From e566ecbea88ec1166faafc6a4b121f3ec08a7853 Mon Sep 17 00:00:00 2001
From: David BERARD <contact@davidberard.fr>
Date: Tue, 4 Sep 2012 15:15:13 +0200
Subject: [PATCH] MEDIUM: ssl: add support for prefer-server-ciphers option

I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to frontend, if the 'prefer-server-ciphers' keyword is set.

Example :
	bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigate the effect of the BEAST Attack (as I understand), and it
equivalent to :
	- Apache HTTPd SSLHonorCipherOrder option.
	- Nginx ssl_prefer_server_ciphers option.

[WT: added a test for the support of the option]
---
 include/types/protocols.h |  1 +
 src/cfgparse.c            | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/include/types/protocols.h b/include/types/protocols.h
index b075ef6a83..1d962eaa99 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -137,6 +137,7 @@ struct listener {
 		char *ciphers;		/* cipher suite to use if non-null */
 		int nosslv3;		/* disable SSLv3 */
 		int notlsv1;		/* disable TLSv1 */
+		int prefer_server_ciphers; /* Prefer server ciphers */
 	} ssl_ctx;
 #endif
 	/* warning: this struct is huge, keep it at the bottom */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index f5061b3173..6ff166e99b 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1889,6 +1889,23 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 #endif
 			}
 
+			if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
+#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+				struct listener *l;
+
+				for (l = curproxy->listen; l != last_listen; l = l->next)
+					l->ssl_ctx.prefer_server_ciphers = 1;
+
+				cur_arg += 1;
+				continue;
+#else
+				Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+				      file, linenum, args[0], args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif
+			}
+
 			if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
 				struct listener *l;
 
@@ -6794,6 +6811,10 @@ out_uri_auth_compat:
 			}
 
 #ifdef USE_OPENSSL
+#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE                 /* needs OpenSSL >= 0.9.7 */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
+#endif
+
 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	/* needs OpenSSL >= 0.9.7 */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
 #endif
@@ -6827,6 +6848,8 @@ out_uri_auth_compat:
 					ssloptions |= SSL_OP_NO_SSLv3;
 				if (listener->ssl_ctx.notlsv1)
 					ssloptions |= SSL_OP_NO_TLSv1;
+				if (listener->ssl_ctx.prefer_server_ciphers)
+					ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 				SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
 				SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
 				SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);
-- 
2.39.5