point to the root node. + */ +#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) +static inline +struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end) +{ + struct tls_keys_ref *ref = getnext; + + while (1) { + + /* Get next list entry. */ + ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list); + + /* If the entry is the last of the list, return NULL. */ + if (&ref->list == end) + return NULL; + + return ref; + } +} + +static inline +struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference) +{ + int id; + char *error; + + /* If the reference starts by a '#', this is numeric id. */ + if (reference[0] == '#') { + /* Try to convert the numeric id. If the conversion fails, the lookup fails. */ + id = strtol(reference + 1, &error, 10); + if (*error != '\0') + return NULL; + + /* Perform the unique id lookup. */ + return tlskeys_ref_lookupid(id); + } + + /* Perform the string lookup. */ + return tlskeys_ref_lookup(reference); +} +#endif + + +#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) + +static int cli_io_handler_tlskeys_files(struct appctx *appctx); + +static inline int cli_io_handler_tlskeys_entries(struct appctx *appctx) { + return cli_io_handler_tlskeys_files(appctx); +} + +static int cli_io_handler_tlskeys_files(struct appctx *appctx) { + + struct stream_interface *si = appctx->owner; + + switch (appctx->st2) { + case STAT_ST_INIT: + /* Display the column headers. If the message cannot be sent, + * quit the fucntion with returning 0. The function is called + * later and restart at the state "STAT_ST_INIT". + */ + chunk_reset(&trash); + + if (appctx->io_handler == cli_io_handler_tlskeys_entries) + chunk_appendf(&trash, "# id secret\n"); + else + chunk_appendf(&trash, "# id (file)\n"); + + if (bi_putchk(si_ic(si), &trash) == -1) { + si_applet_cant_put(si); + return 0; + } + + appctx->ctx.tlskeys.dump_keys_index = 0; + + /* Now, we start the browsing of the references lists. + * Note that the following call to LIST_ELEM return bad pointer. The only + * available field of this pointer is . It is used with the function + * tlskeys_list_get_next() for retruning the first available entry + */ + if (appctx->ctx.tlskeys.ref == NULL) { + appctx->ctx.tlskeys.ref = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list); + appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference); + } + + appctx->st2 = STAT_ST_LIST; + /* fall through */ + + case STAT_ST_LIST: + while (appctx->ctx.tlskeys.ref) { + int head = appctx->ctx.tlskeys.ref->tls_ticket_enc_index; + + chunk_reset(&trash); + if (appctx->io_handler == cli_io_handler_tlskeys_entries && appctx->ctx.tlskeys.dump_keys_index == 0) + chunk_appendf(&trash, "# "); + if (appctx->ctx.tlskeys.dump_keys_index == 0) + chunk_appendf(&trash, "%d (%s)\n", appctx->ctx.tlskeys.ref->unique_id, + appctx->ctx.tlskeys.ref->filename); + if (appctx->io_handler == cli_io_handler_tlskeys_entries) { + while (appctx->ctx.tlskeys.dump_keys_index < TLS_TICKETS_NO) { + struct chunk *t2 = get_trash_chunk(); + + chunk_reset(t2); + /* should never fail here because we dump only a key in the t2 buffer */ + t2->len = a2base64((char *)(appctx->ctx.tlskeys.ref->tlskeys + (head + 2 + appctx->ctx.tlskeys.dump_keys_index) % TLS_TICKETS_NO), + sizeof(struct tls_sess_key), t2->str, t2->size); + chunk_appendf(&trash, "%d.%d %s\n", appctx->ctx.tlskeys.ref->unique_id, appctx->ctx.tlskeys.dump_keys_index, t2->str); + + if (bi_putchk(si_ic(si), &trash) == -1) { + /* let's try again later from this stream. We add ourselves into + * this stream's users so that it can remove us upon termination. + */ + si_applet_cant_put(si); + return 0; + } + appctx->ctx.tlskeys.dump_keys_index++; + } + appctx->ctx.tlskeys.dump_keys_index = 0; + } + if (bi_putchk(si_ic(si), &trash) == -1) { + /* let's try again later from this stream. We add ourselves into + * this stream's users so that it can remove us upon termination. + */ + si_applet_cant_put(si); + return 0; + } + + if (appctx->ctx.tlskeys.dump_all == 0) /* don't display everything if not necessary */ + break; + + /* get next list entry and check the end of the list */ + appctx->ctx.tlskeys.ref = tlskeys_list_get_next(appctx->ctx.tlskeys.ref, &tlskeys_reference); + + } + + appctx->st2 = STAT_ST_FIN; + /* fall through */ + + default: + appctx->st2 = STAT_ST_FIN; + return 1; + } + return 0; +} + +#endif + +static int cli_parse_show_tlskeys(char **args, struct appctx *appctx, void *private) +{ + appctx->ctx.tlskeys.dump_all = 0; + /* no parameter, shows only file list */ + if (!*args[2]) { + appctx->ctx.tlskeys.dump_all = 1; + appctx->st2 = STAT_ST_INIT; + appctx->st0 = STAT_CLI_O_CUSTOM; + appctx->io_handler = cli_io_handler_tlskeys_files; + + return 1; + } + + if (args[2][0] == '*') { + /* list every TLS ticket keys */ + appctx->ctx.tlskeys.ref = NULL; + appctx->ctx.tlskeys.dump_all = 1; + } else { + appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[2]); + if(!appctx->ctx.tlskeys.ref) { + appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + } + appctx->st2 = STAT_ST_INIT; + appctx->st0 = STAT_CLI_O_CUSTOM; + appctx->io_handler = cli_io_handler_tlskeys_entries; + return 1; +} + + +static int cli_parse_set_tlskeys(char **args, struct appctx *appctx, void *private) +{ + /* Expect two parameters: the filename and the new new TLS key in encoding */ + if (!*args[3] || !*args[4]) { + appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + + appctx->ctx.tlskeys.ref = tlskeys_ref_lookup_ref(args[3]); + if(!appctx->ctx.tlskeys.ref) { + appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + + trash.len = base64dec(args[4], strlen(args[4]), trash.str, trash.size); + if (trash.len != sizeof(struct tls_sess_key)) { + appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + + memcpy(appctx->ctx.tlskeys.ref->tlskeys + ((appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO), trash.str, trash.len); + appctx->ctx.tlskeys.ref->tls_ticket_enc_index = (appctx->ctx.tlskeys.ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO; + + appctx->ctx.cli.msg = "TLS ticket key updated!"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + +} + +static int cli_parse_set_ocspresponse(char **args, struct appctx *appctx, void *private) +{ +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) + char *err = NULL; + + /* Expect one parameter: the new response in base64 encoding */ + if (!*args[3]) { + appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + + trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size); + if (trash.len < 0) { + appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; + } + + if (ssl_sock_update_ocsp_response(&trash, &err)) { + if (err) { + memprintf(&err, "%s.\n", err); + appctx->ctx.cli.err = err; + appctx->st0 = STAT_CLI_PRINT_FREE; + } + return 1; + } + appctx->ctx.cli.msg = "OCSP Response updated!"; + appctx->st0 = STAT_CLI_PRINT; + return 1; +#else + appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n"; + appctx->st0 = STAT_CLI_PRINT; + return 1; +#endif + +} + +/* register cli keywords */ +static struct cli_kw_list cli_kws = {{ },{ +#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) + { { "show", "tls-keys", NULL }, "show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified", cli_parse_show_tlskeys, NULL }, + { { "set", "ssl", "tls-keys", NULL }, NULL, cli_parse_set_tlskeys, NULL }, + { { "set", "ssl", "ocsp-response", NULL }, NULL, cli_parse_set_ocspresponse, NULL }, +#endif + { { NULL }, NULL, NULL, NULL } +}}; + + + /* Note: must not be declared as its list will be overwritten. * Please take care of keeping this list alphabetically sorted. */ @@ -6171,6 +6441,7 @@ static void __ssl_sock_init(void) bind_register_keywords(&bind_kws); srv_register_keywords(&srv_kws); cfg_register_keywords(&cfg_kws); + cli_register_kw(&cli_kws); global.ssl_session_max_cost = SSL_SESSION_MAX_COST; global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST;