Hi, please find attached to this mail two patches. One aims at addressing issue #595 on github, where Anit reports some server ssl options default values aren't applied when set with default-server or ssl-default-server-options directives. The other patch adds a new keyword in global section to set default bind curves. Jérôme
>From d86993cbd4476e1901eafdc7fbe88d31ca6f8e90 Mon Sep 17 00:00:00 2001
From: Jerome Magnin <jmag...@haproxy.com>
Date: Wed, 22 Apr 2020 11:40:18 +0200
Subject: [PATCH] BUG/MINOR: ssl: default settings for ssl server options are not used
Documentation states that default settings for ssl server options can be set using either ssl-default-server-options or default-server directives. In practice, not all ssl server options can have default values, such as ssl-min-ver, ssl-max-ver, etc.. This patch adds the missing ssl options in srv_ssl_settings_cpy() and srv_parse_ssl(), making it possible to write configurations like the following examples, and have them behave as expected. global ssl-default-server-options ssl-max-ver TLSv1.2 defaults mode http listen l1 bind 1.2.3.4:80 default-server ssl verify none server s1 1.2.3.5:443 listen l2 bind 2.2.3.4:80 default-server ssl verify none ssl-max-ver TLSv1.3 ssl-min-ver TLSv1.2 server s1 1.2.3.6:443 This should be backported as far as 1.8. This fixes issue #595.
---
 src/server.c | 9 +++++++++
 src/ssl_sock.c | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/server.c b/src/server.c
index 4c745d655..f90cfff5a 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1643,6 +1643,15 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
 srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
 if (src->ssl_ctx.ciphers != NULL)
 srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
+ if (src->ssl_ctx.options)
+ srv->ssl_ctx.options = src->ssl_ctx.options;
+ if (src->ssl_ctx.methods.flags)
+ srv->ssl_ctx.methods.flags = src->ssl_ctx.methods.flags;
+ if (src->ssl_ctx.methods.min)
+ srv->ssl_ctx.methods.min = src->ssl_ctx.methods.min;
+ if (src->ssl_ctx.methods.max)
+ srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
+
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
 if (src->ssl_ctx.ciphersuites != NULL)
 srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..2d52facb2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
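Review bot: The four `if (src->ssl_ctx.X) srv->ssl_ctx.X = src->ssl_ctx.X;` guards added to srv_ssl_settings_cpy only skip the copy when the source field is zero, which matters solely if srv can already carry ssl settings when this copy runs; the hunk does not show whether it does. If this is the fresh-server copy from the default-server template, the guards are dead weight and plain assignments read clearer: `srv->ssl_ctx.options = src->ssl_ctx.options;` and `srv->ssl_ctx.methods = src->ssl_ctx.methods;` (one struct copy covering flags, min and max). If srv may already hold values, then `options` and `methods.flags` are bitmasks that the companion srv_parse_ssl hunk merges with `|=`, and doing the same here would keep the two paths consistent instead of overwriting one mask with the other. A one-line comment stating which of the two cases applies would settle it for the next reader. srv_ssl_settings_cpy begins and ends outside the hunk.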
@@ -10050,6 +10050,16 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
 if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
 newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
 #endif
+ newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
+ newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
+
+ if (!newsrv->ssl_ctx.methods.min)
+ newsrv->ssl_ctx.methods.min = global_ssl.connect_default_sslmethods.min;
+
+ if (!newsrv->ssl_ctx.methods.max)
+ newsrv->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
+
 return 0;
 }
-- 
2.26.2
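Review bot: Merging the global bitmask defaults inside srv_parse_ssl makes the outcome depend on keyword order on the server line: the two `|=` lines OR `connect_default_ssloptions` and `connect_default_sslmethods.flags` into the server at the moment `ssl` is parsed, so a keyword placed before `ssl` that clears a bit (a `tls-tickets`-style keyword clearing the no-tls-tickets bit, not visible here) is silently re-enabled by the default, while the same keyword placed after `ssl` wins. The `!methods.min` / `!methods.max` checks do not suffer from this because an explicit version survives in either position, but a cleared bit is indistinguishable from a never-set one, so the masks cannot be protected the same way. Applying the mask defaults once after the whole line has been parsed, or when the server's SSL context is prepared, would remove the ordering dependency; failing that, the `ssl` keyword documentation should state that it must precede any option it is meant to be overridden by. srv_parse_ssl starts before this hunk.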
>From e2d311f55f3a3eb5728f5dcf376ed54c672160a3 Mon Sep 17 00:00:00 2001
From: Jerome Magnin <jmag...@haproxy.com>
Date: Fri, 3 Apr 2020 15:28:22 +0200
Subject: [PATCH] MINOR: config: add a global directive to set default SSL curves

This commit adds a new keyword to the global section to set default curves for ssl binds: - ssl-default-bind-curves It is also possible to preset them at build time by setting the macro LISTEN_DEFAULT_CURVES.
---
 Makefile | 2 ++
 doc/configuration.txt | 8 ++++++++
 src/ssl_sock.c | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)

diff --git a/Makefile b/Makefile
index 1e4213989..9e4cdef90 100644
--- a/Makefile
+++ b/Makefile
@@ -238,6 +238,8 @@ ADDLIB =
 # ciphers on "bind" lines instead of using OpenSSL's defaults.
 # CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
 # SSL ciphers on "server" lines instead of using OpenSSL's defaults.
+# LISTEN_DEFAULT_CURVES is a curve suite string sued to set the default SSL
+# curves on "bind" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 2e548b66c..9b0b1d4f7 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -622,6 +622,7 @@ The following keywords are supported in the "global" section :
 - stats
 - ssl-default-bind-ciphers
 - ssl-default-bind-ciphersuites
+ - ssl-default-bind-curves
 - ssl-default-bind-options
 - ssl-default-server-ciphers
 - ssl-default-server-ciphersuites
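Review bot: The new Makefile comment has a typo, `sued` for `used`: `# LISTEN_DEFAULT_CURVES is a curve suite string used to set the default SSL`. Since the ssl_sock.c initializer in this same patch uses the macro directly as a `char *` initializer, it would also help to say that the value must expand to a quoted C string, for example (constructed) `DEFINE=-DLISTEN_DEFAULT_CURVES='"X25519:P-256"'`, as a reader setting it from the command line has no other hint.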
@@ -1270,6 +1271,13 @@ ssl-default-bind-ciphersuites <ciphersuites>
 "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more information.
+ssl-default-bind-curves <curves>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of elliptic curves algorithms ("curve
+ suite") that are negotiated during the SSL/TLS handshake with ECDHE. The format
+ of the string is a colon-delimited list of curve name.
+ Please check the "bind" keyword for more information.
+
 ssl-default-bind-options [<option>]...
 This setting is only available when support for OpenSSL was built in. It sets
 default ssl-options to force on all "bind" lines. Please check the "bind"
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9077e9114..857b2292e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -175,6 +175,9 @@ static struct {
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 char *listen_default_ciphersuites;
 char *connect_default_ciphersuites;
+#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+ char *listen_default_curves;
 #endif
 int listen_default_ssloptions;
 int connect_default_ssloptions;
@@ -202,6 +205,11 @@ static struct {
 #ifdef CONNECT_DEFAULT_CIPHERSUITES
 .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
 #endif
+#endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+#ifdef LISTEN_DEFAULT_CURVES
+ .listen_default_curves = LISTEN_DEFAULT_CURVES,
+#endif
 #endif
 .listen_default_ssloptions = BC_SSL_O_NONE,
 .connect_default_ssloptions = SRV_SSL_O_NONE,
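Review bot: The preprocessor condition `((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))` is spelled out verbatim five times by this patch: in the global_ssl field declaration here, in its initializer just below, and again in the bind_parse_ssl, ssl_parse_global_curves and cfg_kws hunks. Evaluating it once into a single feature macro near the top of ssl_sock.c (a name such as `HAVE_SSL_CURVES` is only a placeholder suggestion) and testing `#ifdef` in those five places keeps the guards from drifting apart, and presumably lets them share whatever guard the existing `curves` field of the bind configuration already uses. A short comment on the macro saying which OpenSSL/LibreSSL capability it stands for would replace the magic version number with its meaning.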
@@ -9516,6 +9524,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
 conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+ if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
+ conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
+#endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
 conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
@@ -10493,6 +10505,31 @@ static int ssl_parse_global_ciphersuites(char **args, int section_type, struct p
 }
 #endif
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+/*
+ * parse the "ssl-default-bind-curves" keyword in a global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_curves(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ char **target;
+ target = &global_ssl.listen_default_curves;
+
+ if (too_many_args(1, args, err, NULL))
+ return -1;
+
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a curves suite as an arguments.", args[0]);
+ return -1;
+ }
+
+ free(*target);
+ *target = strdup(args[1]);
+ return 0;
+}
+#endif
 /* parse various global tune.ssl settings consisting in positive integers.
 * Returns <0 on alert, >0 on warning, 0 on success. */
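Review bot: `*target = strdup(args[1]);` in ssl_parse_global_curves is unchecked, so on allocation failure the previous value has already been freed, global_ssl.listen_default_curves is left NULL and the directive is still reported as a success; adding `if (!*target) { memprintf(err, "out of memory"); return -1; }` after the strdup closes that gap (if the sibling ssl_parse_global_ciphers leaves it unchecked too, that is a pre-existing pattern rather than a reason to repeat it). The error message has a grammar slip and should read `"global statement '%s' expects a curves suite as an argument."`. The `char **target` indirection only adds a line here; `free(global_ssl.listen_default_curves); global_ssl.listen_default_curves = strdup(args[1]);` says the same thing directly. The curve list is stored without validation; if, as with the per-bind `curves` keyword, it is only checked when the SSL context is built, a sentence in the function comment saying so would save the reader a search.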
@@ -13008,6 +13045,9 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
 { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
 { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
+#if ((HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL) || defined(LIBRESSL_VERSION_NUMBER))
+ { CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
+#endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
 { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
 { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
-- 
2.26.2