Hi,
please find attached to this mail two patches.
One aims at addressing issue #595 on github, where Anit reports that some server
ssl option default values aren't applied when set with the default-server or
ssl-default-server-options directives.
The other patch adds a new keyword in global section to set default bind curves.
Jérôme
>From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001
From: Jerome Magnin <[email protected]>
Date: Wed, 22 Apr 2020 11:40:18 +0200
Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are
not used
Documentation states that default settings for ssl server options can be set
using either ssl-default-server-options or default-server directives. In
practice, not all ssl server options can have default values, such as
ssl-min-ver, ssl-max-ver, etc.
This patch adds the missing ssl options in srv_ssl_settings_cpy() and
srv_parse_ssl(), making it possible to write configurations like the following
examples and have them behave as expected.
global
ssl-default-server-options ssl-max-ver TLSv1.2
defaults
mode http
listen l1
bind 1.2.3.4:80
default-server ssl verify none
server s1 1.2.3.5:443
listen l2
bind 2.2.3.4:80
default-server ssl verify none ssl-max-ver TLSv1.3 ssl-min-ver TLSv1.2
server s1 1.2.3.6:443
This should be backported as far as 1.8.
This fixes issue #595.
---
src/server.c | 9 +++++++++
src/ssl_sock.c | 10 ++++++++++
2 files changed, 19 insertions(+)
diff --git a/src/server.c b/src/server.c
index 4c745d655..f90cfff5a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1643,6 +1643,15 @@ static void srv_ssl_settings_cpy(struct server *srv,
struct server *src)
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
if (src->ssl_ctx.ciphers != NULL)
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
+ if (src->ssl_ctx.options)
+ srv->ssl_ctx.options = src->ssl_ctx.options;
+ if (src->ssl_ctx.methods.flags)
+ srv->ssl_ctx.methods.flags = src->ssl_ctx.methods.flags;
+ if (src->ssl_ctx.methods.min)
+ srv->ssl_ctx.methods.min = src->ssl_ctx.methods.min;
+ if (src->ssl_ctx.methods.max)
+ srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
+
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
if (src->ssl_ctx.ciphersuites != NULL)
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
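Review bot: The four new `if (src->ssl_ctx.…)` guards make each copy conditional on the source value being non-zero, which for plain integer fields is not needed: the string fields above are guarded only because `strdup(NULL)` must be avoided, while a zero default here simply leaves whatever `srv` already held instead of copying the default. Unless a non-fresh `srv` can reach this function, assigning unconditionally — `srv->ssl_ctx.options = src->ssl_ctx.options;` and likewise for `methods.flags`, `methods.min` and `methods.max` — is simpler and reads as "copy the defaults", which is what the commit message promises. srv_ssl_settings_cpy's body starts and ends outside the hunk.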
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..2d52facb2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10050,6 +10050,16 @@ static int srv_parse_ssl(char **args, int *cur_arg,
struct proxy *px, struct ser
if (global_ssl.connect_default_ciphersuites &&
!newsrv->ssl_ctx.ciphersuites)
newsrv->ssl_ctx.ciphersuites =
strdup(global_ssl.connect_default_ciphersuites);
#endif
+ newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
+ newsrv->ssl_ctx.methods.flags |=
global_ssl.connect_default_sslmethods.flags;
+
+ if (!newsrv->ssl_ctx.methods.min)
+ newsrv->ssl_ctx.methods.min =
global_ssl.connect_default_sslmethods.min;
+
+ if (!newsrv->ssl_ctx.methods.max)
+ newsrv->ssl_ctx.methods.max =
global_ssl.connect_default_sslmethods.max;
+
+
return 0;
}
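Review bot: The two `|=` lines merge the global defaults into the server's option and method bitmasks, so a bit set by `ssl-default-server-options` can be added to but never cleared on a server or default-server line, while `methods.min`/`methods.max` keep the server-line value whenever one was set; this difference in precedence deserves a comment, e.g. `/* global defaults: option/method bits are OR-ed in (a server line can only add to them), min/max versions apply only when the server line left them unset */`. Whether that matches the intended semantics when both the global section and a server line specify a version is hard to tell from the hunk; a configuration with both (as in the commit message's l2 example plus a global ssl-max-ver) would be worth exercising. The two consecutive blank lines before `return 0;` can be collapsed to one. srv_parse_ssl's body starts outside the hunk.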
--
2.26.2
>From e2d311f55f3a3eb5728f5dcf376ed54c672160a3 Mon Sep 17 00:00:00 2001
From: Jerome Magnin <[email protected]>
Date: Fri, 3 Apr 2020 15:28:22 +0200
Subject: [PATCH] MINOR: config: add a global directive to set default SSL
curves
This commit adds a new keyword to the global section to set default
curves for ssl binds:
- ssl-default-bind-curves
It is also possible to preset them at build time by setting the macro
LISTEN_DEFAULT_CURVES.
---
Makefile | 2 ++
doc/configuration.txt | 8 ++++++++
src/ssl_sock.c | 40 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 50 insertions(+)
diff --git a/Makefile b/Makefile
index 1e4213989..9e4cdef90 100644
--- a/Makefile
+++ b/Makefile
@@ -238,6 +238,8 @@ ADDLIB =
# ciphers on "bind" lines instead of using OpenSSL's defaults.
# CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
# SSL ciphers on "server" lines instead of using OpenSSL's defaults.
+# LISTEN_DEFAULT_CURVES is a curve suite string sued to set the default SSL
+# curves on "bind" lines instead of using OpenSSL's defaults.
DEFINE =
SILENT_DEFINE =
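Review bot: Typo in the new comment on the first added line: `sued` should read `used`, i.e. `# LISTEN_DEFAULT_CURVES is a curve suite string used to set the default SSL`. The remainder of the comment follows the wording of the two entries above it, so nothing else needs changing.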
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..9b0b1d4f7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -622,6 +622,7 @@ The following keywords are supported in the "global"
section :
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
+ - ssl-default-bind-curves
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
@@ -1270,6 +1271,13 @@ ssl-default-bind-ciphersuites <ciphersuites>
"ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
information.
+ssl-default-bind-curves <curves>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of elliptic curves algorithms ("curve
+ suite") that are negotiated during the SSL/TLS handshake with ECDHE. The
format
+ of the string is a colon-delimited list of curve name.
+ Please check the "bind" keyword for more information.
+
ssl-default-bind-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
default ssl-options to force on all "bind" lines. Please check the "bind"
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..857b2292e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -175,6 +175,9 @@ static struct {
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
char *listen_default_ciphersuites;
char *connect_default_ciphersuites;
+#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
defined(LIBRESSL_VERSION_NUMBER))
+ char *listen_default_curves;
#endif
int listen_default_ssloptions;
int connect_default_ssloptions;
@@ -202,6 +205,11 @@ static struct {
#ifdef CONNECT_DEFAULT_CIPHERSUITES
.connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
#endif
+#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
defined(LIBRESSL_VERSION_NUMBER))
+#ifdef LISTEN_DEFAULT_CURVES
+ .listen_default_curves = LISTEN_DEFAULT_CURVES,
+#endif
#endif
.listen_default_ssloptions = BC_SSL_O_NONE,
.connect_default_ssloptions = SRV_SSL_O_NONE,
@@ -9516,6 +9524,10 @@ static int bind_parse_ssl(char **args, int cur_arg,
struct proxy *px, struct bin
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
conf->ssl_conf.ciphers =
strdup(global_ssl.listen_default_ciphers);
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
defined(LIBRESSL_VERSION_NUMBER))
+ if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
+ conf->ssl_conf.curves =
strdup(global_ssl.listen_default_curves);
+#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (global_ssl.listen_default_ciphersuites &&
!conf->ssl_conf.ciphersuites)
conf->ssl_conf.ciphersuites =
strdup(global_ssl.listen_default_ciphersuites);
@@ -10493,6 +10505,31 @@ static int ssl_parse_global_ciphersuites(char **args,
int section_type, struct p
}
#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
defined(LIBRESSL_VERSION_NUMBER))
+/*
+ * parse the "ssl-default-bind-curves" keyword in a global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_curves(char **args, int section_type, struct proxy
*curpx,
+ struct proxy *defpx, const char *file, int
line,
+ char **err)
+{
+ char **target;
+ target = &global_ssl.listen_default_curves;
+
+ if (too_many_args(1, args, err, NULL))
+ return -1;
+
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a curves suite as
an arguments.", args[0]);
+ return -1;
+ }
+
+ free(*target);
+ *target = strdup(args[1]);
+ return 0;
+}
+#endif
/* parse various global tune.ssl settings consisting in positive integers.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
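Review bot: `*target = strdup(args[1]);` stores the result without a NULL check, so on allocation failure the parser returns 0 and the directive is silently dropped rather than reported; adding `if (!*target) { memprintf(err, "out of memory"); return -1; }` after the strdup keeps a configuration error from being masked (if the ciphers parser this was modelled on has the same gap, it is worth fixing there too). The error message text "as an arguments" is ungrammatical; `"global statement '%s' expects a curves suite as an argument."` is the intended form. The `target` pointer indirection is a leftover from a parser that selects between several fields — with a single keyword, `global_ssl.listen_default_curves` can be used directly. The curve list is not validated here; presumably it is only checked by the SSL library when a bind context is set up, and a one-line comment saying where a bad curve name is reported would save readers a search.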
@@ -13008,6 +13045,9 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size",
ssl_parse_global_capture_cipherlist },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) ||
defined(LIBRESSL_VERSION_NUMBER))
+ { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
+#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites",
ssl_parse_global_ciphersuites },
{ CFG_GLOBAL, "ssl-default-server-ciphersuites",
ssl_parse_global_ciphersuites },
--
2.26.2