Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 34897d2eff6a2f11a6586bd05e6ea7c90b77542a^! / .
commit34897d2eff6a2f11a6586bd05e6ea7c90b77542a[log] [tgz]
authorAmaury Denoyelle <adenoyelle@haproxy.com>Wed May 19 09:49:41 2021 +0200
committerAmaury Denoyelle <adenoyelle@haproxy.com>Fri Jun 18 16:42:26 2021 +0200
tree73f2d1b739e7c980ac5d1e555984e63632a285ea
parent71f9a06e4baf8750714a2386e9290c2f0d1d1305 [diff]
MINOR: ssl: support ssl keyword for dynamic servers

Activate the 'ssl' keyword for dynamic servers. This is the final step
to have ssl dynamic servers feature implemented. If activated,
ssl_sock_prepare_srv_ctx will be called at the end of the 'add server'
CLI handler.

At the same time, update the management doc to list all ssl keywords
implemented for dynamic servers.

diff --git a/doc/management.txt b/doc/management.txt
index 932981b..7abfc85 100644
--- a/doc/management.txt
+++ b/doc/management.txt

@@ -1472,13 +1472,25 @@
 
   Here is the list of the currently supported keywords :
 
+  - allow-0rtt
+  - alpn
   - backup
+  - ca-file
+  - ciphers
+  - ciphersuites
+  - crl-file
+  - crt
   - disabled
   - enabled
+  - force-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
   - id
   - maxconn
   - maxqueue
   - minconn
+  - no-ssl-reuse
+  - no-sslv3/tlsv10/tlsv11/tlsv12/tlsv13
+  - no-tls-tickets
+  - npn
   - pool-low-conn
   - pool-max-conn
   - pool-purge-delay
@@ -1486,9 +1498,18 @@
   - proxy-v2-options
   - send-proxy
   - send-proxy-v2
+  - send-proxy-v2-ssl
+  - send-proxy-v2-ssl-cn
+  - sni
   - source
+  - ssl
+  - ssl-max-ver
+  - ssl-min-ver
   - tfo
+  - tls-tickets
   - usesrc
+  - verify
+  - verifyhost
   - weight
 
   Their syntax is similar to the server line from the configuration file,

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 7aa8efa..6df5911 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c

@@ -1911,7 +1911,7 @@
 	{ "send-proxy-v2-ssl",       srv_parse_send_proxy_ssl,     0, 1, 1 }, /* send PROXY protocol header v2 with SSL info */
 	{ "send-proxy-v2-ssl-cn",    srv_parse_send_proxy_cn,      0, 1, 1 }, /* send PROXY protocol header v2 with CN */
 	{ "sni",                     srv_parse_sni,                1, 1, 1 }, /* send SNI extension */
-	{ "ssl",                     srv_parse_ssl,                0, 1, 0 }, /* enable SSL processing */
+	{ "ssl",                     srv_parse_ssl,                0, 1, 1 }, /* enable SSL processing */
 	{ "ssl-min-ver",             srv_parse_tls_method_minmax,  1, 1, 1 }, /* minimum version */
 	{ "ssl-max-ver",             srv_parse_tls_method_minmax,  1, 1, 1 }, /* maximum version */
 	{ "ssl-reuse",               srv_parse_ssl_reuse,          0, 1, 0 }, /* enable session reuse */

diff --git a/src/server.c b/src/server.c
index 4a4c3c8..96390e8 100644
--- a/src/server.c
+++ b/src/server.c

@@ -4491,6 +4491,13 @@
 		goto out;
 	}
 
+	if (srv->use_ssl == 1) {
+		if (xprt_get(XPRT_SSL) && xprt_get(XPRT_SSL)->prepare_srv) {
+			if (xprt_get(XPRT_SSL)->prepare_srv(srv))
+				goto out;
+		}
+	}
+
 	/* Attach the server to the end of the proxy linked list. Note that this
 	 * operation is not thread-safe so this is executed under thread
 	 * isolation.