MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c'
SSL fetches were renamed :
ssl_fc_* = Front Connection (attributes of the connection itself)
ssl_c_* = Client side certificate
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9270e16..c7c6b4b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8272,15 +8272,6 @@
through TCP request content inspection. Please see the "tcp-request content"
keyword for more detailed information on the subject.
-client_crt
- Returns true if a client certificate is present in an incoming connection over
- SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
-
-is_ssl
- Returns true when the incoming connection was made via an SSL/TLS transport
- layer and is locally deciphered. This means it has matched a socket declared
- with a "bind" line having the "ssl" option.
-
rep_ssl_hello_type <integer>
Returns true when data in the response buffer looks like a complete SSL (v3
or superior) hello message and handshake type is equal to <integer>.
@@ -8364,14 +8355,47 @@
SSL transport layer, so this will not work with "bind" lines having the "ssl"
option.
-ssl_has_sni
+ssl_c_ca_err <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer, and the ID of the first error detected during verification of the
+ client certificate at depth > 0 matches the specified value (check man verify
+ for possible values). Note that error zero means no error was encountered
+ during this verification process.
+
+ssl_c_ca_err_depth <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer, and the depth in the CA chain of the first error detected during the
+ verification of the client certificate matches the specified value. When no
+ error is found, depth 0 is returned.
+
+ssl_c_err <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer, and the ID of the first error detected during verification at depth==0
+ matches the specified value (check man verify for possible values). Note that
+ error zero means no error was encountered during this verification process.
+
+ssl_c_verify <integer>
+ Returns true when the incoming connection was made over an SSL/TLS transport
+ layer, and the verify result matches the specified value (check man verify
+ for possible values). Zero indicates no error was detected.
+
+ssl_fc
+ Returns true when the front connection was made via an SSL/TLS transport
+ layer and is locally deciphered. This means it has matched a socket declared
+ with a "bind" line having the "ssl" option.
+
+ssl_fc_has_crt
+ Returns true if a client certificate is present in an incoming connection over
+ SSL/TLS transport layer. Useful if 'verify' statement is set to 'optional'.
+
+ssl_fc_has_sni
This is used to check for presence of a Server Name Indication TLS extension
in an incoming connection was made over an SSL/TLS transport layer. Returns
true when the incoming connection presents a TLS SNI field. This requires
that the SSL library is build with support for TLS extensions enabled (check
haproxy -vv).
-ssl_npn <string>
+ssl_fc_npn <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Next Protocol Negociation TLS extension
sent by the client, matching the specified string. This requires that the SSL
@@ -8380,17 +8404,18 @@
the "bind" line specifies a protocol list. Also, nothing forces the client to
pick a protocol from this list, any other one may be requested.
-ssl_sni <string>
+ssl_fc_sni <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, matching the specified string. In HTTPS, the SNI field
(when present) is equal to the requested host name. This match is different
from "req_ssl_sni" above in that it applies to the connection being
deciphered by haproxy and not to SSL contents being blindly forwarded.
- See also "ssl_sni_end" and "ssl_sni_req" below. This requires that the SSL
- library is build with support for TLS extensions enabled (check haproxy -vv).
+ See also "ssl_fc_sni_end" and "ssl_fc_sni_req" below. This requires that the
+ SSL library is build with support for TLS extensions enabled (check
+ haproxy -vv).
-ssl_sni_end <string>
+ssl_fc_sni_end <string>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, ending like the specified string. In HTTPS, the SNI field
@@ -8400,7 +8425,7 @@
requires that the SSL library is build with support for TLS extensions
enabled (check haproxy -vv).
-ssl_sni_req <regex>
+ssl_fc_sni_reg <regex>
Returns true when the incoming connection was made over an SSL/TLS transport
layer which deciphered it and found a Server Name Indication TLS extension
sent by the client, matching the specified regex. In HTTPS, the SNI field
@@ -8410,25 +8435,6 @@
requires that the SSL library is build with support for TLS extensions
enabled (check haproxy -vv).
-ssl_verify_caerr <errorID>
- Returns true when the incoming connection was made over an SSL/TLS transport
- layer and the ID of the first error detected during verify at depth > 0 match
- the errorID.
-
-ssl_verify_caerr_depth <depth>
- Returns true when the incoming connection was made over an SSL/TLS transport
- layer and the depth of the first error detected during verify match the
- depth.
-
-ssl_verify_crterr <errorID>
- Returns true when the incoming connection was made over an SSL/TLS transport
- layer and the ID of the first error detected during verify at depth == 0
- match the errorID.
-
-ssl_verify_result <errorID>
- Returns true when the incoming connection was made over an SSL/TLS transport
- layer and the verify result match the errorID.
-
wait_end
Waits for the end of the analysis period to return true. This may be used in
conjunction with content analysis to avoid returning a wrong verdict early.
@@ -8969,9 +8975,6 @@
shared caches efficiency. Using this with a limited size stick
table also allows one to collect statistics about most commonly
requested objects by host/path.
- client_crt
- Returns 1 if a client certificate is present in an incoming
- connection over SSL/TLS transport layer, otherwise 0.
src This is the source IPv4 address of the client of the session.
It is of type IPv4 and works on both IPv4 and IPv6 tables.
@@ -9000,10 +9003,6 @@
last one. A typical use is with the X-Forwarded-For header once
converted to IP, associated with an IP stick-table.
- is_ssl This checks the transport layer used by incoming connection, and
- returns 1 if the connection was made via an SSL/TLS transport
- layer, otherwise zero.
-
path This extracts the request's URL path (without the host part). A
typical use is with prefetch-capable caches, and with portals
which need to aggregate multiple information from databases and
@@ -9031,41 +9030,49 @@
that this function will be useful but it's available at no cost.
It is of type integer and only works with such tables.
+ ssl_c_ca_err Returns the ID of the first error detected during verify of the
+ client certificate at depth > 0, or 0 if no error was detected.
+
- ssl_has_sni This checks the transport layer used by incoming connection, and
+ ssl_c_ca_err_depth
+ Returns the depth of the first error detected during verify. If
+ no error is encountered in the CA chain, zero is returned.
+
+ ssl_c_err Returns the ID of the first error detected during verify of the
+ client certificate at depth == 0, or 0 if no errors.
+
+ ssl_c_verify Returns the verify result errorID when the incoming connection
+ was made over an SSL/TLS transport layer, otherwise zero if no
+ error is encountered.
+
+ ssl_fc This checks the transport layer used on the front connection,
+ and returns 1 if it was made via an SSL/TLS transport layer,
+ otherwise zero.
+
+ ssl_fc_has_crt
+ Returns 1 if a client certificate is present in the front
+ connection over SSL/TLS transport layer, otherwise 0.
+
+ ssl_fc_has_sni
+ This checks the transport layer used by the front connection, and
returns 1 if the connection was made via an SSL/TLS transport
layer and the client sent a Server Name Indication TLS extension,
otherwise zero. This requires that the SSL library is build with
support for TLS extensions enabled (check haproxy -vv).
- ssl_npn This extracts the Next Protocol Negociation field from an
+ ssl_fc_npn This extracts the Next Protocol Negociation field from an
incoming connection made via an SSL/TLS transport layer and
locally deciphered by haproxy. The result is a string containing
the protocol name advertised by the client. The SSL library must
have been built with support for TLS extensions enabled (check
- haproxy -vv).
+ haproxy -vv). See also the "npn" bind keyword.
- ssl_sni This extracts the Server Name Indication field from an incoming
+ ssl_fc_sni This extracts the Server Name Indication field from an incoming
connection made via an SSL/TLS transport layer and locally
deciphered by haproxy. The result typically is a string matching
the HTTPS host name (253 chars or less). The SSL library must
have been built with support for TLS extensions enabled (check
haproxy -vv).
- ssl_verify_caerr
- Returns the ID of the first error detected during verify at
- depth > 0 or 0 if no errors.
-
- ssl_verify_caerr_depth
- Returns the depth of the first error detected during verify.
-
- ssl_verify_crterr
- Returns the ID of the first error detected during verify at
- depth == 0 or 0 if no errors.
-
- ssl_verify_result
- Returns the verify result errorID when the incoming connection
- was made over an SSL/TLS transport layer.
-
url This extracts the request's URL as presented in the request. A
typical use is with prefetch-capable caches, and with portals
which need to aggregate multiple information from databases and
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9c60679..ce0c67d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1099,8 +1099,8 @@
/* boolean, returns true if client cert was present */
static int
-smp_fetch_client_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@@ -1118,9 +1118,9 @@
}
-/* boolean, returns true if transport layer is SSL */
+/* boolean, returns true if front conn. transport layer is SSL */
static int
-smp_fetch_is_ssl(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_fc(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
smp->type = SMP_T_BOOL;
@@ -1128,10 +1128,10 @@
return 1;
}
-/* boolean, returns true if transport layer is SSL */
+/* boolean, returns true if client present a SNI */
static int
-smp_fetch_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_has_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
smp->type = SMP_T_BOOL;
@@ -1146,8 +1146,8 @@
#ifdef OPENSSL_NPN_NEGOTIATED
static int
-smp_fetch_ssl_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_npn(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
smp->flags = 0;
smp->type = SMP_T_CSTR;
@@ -1167,8 +1167,8 @@
#endif
static int
-smp_fetch_ssl_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_fc_sni(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
smp->flags = 0;
@@ -1188,9 +1188,9 @@
#endif
}
-/* integer, returns the first verify error ID in CA */
+/* integer, returns the first verify error in CA chain of client certificate chain. */
static int
-smp_fetch_verify_caerr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_c_ca_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@@ -1208,9 +1208,9 @@
return 1;
}
-/* integer, returns the depth of the first verify error in CA */
+/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
static int
-smp_fetch_verify_caerr_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+smp_fetch_ssl_c_ca_err_depth(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
@@ -1228,10 +1228,10 @@
return 1;
}
-/* integer, returns the depth of the first verify error in CA */
+/* integer, returns the first verify error on client certificate */
static int
-smp_fetch_verify_crterr(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_c_err(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@@ -1248,10 +1248,10 @@
return 1;
}
-/* integer, returns the verify result */
+/* integer, returns the verify result on client cert */
static int
-smp_fetch_verify_result(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
- const struct arg *args, struct sample *smp)
+smp_fetch_ssl_c_verify(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp)
{
if (!l4 || l4->si[0].conn.xprt != &ssl_sock)
return 0;
@@ -1755,17 +1755,17 @@
* Please take care of keeping this list alphabetically sorted.
*/
static struct sample_fetch_kw_list sample_fetch_keywords = {{ },{
- { "client_crt", smp_fetch_client_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
- { "is_ssl", smp_fetch_is_ssl, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
- { "ssl_has_sni", smp_fetch_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_CAP_REQ|SMP_CAP_RES },
#ifdef OPENSSL_NPN_NEGOTIATED
- { "ssl_npn", smp_fetch_ssl_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
#endif
- { "ssl_sni", smp_fetch_ssl_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
- { "ssl_verify_caerr", smp_fetch_verify_caerr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
- { "ssl_verify_caerr_depth", smp_fetch_verify_caerr_depth, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
- { "ssl_verify_crterr", smp_fetch_verify_crterr, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
- { "ssl_verify_result", smp_fetch_verify_result, 0, NULL, SMP_T_UINT, SMP_CAP_REQ|SMP_CAP_RES },
+ { "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_CSTR, SMP_CAP_REQ|SMP_CAP_RES },
{ NULL, NULL, 0, 0, 0 },
}};
@@ -1773,19 +1773,19 @@
* Please take care of keeping this list alphabetically sorted.
*/
static struct acl_kw_list acl_kws = {{ },{
- { "client_crt", acl_parse_int, smp_fetch_client_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "is_ssl", acl_parse_int, smp_fetch_is_ssl, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_has_sni", acl_parse_int, smp_fetch_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
+ { "ssl_c_ca_err", acl_parse_int, smp_fetch_ssl_c_ca_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_c_ca_err_depth", acl_parse_int, smp_fetch_ssl_c_ca_err_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_c_err", acl_parse_int, smp_fetch_ssl_c_err, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_c_verify", acl_parse_int, smp_fetch_ssl_c_verify, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc", acl_parse_int, smp_fetch_ssl_fc, acl_match_nothing, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_has_crt", acl_parse_int, smp_fetch_ssl_fc_has_crt, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
+ { "ssl_fc_has_sni", acl_parse_int, smp_fetch_ssl_fc_has_sni, acl_match_nothing, ACL_USE_L6REQ_PERMANENT, 0 },
#ifdef OPENSSL_NPN_NEGOTIATED
- { "ssl_npn", acl_parse_str, smp_fetch_ssl_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_npn", acl_parse_str, smp_fetch_ssl_fc_npn, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
#endif
- { "ssl_sni", acl_parse_str, smp_fetch_ssl_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_sni_end", acl_parse_str, smp_fetch_ssl_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
- { "ssl_sni_reg", acl_parse_reg, smp_fetch_ssl_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
- { "ssl_verify_caerr", acl_parse_int, smp_fetch_verify_caerr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_verify_caerr_depth", acl_parse_int, smp_fetch_verify_caerr_depth, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_verify_crterr", acl_parse_int, smp_fetch_verify_crterr, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
- { "ssl_verify_result", acl_parse_int, smp_fetch_verify_result, acl_match_int, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_sni", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_str, ACL_USE_L6REQ_PERMANENT|ACL_MAY_LOOKUP, 0 },
+ { "ssl_fc_sni_end", acl_parse_str, smp_fetch_ssl_fc_sni, acl_match_end, ACL_USE_L6REQ_PERMANENT, 0 },
+ { "ssl_fc_sni_reg", acl_parse_reg, smp_fetch_ssl_fc_sni, acl_match_reg, ACL_USE_L6REQ_PERMANENT, 0 },
{ NULL, NULL, NULL, NULL },
}};