Re: All "server" settings supported on "default-server" lines

Frederic Lecaille Tue, 21 Mar 2017 12:10:23 -0700

>From 1e0bb327696daf9f2b39beff1f981767fd047cc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= <flecai...@haproxy.com>
Date: Mon, 13 Mar 2017 11:32:20 +0100
Subject: [PATCH 10/31] MINOR: server: Make 'default-server' support 'no-ssl*'
 and 'no-tlsv*' keywo rds.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4


This patch makes 'default-server' directive support 'no-sslv3' (resp. 'no-ssl-reuse',
'no-tlsv10', 'no-tlsv11', 'no-tlsv12', and 'no-tls-tickets') setting.
New keywords 'sslv3' (resp. 'ssl-reuse', 'tlsv10', 'tlsv11', 'tlsv12', and
'tls-no-tickets') have been added to disable these settings both in 'server' and
'default-server' directives.
---
 src/ssl_sock.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 54 insertions(+), 6 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2e7ae4b..2066e30 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6692,6 +6692,48 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
 	return 0;
 }
 
+/* parse the "ssl-reuse" server keyword */
+static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_REUSE;
+	return 0;
+}
+
+/* parse the "sslv3" server keyword */
+static int srv_parse_sslv3(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_SSLV3;
+	return 0;
+}
+
+/* parse the "tlsv10" server keyword */
+static int srv_parse_tlsv10(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV10;
+	return 0;
+}
+
+/* parse the "tlsv11" server keyword */
+static int srv_parse_tlsv11(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV11;
+	return 0;
+}
+
+/* parse the "tlsv12" server keyword */
+static int srv_parse_tlsv12(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLSV12;
+	return 0;
+}
+
+/* parse the "tls-tickets" server keyword */
+static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLS_TICKETS;
+	return 0;
+}
+
 /* parse the "verify" server keyword */
 static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -7430,16 +7472,22 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "no-force-tlsv10",       srv_parse_no_force_tlsv10, 0, 1 }, /* do not force TLSv10 */
 	{ "no-force-tlsv11",       srv_parse_no_force_tlsv11, 0, 1 }, /* do not force TLSv11 */
 	{ "no-force-tlsv12",       srv_parse_no_force_tlsv12, 0, 1 }, /* do not force TLSv12 */
-	{ "no-ssl-reuse",          srv_parse_no_ssl_reuse,    0, 0 }, /* disable session reuse */
-	{ "no-sslv3",              srv_parse_no_sslv3,        0, 0 }, /* disable SSLv3 */
-	{ "no-tlsv10",             srv_parse_no_tlsv10,       0, 0 }, /* disable TLSv10 */
-	{ "no-tlsv11",             srv_parse_no_tlsv11,       0, 0 }, /* disable TLSv11 */
-	{ "no-tlsv12",             srv_parse_no_tlsv12,       0, 0 }, /* disable TLSv12 */
-	{ "no-tls-tickets",        srv_parse_no_tls_tickets,  0, 0 }, /* disable session resumption tickets */
+	{ "no-ssl-reuse",          srv_parse_no_ssl_reuse,    0, 1 }, /* disable session reuse */
+	{ "no-sslv3",              srv_parse_no_sslv3,        0, 1 }, /* disable SSLv3 */
+	{ "no-tlsv10",             srv_parse_no_tlsv10,       0, 1 }, /* disable TLSv10 */
+	{ "no-tlsv11",             srv_parse_no_tlsv11,       0, 1 }, /* disable TLSv11 */
+	{ "no-tlsv12",             srv_parse_no_tlsv12,       0, 1 }, /* disable TLSv12 */
+	{ "no-tls-tickets",        srv_parse_no_tls_tickets,  0, 1 }, /* disable session resumption tickets */
 	{ "send-proxy-v2-ssl",     srv_parse_send_proxy_ssl,  0, 0 }, /* send PROXY protocol header v2 with SSL info */
 	{ "send-proxy-v2-ssl-cn",  srv_parse_send_proxy_cn,   0, 0 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",                   srv_parse_sni,             1, 0 }, /* send SNI extension */
 	{ "ssl",                   srv_parse_ssl,             0, 0 }, /* enable SSL processing */
+	{ "ssl-reuse",             srv_parse_ssl_reuse,       0, 1 }, /* enable session reuse */
+	{ "sslv3",                 srv_parse_sslv3,           0, 1 }, /* enable SSLv3 */
+	{ "tlsv10",                srv_parse_tlsv10,          0, 1 }, /* enable TLSv10 */
+	{ "tlsv11",                srv_parse_tlsv11,          0, 1 }, /* enable TLSv11 */
+	{ "tlsv12",                srv_parse_tlsv12,          0, 1 }, /* enable TLSv12 */
+	{ "tls-tickets",           srv_parse_tls_tickets,     0, 1 }, /* enable session resumption tickets */
 	{ "verify",                srv_parse_verify,          1, 0 }, /* set SSL verify method */
 	{ "verifyhost",            srv_parse_verifyhost,      1, 0 }, /* require that SSL cert verifies for hostname */
 	{ NULL, NULL, 0, 0 },
-- 
2.1.4

Re: All "server" settings supported on "default-server" lines

Reply via email to