From: William Lallemand Date: Tue, 2 Jun 2020 08:52:24 +0000 (+0200) Subject: MINOR: ssl: set ssl-min-ver in ambiguous configurations X-Git-Tag: v2.2-dev9~165 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=50df1cb1e51bee0428db236deead46bd3ca98d7a;p=thirdparty%2Fhaproxy.git MINOR: ssl: set ssl-min-ver in ambiguous configurations Using ssl-max-ver without ssl-min-ver is ambiguous. When the ssl-min-ver is not configured, and ssl-max-ver is set to a value lower than the default ssl-min-ver (which is TLSv1.2 currently), set the ssl-min-ver to the value of ssl-max-ver, and emit a warning. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 0a6086c2c4..837862c5e2 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12568,13 +12568,16 @@ ssl ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ] This option enforces use of or lower on SSL connections instantiated - from this listener. This option is also available on global statement + from this listener. Using this setting without "ssl-min-ver" can be + ambiguous because the default ssl-min-ver value could change in future HAProxy + versions. This option is also available on global statement "ssl-default-bind-options". See also "ssl-min-ver". ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ] - This option enforces use of or upper on SSL connections instantiated - from this listener. This option is also available on global statement - "ssl-default-bind-options". See also "ssl-max-ver". + This option enforces use of or upper on SSL connections + instantiated from this listener. The default value is "TLSv1.2". This option + is also available on global statement "ssl-default-bind-options". + See also "ssl-max-ver". strict-sni This setting is only available when support for OpenSSL was built in. The diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b52f2ec6ae..8f16463ca2 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
@@ -3650,6 +3650,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) int i, min, max, hole; int flags = MC_SSL_O_ALL; int cfgerr = 0; + const int default_min_ver = CONF_TLSV12; ctx = SSL_CTX_new(SSLv23_server_method()); bind_conf->initial_ctx = ctx; @@ -3663,9 +3664,18 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) min = conf_ssl_methods->min; max = conf_ssl_methods->max; - /* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */ - if (!min && (!max || max >= CONF_TLSV12)) - min = CONF_TLSV12; + + /* default minimum is TLSV12, */ + if (!min) { + if (!max || (max >= default_min_ver)) { + min = default_min_ver; + } else { + ha_warning("Proxy '%s': Ambiguous configuration for bind '%s' at [%s:%d]: the ssl-min-ver value is not configured and the ssl-max-ver value is lower than the default ssl-min-ver value (%s). " + "Setting the ssl-min-ver to %s. Use 'ssl-min-ver' to fix this.\n", + bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line, methodVersions[default_min_ver].name, methodVersions[max].name); + min = max; + } + } /* Real min and max should be determinate with configuration and openssl's capabilities */ if (min) flags |= (methodVersions[min].flag - 1);
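Review bot: in the doc/configuration.txt hunk, the new ssl-max-ver text only says that using it without "ssl-min-ver" "can be ambiguous", but the code in this same commit resolves the ambiguity in a specific way (ssl-min-ver unset and ssl-max-ver below the TLSv1.2 default means ssl-min-ver is set to the ssl-max-ver value and a warning is emitted), and the doc should say so, otherwise a user reading "ssl-max-ver TLSv1.1" alone will not expect a TLSv1.1-only listener. Suggest appending after "versions." a sentence such as: `If "ssl-min-ver" is not set and "ssl-max-ver" is lower than the default, "ssl-min-ver" is set to the "ssl-max-ver" value and a warning is emitted.` (wrapped to the file's 80-column limit). The ssl-min-ver paragraph stating `The default value is "TLSv1.2".` is fine.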
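Review bot: in the `@@ -3650` hunk, `const int default_min_ver = CONF_TLSV12;` is local to ssl_sock_initial_ctx(), while the doc hunk now hard-codes "TLSv1.2" as the default and the commit message says the default is "TLSv1.2 currently". If the intent is that this default may move later (the doc's "could change in future HAProxy versions"), a named constant visible outside this function, used both here and by the warning text, would keep the code and the documentation from drifting apart; as written, changing the default means editing this literal and the doc separately.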
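Review bot: the `@@ -3663` hunk is a behaviour change, not only a new warning, and the commit message should say so. Before, with ssl-min-ver unset and ssl-max-ver below TLSv1.2 (e.g. `ssl-max-ver TLSv1.1`), the removed condition `if (!min && (!max || max >= CONF_TLSV12))` left `min` at 0, so no lower bound was added to `flags` and TLSv1.0 (and SSLv3 where the library permits it, per the removed "remove SSLv3,TLSv10,TLSv11 per default" comment) stayed negotiable; after, `min = max;` restricts that listener to a single protocol version. That is the safer outcome, but existing configurations relying on the old behaviour will silently lose the lower versions apart from the startup warning, so spell that out in the message. Style nits in the same hunk: the added comment `/* default minimum is TLSV12, */` has a trailing comma and the empty `+` line above it is unneeded; the parentheses in `(max >= default_min_ver)` are redundant; and the first ha_warning() string literal is one very long line, which could be split like the "Setting the ssl-min-ver to %s." part already is.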