MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size
Deprecate tune.ssl.capture-cipherlist-size in favor of
tune.ssl.capture-buffer-size which better describes the purpose of the
setting.
diff --git a/.github/h2spec.config b/.github/h2spec.config
index a7b34ce..745a637 100644
--- a/.github/h2spec.config
+++ b/.github/h2spec.config
@@ -1,7 +1,7 @@
global
log stdout local0
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
defaults
mode http
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 9c1e2b2..bac18ab 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1110,7 +1110,8 @@
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- - tune.ssl.capture-cipherlist-size
+ - tune.ssl.capture-buffer-size
+ - tune.ssl.capture-cipherlist-size (deprecated)
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
@@ -2805,7 +2806,8 @@
dynamically is expensive, they are cached. The default cache size is set to
1000 entries.
-tune.ssl.capture-cipherlist-size <number>
+tune.ssl.capture-buffer-size <number>
+tune.ssl.capture-cipherlist-size <number> (deprecated)
Sets the maximum size of the buffer used for capturing client hello cipher
list, extensions list, elliptic curves list and elliptic curve point
formats. If the value is 0 (default value) the capture is disabled,
@@ -18905,7 +18907,7 @@
ssl_fc_cipherlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
@@ -18924,16 +18926,15 @@
ssl_fc_cipherlist_hex([<filter_option>]) : string
Returns the binary form of the client hello cipher list encoded as
hexadecimal. The maximum returned value length is limited by the shared
- capture buffer size controlled by "tune.ssl.capture-cipherlist-size"
- setting. Setting <filter_option> allows to filter returned data. Accepted
- values:
+ capture buffer size controlled by "tune.ssl.capture-buffer-size" setting.
+ Setting <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_str([<filter_option>]) : string
Returns the decoded text form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
@@ -18943,13 +18944,13 @@
ssl_fc_cipherlist_xxh : integer
Returns a xxh64 of the cipher list. This hash can return only if the value
- "tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash
- take into account all the data of the cipher list.
+ "tune.ssl.capture-buffer-size" is set greater than 0, however the hash take
+ into account all the data of the cipher list.
ssl_fc_ecformats_bin : binary
Return the binary form of the client hello supported elliptic curve point
formats. The maximum returned value length is limited by the shared capture
- buffer size controlled by "tune.ssl.capture-cipherlist-size" setting.
+ buffer size controlled by "tune.ssl.capture-buffer-size" setting.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
@@ -18965,7 +18966,7 @@
ssl_fc_eclist_bin([<filter_option>]) : binary
Returns the binary form of the client hello supported elliptic curves. The
maximum returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of supported elliptic curves (default)
1 : exclude GREASE (RFC8701) values from the output
@@ -18984,7 +18985,7 @@
ssl_fc_extlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello extension list. The maximum
returned value length is limited by the shared capture buffer size
- controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
+ controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of extensions (default)
1 : exclude GREASE (RFC8701) values from the output
@@ -19111,8 +19112,8 @@
ssl_fc_protocol_hello_id : integer
The version of the TLS protocol by which the client wishes to communicate
during the session as indicated in client hello message. This value can
- return only if the value "tune.ssl.capture-cipherlist-size" is set greater
- than 0.
+ return only if the value "tune.ssl.capture-buffer-size" is set greater than
+ 0.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 321d7b7..f3ed909 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -276,7 +276,7 @@
unsigned int max_record; /* SSL max record size */
unsigned int default_dh_param; /* SSL maximum DH parameter size */
int ctx_cache; /* max number of entries in the ssl_ctx cache. */
- int capture_cipherlist; /* Size of the cipherlist buffer. */
+ int capture_buffer_size; /* Size of the capture buffer. */
int keylog; /* activate keylog */
int extra_files; /* which files not defined in the configuration file are we looking for */
int extra_files_noext; /* whether we remove the extension when looking up a extra file */
diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc
index 7aae233..d3f8d75 100644
--- a/reg-tests/ssl/add_ssl_crt-list.vtc
+++ b/reg-tests/ssl/add_ssl_crt-list.vtc
@@ -24,7 +24,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
diff --git a/reg-tests/ssl/del_ssl_crt-list.vtc b/reg-tests/ssl/del_ssl_crt-list.vtc
index 4bf89f9..4815e2d 100644
--- a/reg-tests/ssl/del_ssl_crt-list.vtc
+++ b/reg-tests/ssl/del_ssl_crt-list.vtc
@@ -22,7 +22,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc
index 1b5bef1..b6cbc20 100644
--- a/reg-tests/ssl/new_del_ssl_cafile.vtc
+++ b/reg-tests/ssl/new_del_ssl_cafile.vtc
@@ -22,7 +22,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
diff --git a/reg-tests/ssl/new_del_ssl_crlfile.vtc b/reg-tests/ssl/new_del_ssl_crlfile.vtc
index 54bbdc2..7330163 100644
--- a/reg-tests/ssl/new_del_ssl_crlfile.vtc
+++ b/reg-tests/ssl/new_del_ssl_crlfile.vtc
@@ -22,7 +22,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc
index 72ce3e6..0b5c3ba 100644
--- a/reg-tests/ssl/set_ssl_cafile.vtc
+++ b/reg-tests/ssl/set_ssl_cafile.vtc
@@ -28,7 +28,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc
index 85684bc..6938b20 100644
--- a/reg-tests/ssl/set_ssl_cert.vtc
+++ b/reg-tests/ssl/set_ssl_cert.vtc
@@ -33,7 +33,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
diff --git a/reg-tests/ssl/set_ssl_cert_bundle.vtc b/reg-tests/ssl/set_ssl_cert_bundle.vtc
index 218f7bf..11abdaf 100644
--- a/reg-tests/ssl/set_ssl_cert_bundle.vtc
+++ b/reg-tests/ssl/set_ssl_cert_bundle.vtc
@@ -28,7 +28,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
diff --git a/reg-tests/ssl/set_ssl_cert_noext.vtc b/reg-tests/ssl/set_ssl_cert_noext.vtc
index b7bafa8..0947fe0 100644
--- a/reg-tests/ssl/set_ssl_cert_noext.vtc
+++ b/reg-tests/ssl/set_ssl_cert_noext.vtc
@@ -25,7 +25,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
ssl-load-extra-del-ext
stats socket "${tmpdir}/h1/stats" level admin
diff --git a/reg-tests/ssl/set_ssl_crlfile.vtc b/reg-tests/ssl/set_ssl_crlfile.vtc
index f6d97ce..ce83ff7 100644
--- a/reg-tests/ssl/set_ssl_crlfile.vtc
+++ b/reg-tests/ssl/set_ssl_crlfile.vtc
@@ -31,7 +31,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc
index 3fccaa6..880e7b0 100644
--- a/reg-tests/ssl/set_ssl_server_cert.vtc
+++ b/reg-tests/ssl/set_ssl_server_cert.vtc
@@ -17,7 +17,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
nbthread 1
diff --git a/reg-tests/ssl/show_ssl_ocspresponse.vtc b/reg-tests/ssl/show_ssl_ocspresponse.vtc
index 387f36a..d2a9345 100644
--- a/reg-tests/ssl/show_ssl_ocspresponse.vtc
+++ b/reg-tests/ssl/show_ssl_ocspresponse.vtc
@@ -27,7 +27,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
diff --git a/reg-tests/ssl/ssl_client_samples.vtc b/reg-tests/ssl/ssl_client_samples.vtc
index 83662be..2b6fd5b 100644
--- a/reg-tests/ssl/ssl_client_samples.vtc
+++ b/reg-tests/ssl/ssl_client_samples.vtc
@@ -13,7 +13,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults
diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc
index 607225d..32179b1 100644
--- a/reg-tests/ssl/ssl_default_server.vtc
+++ b/reg-tests/ssl/ssl_default_server.vtc
@@ -23,7 +23,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
ca-base ${testdir}
diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc
index 0d652d4..d8fea43 100644
--- a/reg-tests/ssl/ssl_errors.vtc
+++ b/reg-tests/ssl/ssl_errors.vtc
@@ -106,7 +106,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults
diff --git a/reg-tests/ssl/ssl_frontend_samples.vtc b/reg-tests/ssl/ssl_frontend_samples.vtc
index bca0856..92eec6a 100644
--- a/reg-tests/ssl/ssl_frontend_samples.vtc
+++ b/reg-tests/ssl/ssl_frontend_samples.vtc
@@ -12,7 +12,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults
diff --git a/reg-tests/ssl/ssl_server_samples.vtc b/reg-tests/ssl/ssl_server_samples.vtc
index 136ccaf..17b1bc4 100644
--- a/reg-tests/ssl/ssl_server_samples.vtc
+++ b/reg-tests/ssl/ssl_server_samples.vtc
@@ -13,7 +13,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin
diff --git a/reg-tests/ssl/wrong_ctx_storage.vtc b/reg-tests/ssl/wrong_ctx_storage.vtc
index 7dc7528..c6cb19a 100644
--- a/reg-tests/ssl/wrong_ctx_storage.vtc
+++ b/reg-tests/ssl/wrong_ctx_storage.vtc
@@ -25,7 +25,7 @@
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
- tune.ssl.capture-cipherlist-size 1
+ tune.ssl.capture-buffer-size 1
listen frt
mode http
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 6df5911..0ca8cab 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -272,8 +272,13 @@
target = &global_ssl.ctx_cache;
else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn;
- else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0)
- target = &global_ssl.capture_cipherlist;
+ else if (strcmp(args[0], "tune.ssl.capture-buffer-size") == 0)
+ target = &global_ssl.capture_buffer_size;
+ else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) {
+ target = &global_ssl.capture_buffer_size;
+ ha_warning("parsing [%s:%d]: '%s' is deprecated and will be removed in version 2.7. Please use 'tune.ssl.capture-buffer-size' instead.\n",
+ file, line, args[0]);
+ }
else {
memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]);
return -1;
@@ -295,9 +300,9 @@
return 0;
}
-static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx,
- const struct proxy *defpx, const char *file, int line,
- char **err)
+static int ssl_parse_global_capture_buffer(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
{
int ret;
@@ -310,7 +315,7 @@
return -1;
}
- pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED);
+ pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_buffer_size, MEM_F_SHARED);
if (!pool_head_ssl_capture) {
memprintf(err, "Out of memory error.");
return -1;
@@ -1946,7 +1951,8 @@
{ CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
- { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
+ { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_buffer },
+ { CFG_GLOBAL, "tune.ssl.capture-buffer-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b8914a7..ae30c2c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -124,7 +124,7 @@
#endif
.default_dh_param = SSL_DEFAULT_DH_PARAM,
.ctx_cache = DEFAULT_SSL_CTX_CACHE,
- .capture_cipherlist = 0,
+ .capture_buffer_size = 0,
.extra_files = SSL_GF_ALL,
.extra_files_noext = 0,
#ifdef HAVE_SSL_KEYLOG
@@ -556,7 +556,7 @@
if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat))
return ERR_ABORT;
#endif
- if (global_ssl.capture_cipherlist > 0) {
+ if (global_ssl.capture_buffer_size > 0) {
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
return ERR_ABORT;
}
@@ -1795,7 +1795,7 @@
capture->xxh64 = XXH64(msg, rec_len, 0);
/* Capture the ciphersuite. */
- capture->ciphersuite_len = MIN(global_ssl.capture_cipherlist, rec_len);
+ capture->ciphersuite_len = MIN(global_ssl.capture_buffer_size, rec_len);
capture->ciphersuite_offset = 0;
memcpy(capture->data, msg, capture->ciphersuite_len);
msg += rec_len;
@@ -1827,7 +1827,7 @@
/* Parse each extension */
while (msg + 4 < extensions_end) {
/* Add 2 bytes of extension_id */
- if (global_ssl.capture_cipherlist >= offset + 2) {
+ if (global_ssl.capture_buffer_size >= offset + 2) {
capture->data[offset++] = msg[0];
capture->data[offset++] = msg[1];
capture->extensions_len += 2;
@@ -1880,8 +1880,8 @@
if (ec_start) {
rec_len = ec_len;
- if (offset + rec_len > global_ssl.capture_cipherlist)
- rec_len = global_ssl.capture_cipherlist - offset;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_start, rec_len);
capture->ec_offset = offset;
capture->ec_len = rec_len;
@@ -1889,8 +1889,8 @@
}
if (ec_formats_start) {
rec_len = ec_formats_len;
- if (offset + rec_len > global_ssl.capture_cipherlist)
- rec_len = global_ssl.capture_cipherlist - offset;
+ if (offset + rec_len > global_ssl.capture_buffer_size)
+ rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_formats_start, rec_len);
capture->ec_formats_offset = offset;
capture->ec_formats_len = rec_len;