From 158c18e85a1e12c334b88144de2759a330916491 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 19 Apr 2023 08:28:40 +0200
Subject: [PATCH] MINOR: config: add "no-alpn" support for bind lines

It's possible to replace a previously set ALPN but not to disable ALPN if it was previously set. The new "no-alpn" setting allows to disable a previously set ALPN setting by preparing an empty one that will be replaced and freed when the config is validated.
---
 src/cfgparse-ssl.c | 24 ++++++++++++++++++++++++
 src/cfgparse.c | 6 ++++++
 2 files changed, 30 insertions(+)

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 1b33eecb87..43ac3dfdc8 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1331,12 +1331,34 @@ static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct
 return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
+/* parse the "no-alpn" ssl-bind keyword, storing an empty ALPN string */
+static int ssl_bind_parse_no_alpn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
+{
+ free(conf->alpn_str);
+ conf->alpn_len = 0;
+ conf->alpn_str = strdup("");
+
+ if (!conf->alpn_str) {
+ memprintf(err, "'%s' : out of memory", *args);
+ return ERR_ALERT | ERR_FATAL;
+ }
+ return 0;
+}
+
+/* parse the "no-alpn" bind keyword, storing an empty ALPN string */
+static int bind_parse_no_alpn(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_no_alpn(args, cur_arg, px, &conf->ssl_conf, 0, err);
+}
+
+
 /* parse the "no-ca-names" bind keyword */
 static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
 {
 conf->no_ca_names = 1;
 return 0;
 }
+
 static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
 return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
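Review bot: ssl_bind_parse_no_alpn encodes "ALPN disabled" as a non-NULL alpn_str with alpn_len == 0, but the only code that resolves that marker is the cfgparse.c hunk, which touches bind_conf->ssl_conf alone; the same parser is also registered in ssl_crtlist_kws (second hunk of this file), so a crt-list entry using no-alpn would presumably keep the zero-length string in its own ssl_bind_conf with nothing visible here freeing or neutralising it — worth confirming how that per-certificate ssl_conf is merged or consumed before SSL context setup. The header comment should state the contract rather than only the mechanics, e.g. `/* parse the "no-alpn" ssl-bind keyword. Leaves a non-NULL, zero-length alpn_str as a marker meaning "ALPN explicitly disabled"; config validation (cfgparse.c, stage 1) frees it and resets alpn_str to NULL. */`. Whether the "alpn" keyword parser frees the previous alpn_str before assigning a new one is not visible in this hunk; if it does not, "no-alpn" followed by "alpn" on the same bind line leaks the strdup'd empty string.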
@@ -1984,6 +2006,7 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
 { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
 { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
 { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-alpn", ssl_bind_parse_no_alpn, 0 }, /* disable sending ALPN */
 { "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
 { "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
 { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
@@ -2019,6 +2042,7 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
 { "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
 { "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
 { "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
+ { "no-alpn", bind_parse_no_alpn, 0 }, /* disable sending ALPN */
 { "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
 { "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
 { "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index a978721568..ce9932b0ad 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2932,6 +2932,12 @@ init_proxies_list_stage1:
 * HTTP/2 and absolutely require buffers 16kB or larger.
 */
 #ifdef USE_OPENSSL
+ /* no-alpn ? If so, it's the right moment to remove it */
+ if (bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.alpn_len) {
+ free(bind_conf->ssl_conf.alpn_str);
+ bind_conf->ssl_conf.alpn_str = NULL;
+ }
+
 if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
 #ifdef OPENSSL_NPN_NEGOTIATED
 /* check NPN */
-- 
2.39.5
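Review bot: The comment `/* no-alpn ? If so, it's the right moment to remove it */` says when this runs but not why `alpn_str && !alpn_len` identifies a no-alpn bind, so a reader of cfgparse.c cannot tell this is a marker left by the keyword parser rather than a stray empty string; I would write `/* "no-alpn" leaves a non-NULL, zero-length alpn_str as a marker; drop it here, before the h2 buffer-size checks below, so the bind is treated as having no ALPN at all */`. The block sits under `#ifdef USE_OPENSSL` in stage 1 and the enclosing loop over bind_conf starts outside the hunk, so whether every bind_conf that can carry the marker passes through this point cannot be confirmed from here. Any other path that could legitimately yield a non-NULL alpn_str with alpn_len == 0 would be silently discarded by this test as well, which is presumably intended but deserves a word in the comment.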