From: Remi Tricot-Le Breton
Date: Mon, 16 May 2022 14:24:32 +0000 (+0200)
Subject: MINOR: ssl: Add 'ssl-propquery' global option
X-Git-Tag: v2.6-dev11~101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e80976526c1e738795e60e381f4b978c3d24b382;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Add 'ssl-propquery' global option
This option can be used to define a default property query used when fetching algorithms in OpenSSL providers. It follows the format described in https://www.openssl.org/docs/man3.0/man7/property.html. It is only available when haproxy is built with SSL support and linked to OpenSSLv3 libraries.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1b57c6969d..7632291c20 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1050,6 +1050,7 @@ The following keywords are supported in the "global" section :
 - ssl-default-server-ciphersuites
 - ssl-default-server-options
 - ssl-dh-param-file
+ - ssl-propquery
 - ssl-server-verify
 - ssl-skip-self-issued-ca
 - unix-bind 
@@ -2060,6 +2061,17 @@ ssl-dh-param-file "openssl dhparam ", where size should be at least 2048, as 1024-bit DH parameters should not be considered secure anymore. +ssl-propquery This setting is only available when support for OpenSSL was built in and when OpenSSL's version is at least 3.0. It allows to define a default property string used when fetching algorithms in providers. It behave the same way as the openssl propquery option and it follows the same syntax (described in https://www.openssl.org/docs/man3.0/man7/property.html). For instance, if you have two providers loaded, the foo one and the default one, the propquery "?provider=foo" allows to pick the algorithm implementations provided by the foo provider by default, and to fallback on the default provider's one if it was not found. + ssl-load-extra-del-ext This setting allows to configure the way HAProxy does the lookup for the extra SSL files. By default HAProxy adds a new extension to the filename.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 462743e45e..513cfd6a7e 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -180,6 +180,28 @@ add_engine:
 }
 #endif
+#ifdef HAVE_SSL_PROVIDERS
+/* parse the "ssl-propquery" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_propquery(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ int ret = -1;
+
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a property string as an argument.", args[0]);
+ return ret;
+ }
+
+ if (EVP_set_default_properties(NULL, args[1]))
+ ret = 0;
+
+ return ret;
+}
+#endif
+
 /* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
 * in global section. Returns <0 on alert, >0 on warning, 0 on success.
 */ 
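Review bot: In ssl_parse_global_ssl_propquery, the EVP_set_default_properties() failure path returns -1 without filling `*err`, so a malformed or unsupported property query — the one error an operator is actually likely to hit — is reported with no explanation (whether the caller prints a generic fallback when `*err` is NULL is not visible in this hunk). Turning the final check into `if (EVP_set_default_properties(NULL, args[1])) ret = 0; else memprintf(err, "global statement '%s': invalid property query '%s'.", args[0], args[1]);` gives the operator the rejected string in the alert. It is also worth documenting in the header comment that the query is applied to the default OpenSSL library context at parse time and is therefore process-global for every later algorithm fetch, and that a second `ssl-propquery` line presumably replaces the first rather than combining with it, e.g. ` * Applied immediately to the default library context; a later occurrence replaces the earlier one.`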
@@ -1935,6 +1957,9 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 { CFG_GLOBAL, "ssl-mode-async", ssl_parse_global_ssl_async },
 #if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
 { CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine },
+#endif
+#ifdef HAVE_SSL_PROVIDERS
+ { CFG_GLOBAL, "ssl-propquery", ssl_parse_global_ssl_propquery },
 #endif
 { CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
 { CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },