1berry/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: default settings for ssl server options are not used

Browse Source 
Documentation states that default settings for ssl server options can be set
using either ssl-default-server-options or default-server directives. In practice,
not all ssl server options can have default values, such as ssl-min-ver, ssl-max-ver,
etc..

This patch adds the missing ssl options in srv_ssl_settings_cpy() and srv_parse_ssl(),
making it possible to write configurations like the following examples, and have them
behave as expected.

   global
     ssl-default-server-options ssl-max-ver TLSv1.2

   defaults
     mode http

   listen l1
     bind 1.2.3.4:80
     default-server ssl verify none
     server s1 1.2.3.5:443

   listen l2
     bind 2.2.3.4:80
     default-server ssl verify none ssl-max-ver TLSv1.3 ssl-min-ver TLSv1.2
     server s1 1.2.3.6:443

This should be backported as far as 1.8.
This fixes issue #595.
This commit is contained in:
Jerome Magnin 2020-04-22 11:40:18 +02:00 committed by William Lallemand
parent c3b7e74455
commit 2e8d52f869
2 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/server.c
View File

@ -1643,6 +1643,15 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host); srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
if (src->ssl_ctx.ciphers != NULL) if (src->ssl_ctx.ciphers != NULL)
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers); srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
if (src->ssl_ctx.options)
srv->ssl_ctx.options = src->ssl_ctx.options;
if (src->ssl_ctx.methods.flags)
srv->ssl_ctx.methods.flags = src->ssl_ctx.methods.flags;
if (src->ssl_ctx.methods.min)
srv->ssl_ctx.methods.min = src->ssl_ctx.methods.min;
if (src->ssl_ctx.methods.max)
srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL) #if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL)
if (src->ssl_ctx.ciphersuites != NULL) if (src->ssl_ctx.ciphersuites != NULL)
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites); srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);

10
src/ssl_sock.c
View File

@ -10051,6 +10051,16 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif #endif
newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
if (!newsrv->ssl_ctx.methods.min)
newsrv->ssl_ctx.methods.min = global_ssl.connect_default_sslmethods.min;
if (!newsrv->ssl_ctx.methods.max)
newsrv->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
return 0; return 0;
} }