From: Remi Tricot-Le Breton
Date: Tue, 17 May 2022 13:18:37 +0000 (+0200)
Subject: MINOR: ssl: Add 'ssl-provider-path' global option
X-Git-Tag: v2.6-dev11~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ccc0355c413ad3bc808ee3eaf3b8e69516025cca;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Add 'ssl-provider-path' global option

When loading providers with 'ssl-provider' global options, this ssl-provider-path option can be used to set the search path that is to be used by openssl. It behaves the same way as the OPENSSL_MODULES environment variable.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8198181b03..7293a3cb43 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1052,6 +1052,7 @@ The following keywords are supported in the "global" section :
 - ssl-dh-param-file
 - ssl-propquery
 - ssl-provider
+ - ssl-provider-path
 - ssl-server-verify
 - ssl-skip-self-issued-ca
 - unix-bind
@@ -2090,7 +2091,16 @@ ssl-provider
 "openssl version -a" command. If the provider is in another directory, you can set the OPENSSL_MODULES environment variable, which takes the directory where your provider can be found.
- See also "ssl-propquery".
+ See also "ssl-propquery" and "ssl-provider-path".
+
+ssl-provider-path
+ This setting is only available when support for OpenSSL was built in and when
+ OpenSSL's version is at least 3.0. It allows to specify the search path that
+ is to be used by OpenSSL for looking for providers. It behaves the same way
+ as the OPENSSL_MODULES environment variable. It will be used for any
+ following 'ssl-provider' option or until a new 'ssl-provider-path' is
+ defined.
+ See also "ssl-provider".
 ssl-load-extra-del-ext
 This setting allows to configure the way HAProxy does the lookup for the
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 326cc210cc..6530775a99 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -220,6 +220,23 @@ static int ssl_parse_global_ssl_provider(char **args, int section_type, struct p
 return ret;
 }
+
+/* parse the "ssl-provider-path" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_provider_path(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a directory path as an argument.", args[0]);
+ return -1;
+ }
+
+ OSSL_PROVIDER_set_default_search_path(NULL, args[1]);
+
+ return 0;
+}
 #endif
 /* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
@@ -1981,6 +1998,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #ifdef HAVE_SSL_PROVIDERS
 { CFG_GLOBAL, "ssl-propquery", ssl_parse_global_ssl_propquery },
 { CFG_GLOBAL, "ssl-provider", ssl_parse_global_ssl_provider },
+ { CFG_GLOBAL, "ssl-provider-path", ssl_parse_global_ssl_provider_path },
 #endif
 { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
 { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
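Review bot: The return value of `OSSL_PROVIDER_set_default_search_path(NULL, args[1])` in the new `ssl_parse_global_ssl_provider_path` is discarded; OpenSSL documents a 0 return on failure, in which case the previously configured search path stays in force while the parser reports success, so a later `ssl-provider` line could load its module from a directory other than the one the administrator configured. Checking it the same way as the empty-argument case keeps the failure visible at startup: `if (!OSSL_PROVIDER_set_default_search_path(NULL, args[1])) { memprintf(err, "global statement '%s': failed to set the provider search path '%s'.", args[0], args[1]); return -1; }`. Since this path is where provider shared objects are loaded from, the matching doc hunk in doc/configuration.txt could also state how a relative path is interpreted (presumably resolved against the working directory at the moment the provider is loaded, during configuration parsing and before any chroot takes effect — worth confirming against OpenSSL's module loading before wording it).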