MINOR: config: add "no-alpn" support for bind lines
It's possible to replace a previously set ALPN but not to disable ALPN
if it was previously set. The new "no-alpn" setting allows to disable
a previously set ALPN setting by preparing an empty one that will be
replaced and freed when the config is validated.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 1b33eec..43ac3df 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1331,12 +1331,34 @@
return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
+/* parse the "no-alpn" ssl-bind keyword, storing an empty ALPN string */
+static int ssl_bind_parse_no_alpn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
+{
+ free(conf->alpn_str);
+ conf->alpn_len = 0;
+ conf->alpn_str = strdup("");
+
+ if (!conf->alpn_str) {
+ memprintf(err, "'%s' : out of memory", *args);
+ return ERR_ALERT | ERR_FATAL;
+ }
+ return 0;
+}
+
+/* parse the "no-alpn" bind keyword, storing an empty ALPN string */
+static int bind_parse_no_alpn(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_no_alpn(args, cur_arg, px, &conf->ssl_conf, 0, err);
+}
+
+
/* parse the "no-ca-names" bind keyword */
static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, int from_cli, char **err)
{
conf->no_ca_names = 1;
return 0;
}
+
static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
@@ -1984,6 +2006,7 @@
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+ { "no-alpn", ssl_bind_parse_no_alpn, 0 }, /* disable sending ALPN */
{ "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
@@ -2019,6 +2042,7 @@
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
+ { "no-alpn", bind_parse_no_alpn, 0 }, /* disable sending ALPN */
{ "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
diff --git a/src/cfgparse.c b/src/cfgparse.c
index a978721..ce9932b 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2932,6 +2932,12 @@
* HTTP/2 and absolutely require buffers 16kB or larger.
*/
#ifdef USE_OPENSSL
+ /* no-alpn ? If so, it's the right moment to remove it */
+ if (bind_conf->ssl_conf.alpn_str && !bind_conf->ssl_conf.alpn_len) {
+ free(bind_conf->ssl_conf.alpn_str);
+ bind_conf->ssl_conf.alpn_str = NULL;
+ }
+
if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
#ifdef OPENSSL_NPN_NEGOTIATED
/* check NPN */