From: Emmanuel Hocdet Date: Thu, 30 Mar 2017 17:29:39 +0000 (+0200) Subject: MINOR: ssl: support TLSv1.3 for bind and server X-Git-Tag: v1.8-dev2~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42fb980e53773b9b705f0aadb389a994e4dd6cd9;p=thirdparty%2Fhaproxy.git MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 68cffd472d..4486a1cd41 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -10434,6 +10434,11 @@ force-tlsv12 this listener. This option is also available on global statement "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3". +force-tlsv13 + This option enforces use of TLSv1.3 only on SSL connections instantiated from + this listener. This option is also available on global statement + "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3". + generate-certificates This setting is only available when support for OpenSSL was built in. It enables the dynamic SSL certificates generation. A CA certificate and its @@ -10584,6 +10589,14 @@ no-tlsv12 available on global statement "ssl-default-bind-options". See also "force-tlsv*", and "force-sslv3". +no-tlsv13 + This setting is only available when support for OpenSSL was built in. It + disables support for TLSv1.3 on any sockets instantiated from the listener + when SSL is supported. Note that SSLv2 is forced disabled in the code and + cannot be enabled using any configuration option. This option is also + available on global statement "ssl-default-bind-options". See also + "force-tlsv*", and "force-sslv3". + npn This enables the NPN TLS extension and advertises the specified protocol list as supported on top of NPN. The protocol list consists in a comma-delimited 
@@ -10974,6 +10987,13 @@ force-tlsv12 Supported in default-server: No +force-tlsv13 + This option enforces use of TLSv1.3 only when SSL is used to communicate with + the server. This option is also available on global statement + "ssl-default-server-options". See also "no-tlsv*", "no-sslv3". + + Supported in default-server: No + id Set a persistent ID for the server. This ID must be positive and unique for the proxy. An unused ID will automatically be assigned if unset. The first @@ -11161,7 +11181,7 @@ no-tlsv10 using any configuration option. TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers. This option is also available on global statement "ssl-default-server-options". - See also "tlsv10", "force-sslv3", "force-tlsv*". + See also "force-sslv3", "force-tlsv*". Supported in default-server: No @@ -11171,7 +11191,7 @@ no-tlsv11 using any configuration option. TLSv1 is more expensive than SSLv3 so it often makes sense to disable it when communicating with local servers. This option is also available on global statement "ssl-default-server-options". - See also "tlsv11", "force-sslv3", "force-tlsv*". + See also "force-sslv3", "force-tlsv*". Supported in default-server: No 
@@ -11181,7 +11201,17 @@ no-tlsv12
 using any configuration option. TLSv1 is more expensive than SSLv3 so it
 often makes sense to disable it when communicating with local servers. This
 option is also available on global statement "ssl-default-server-options".
- See also "tlsv12", "force-sslv3", "force-tlsv*".
+ See also "force-sslv3", "force-tlsv*".
+
+ Supported in default-server: No
+
+no-tlsv13
+ This option disables support for TLSv1.3 when SSL is used to communicate with
+ the server. Note that SSLv2 is disabled in the code and cannot be enabled
+ using any configuration option. TLSv1 is more expensive than SSLv3 so it
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
 Supported in default-server: No
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9cbdad93f4..63c0f7928b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -126,6 +126,7 @@
 #define MC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
 #define MC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
 #define MC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
+#define MC_SSL_O_NO_TLSV13 0x0010 /* disable TLSv13 */
 /* ssl_methods versions */
 enum {
@@ -135,7 +136,8 @@ enum {
 CONF_TLSV10 = 2,
 CONF_TLSV11 = 3,
 CONF_TLSV12 = 4,
- CONF_TLSV_MAX = 4,
+ CONF_TLSV13 = 5,
+ CONF_TLSV_MAX = 5,
 };
 /* server and bind verify method, it uses a global value as default */
@@ -3181,6 +3183,9 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 #ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
 #define SSL_OP_NO_TLSv1_2 0
 #endif
+#ifndef SSL_OP_NO_TLSv1_3 /* dev */
+#define SSL_OP_NO_TLSv1_3 0
+#endif
 #ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
 #define SSL_OP_SINGLE_DH_USE 0
 #endif
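Review bot: The `/* dev */` comment on the new `#ifndef SSL_OP_NO_TLSv1_3` fallback does not say which libraries provide the flag, while the neighbouring fallbacks state a version (`/* needs OpenSSL >= 1.0.1 */`). The commit message is more precise, so I would carry it over: `#ifndef SSL_OP_NO_TLSv1_3 /* only openssl-dev and BoringSSL so far */`. A second sentence would help too, since the zero fallback is what the TLSv1.3 entry of the version table later picks up as its option bit: on such a library `no-tlsv13` contributes no SSL_OP bit rather than being rejected, and a reader of this block cannot tell that from the define alone.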
@@ -3218,6 +3223,9 @@ static void ssl_set_TLSv12_func(SSL_CTX *ctx, int is_server) {
 : SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method());
 #endif
 }
+static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_server) {
+ /* TLS 1.2 is the last supported version in this context. */
+}
 #else /* openssl >= 1.1.0 */
 static void ssl_set_SSLv3_func(SSL_CTX *ctx, int is_max) {
 is_max ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
@@ -3235,6 +3243,12 @@ static void ssl_set_TLSv12_func(SSL_CTX *ctx, int is_max) {
 is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)
 : SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
 }
+static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_max) {
+#if SSL_OP_NO_TLSv1_3
+ is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
+ : SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
+#endif
+}
 #endif
 static void ssl_set_None_func(SSL_CTX *ctx, int i) { }
@@ -3250,6 +3264,7 @@ static struct {
 {SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */
 {SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */
 {SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */
+{SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */
 };
 /* Create an initial CTX used to start the SSL connection before switchctx */
@@ -6229,6 +6244,8 @@ static int parse_tls_method_options(char *arg, struct tls_version_filter *method
 v = CONF_TLSV11;
 else if (!strcmp(p, "tlsv12"))
 v = CONF_TLSV12;
+ else if (!strcmp(p, "tlsv13"))
+ v = CONF_TLSV13;
 else
 return 1;
 if (!strncmp(arg, "no-", 3))
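Review bot: With the old-API `ssl_set_TLSv13_func` left empty here, and the new-API one in the next hunk compiled out whenever `SSL_OP_NO_TLSv1_3` is the zero fallback, `force-tlsv13` is accepted by `parse_tls_method_options` (hunk at -6229) yet never touches the SSL_CTX, so a bind or server line meant to speak only TLS 1.3 silently keeps the library's default version range on a library without TLS 1.3. Unless a check elsewhere in the file already reports this, I would make the force form fail at parse time, e.g. after the new `v = CONF_TLSV13;` line something like `if (v == CONF_TLSV13 && !SSL_OP_NO_TLSv1_3 && !strncmp(arg, "force-", 6)) return 1;` (using whatever error return the caller reports for an unsupported keyword), and leave `no-tlsv13` a harmless no-op. The comment in the empty body should say what actually happens rather than restating the API limit: `/* no TLS 1.3 with this API: force-tlsv13 is accepted but has no effect */`. parse_tls_method_options starts outside its hunk, so I cannot see how its return values are reported.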
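Review bot: `#if SSL_OP_NO_TLSv1_3` in the new-API `ssl_set_TLSv13_func` uses a flag macro as a proxy for the presence of `TLS1_3_VERSION`, and it only works because the `#define SSL_OP_NO_TLSv1_3 0` fallback appears earlier in this file; testing the name the body actually uses is more direct and self-contained: `#ifdef TLS1_3_VERSION`. Whichever guard is kept, a one-line comment on it, such as `/* no-op when the library has no TLS 1.3 */`, would tell the reader that this setter can silently do nothing, which nothing in the function currently says.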
@@ -7375,11 +7392,13 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "force-tlsv10", bind_parse_tls_method_options, 0 }, /* force TLSv10 */
 { "force-tlsv11", bind_parse_tls_method_options, 0 }, /* force TLSv11 */
 { "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
+ { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 { "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
 { "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
 { "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
 { "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */
 { "no-tlsv12", bind_parse_tls_method_options, 0 }, /* disable TLSv12 */
+ { "no-tlsv13", bind_parse_tls_method_options, 0 }, /* disable TLSv13 */
 { "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
 { "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
 { "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
@@ -7407,6 +7426,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "force-tlsv10", srv_parse_tls_method_options,0, 1 }, /* force TLSv10 */
 { "force-tlsv11", srv_parse_tls_method_options,0, 1 }, /* force TLSv11 */
 { "force-tlsv12", srv_parse_tls_method_options,0, 1 }, /* force TLSv12 */
+ { "force-tlsv13", srv_parse_tls_method_options,0, 1 }, /* force TLSv13 */
 { "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
 { "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
 { "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
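Review bot: The new `force-tlsv13` server keyword is registered with a trailing `1` like its `force-tlsv1x` siblings, while the documentation added for it (hunk at -10974 in doc/configuration.txt) says `Supported in default-server: No`, just as the existing force-tlsv12 text does. If that last field is the default-server flag, the code and the doc disagree for the whole force-tlsv* family, and since this commit copies the pattern it is a good moment to settle it: either register the entry with `0` or change the new doc line to `Supported in default-server: Yes`. The `no-tlsv13` entries are registered with `0` and match their documentation.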
@@ -7416,6 +7436,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "no-tlsv10", srv_parse_tls_method_options,0, 0 }, /* disable TLSv10 */
 { "no-tlsv11", srv_parse_tls_method_options,0, 0 }, /* disable TLSv11 */
 { "no-tlsv12", srv_parse_tls_method_options,0, 0 }, /* disable TLSv12 */
+ { "no-tlsv13", srv_parse_tls_method_options,0, 0 }, /* disable TLSv13 */
 { "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
 { "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
 { "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */