Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 340ae606af030b031725cc2556987890a64b4c99^! / . / src / ssl_sock.c
commit340ae606af030b031725cc2556987890a64b4c99[log] [tgz]
authorFrédéric Lécaille <flecaille@haproxy.com>Mon Mar 13 10:38:04 2017 +0100
committerWilly Tarreau <w@1wt.eu>Mon Mar 27 14:36:12 2017 +0200
treebd4e26577c65a1e30a2d8750dda5c4e30ab75abe
parent31045e4c106867eba0bc0b6f747b1206a5c9f6bb [diff] [blame]
MINOR: server: Make 'default-server' support 'check-ssl' keyword.

This patch makes 'default-server' directive support 'check-ssl' setting
to enable SSL for health checks.
A new keyword 'no-check-ssl' has been added to disable this setting both in
'server' and 'default-server' directives.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1e63c57..ff3f6c6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -6532,6 +6532,16 @@
 #endif
 }
 
+/* parse the "no-check-ssl" server keyword */
+static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+	newsrv->check.use_ssl = 0;
+	free(newsrv->ssl_ctx.ciphers);
+	newsrv->ssl_ctx.ciphers = NULL;
+	newsrv->ssl_ctx.options &= ~global_ssl.connect_default_ssloptions;
+	return 0;
+}
+
 /* parse the "no-ssl-reuse" server keyword */
 static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -7361,7 +7371,7 @@
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "ca-file",               srv_parse_ca_file,        1, 0 }, /* set CAfile to process verify server cert */
-	{ "check-ssl",             srv_parse_check_ssl,      0, 0 }, /* enable SSL for health checks */
+	{ "check-ssl",             srv_parse_check_ssl,      0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",               srv_parse_ciphers,        1, 0 }, /* select the cipher suite */
 	{ "crl-file",              srv_parse_crl_file,       1, 0 }, /* set certificate revocation list file use on server cert verify */
 	{ "crt",                   srv_parse_crt,            1, 0 }, /* set client certificate */
@@ -7369,6 +7379,7 @@
 	{ "force-tlsv10",          srv_parse_force_tlsv10,   0, 0 }, /* force TLSv10 */
 	{ "force-tlsv11",          srv_parse_force_tlsv11,   0, 0 }, /* force TLSv11 */
 	{ "force-tlsv12",          srv_parse_force_tlsv12,   0, 0 }, /* force TLSv12 */
+	{ "no-check-ssl",          srv_parse_no_check_ssl,   0, 1 }, /* disable SSL for health checks */
 	{ "no-ssl-reuse",          srv_parse_no_ssl_reuse,   0, 0 }, /* disable session reuse */
 	{ "no-sslv3",              srv_parse_no_sslv3,       0, 0 }, /* disable SSLv3 */
 	{ "no-tlsv10",             srv_parse_no_tlsv10,      0, 0 }, /* disable TLSv10 */