On Fri, Oct 27, 2017 at 03:54:27PM +0200, Emmanuel Hocdet wrote:
>
> > On 27 Oct 2017 at 15:02, Olivier Houchard <[email protected]> wrote:
> >
> > The attached patch does use the ssl_conf, instead of abusing ssl_options.
> > I also added a new field in global_ssl, I wasn't so sure about this, but
> > decided people may want to enable 0RTT globally.
> >
> > Emmanuel, is this ok for you ?
> >
>
> A global option seems a bad idea.
>
> My opinion about global ssl 'options' for bind:
> . A good fit is in ssl-default-bind-options. It can be extended to more options like
> generate-cert, strict-sni, ...
> (In this case, having a kw_list would be a good idea, to have something better than
> if/then/else parsing in ssl_parse_default_bind_options.)
> . Some options already have 2 locations for configuration (bind line and per certificate);
> do we really need a third? And some options are not really good candidates.
>
> ++
> Manu
>
Hi,

The attached patch removes the global ssl-allow-0rtt option.

Regards,

Olivier
>From 119a9c1b5324c4ef0636bc35d8e431a17c287076 Mon Sep 17 00:00:00 2001 From: Olivier Houchard <[email protected]> Date: Tue, 31 Oct 2017 13:32:10 +0100 Subject: [PATCH] MINOR: ssl: Remove the global allow-0rtt option. --- doc/configuration.txt | 4 ---- src/ssl_sock.c | 20 -------------------- 2 files changed, 24 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 8d0624839..67b888905 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -847,10 +847,6 @@ resetenv [<name> ...] next line in the configuration file sees the new environment. See also "setenv", "presetenv", and "unsetenv". -ssl-allow-0rtt - Allow using 0RTT on every listener. 0RTT is prone to various attacks, so be - sure to know the security implications before activating it. - stats bind-process [ all | odd | even | <number 1-64>[-<number 1-64>] ] ... Limits the stats socket to a certain set of processes numbers. By default the stats socket is bound to all processes, causing a warning to be emitted when diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 13d952652..7f52c4057 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -166,7 +166,6 @@ static struct { char *crt_base; /* base directory path for certificates */ char *ca_base; /* base directory path for CAs and CRLs */ int async; /* whether we use ssl async mode */ - int default_early_data; /* Shall we default to allow early data */ char *listen_default_ciphers; char *connect_default_ciphers; @@ -7325,7 +7324,6 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); conf->ssl_options |= global_ssl.listen_default_ssloptions; conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags; - conf->ssl_conf.early_data = global_ssl.default_early_data; if (!conf->ssl_conf.ssl_methods.min) conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min; if (!conf->ssl_conf.ssl_methods.max) 
@@ -7819,23 +7817,6 @@ static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct pr return 0; } -/* parse the "ssl-allow-0rtt" keyword in global section. - * Returns <0 on alert, >0 on warning, 0 on success. - */ -static int ssl_parse_global_ssl_allow_0rtt(char **args, int section_type, - struct proxy *curpx, struct proxy *defpx, const char *file, int line, - char **err) -{ -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) - global_ssl.default_early_data = 1; - return 0; -#else - memprintf(err, "'%s': openssl library does not early data", args[0]); - return -1; -#endif - -} - /* parse the "ssl-mode-async" keyword in global section. * Returns <0 on alert, >0 on warning, 0 on success. */ @@ -8526,7 +8507,6 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base }, { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base }, { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int }, - { CFG_GLOBAL, "ssl-allow-0rtt", ssl_parse_global_ssl_allow_0rtt }, { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options }, { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options }, #ifndef OPENSSL_NO_DH -- 2.13.5
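Review bot: the doc/configuration.txt hunk drops the only text in this diff that warns that 0RTT "is prone to various attacks, so be sure to know the security implications before activating it"; make sure the remaining per-bind allow-0rtt documentation still carries that caveat, otherwise the warning disappears along with the global keyword.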
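Review bot: the bind_parse_ssl hunk removes `conf->ssl_conf.early_data = global_ssl.default_early_data;`, so early_data is no longer assigned any default in this function and depends on the bind_conf being zero-initialised before the per-bind allow-0rtt keyword can set it; worth confirming the allocation path does zero ssl_conf, or the field may be left unset rather than off.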
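Review bot: the removed ssl_parse_global_ssl_allow_0rtt had the error string "'%s': openssl library does not early data", which is missing the word "support"; if the bind-level allow-0rtt parser uses the same OPENSSL_VERSION_NUMBER guard and message, fix the wording there so the remaining keyword reports a readable error on builds without early-data support.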

