Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 415150f7640b06740fa832363d186c5c6565338e^! / . / include
commit415150f7640b06740fa832363d186c5c6565338e[log] [tgz]
authorDirkjan Bussink <d.bussink@gmail.com>Fri Sep 14 11:14:21 2018 +0200
committerWilly Tarreau <w@1wt.eu>Mon Oct 08 19:20:13 2018 +0200
treef2f682f6edcb4110586e2a6a7b667b2e9eee8e4a
parent363c745569b6ffd8f095d2b7758131d08aa27219 [diff]
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3

OpenSSL released support for TLSv1.3. It also added a separate function
SSL_CTX_set_ciphersuites that is used to set the ciphers used in the
TLS 1.3 handshake. This change adds support for that new configuration
option by adding a ciphersuites configuration variable that works
essentially the same as the existing ciphers setting.

Note that it should likely be backported to 1.8 in order to ease usage
of the now released openssl-1.1.1.

diff --git a/include/common/defaults.h b/include/common/defaults.h
index f5c74db..b2c2583 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h

@@ -239,11 +239,21 @@
 #define CONNECT_DEFAULT_CIPHERS NULL
 #endif
 
+/* ciphers used as defaults on TLS 1.3 connect */
+#ifndef CONNECT_DEFAULT_CIPHERSUITES
+#define CONNECT_DEFAULT_CIPHERSUITES NULL
+#endif
+
 /* ciphers used as defaults on listeners */
 #ifndef LISTEN_DEFAULT_CIPHERS
 #define LISTEN_DEFAULT_CIPHERS NULL
 #endif
 
+/* cipher suites used as defaults on TLS 1.3 listeners */
+#ifndef LISTEN_DEFAULT_CIPHERSUITES
+#define LISTEN_DEFAULT_CIPHERSUITES NULL
+#endif
+
 /* named curve used as defaults for ECDHE ciphers */
 #ifndef ECDHE_DEFAULT_CURVE
 #define ECDHE_DEFAULT_CURVE "prime256v1"

diff --git a/include/types/listener.h b/include/types/listener.h
index 816d111..50f1936 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h

@@ -129,6 +129,9 @@
 	char *ca_file;             /* CAfile to use on verify */
 	char *crl_file;            /* CRLfile to use on verify */
 	char *ciphers;             /* cipher suite to use if non-null */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+	char *ciphersuites;        /* TLS 1.3 cipher suite to use if non-null */
+#endif
 	char *curves;	           /* curves suite to use for ECDHE */
 	char *ecdhe;               /* named curve to use for ECDHE */
 	struct tls_version_filter ssl_methods; /* ssl methods */

diff --git a/include/types/server.h b/include/types/server.h
index 8adc29b..a2e11c3 100644
--- a/include/types/server.h
+++ b/include/types/server.h

@@ -288,6 +288,9 @@
 			int allocated_size;
 		} * reused_sess;
 		char *ciphers;			/* cipher suite to use if non-null */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+		char *ciphersuites;			/* TLS 1.3 cipher suite to use if non-null */
+#endif
 		int options;			/* ssl options */
 		int verify;			/* verify method (set of SSL_VERIFY_* flags) */
 		struct tls_version_filter methods;	/* ssl methods */