MINOR: ssl: add statement to force some ssl options in global.
Adds global statements 'ssl-default-server-options' and
'ssl-default-bind-options' to force on 'server' and 'bind' lines
some ssl options.
Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11',
'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11',
'force-tlsv12', and 'no-tls-tickets'.
Example:
global
ssl-default-server-options no-sslv3
ssl-default-bind-options no-sslv3
(cherry picked from commit 2c86cbf7539af2008d61780b14f37ea8c46c2192)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3d019e9..e29d655 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -657,6 +657,15 @@
as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
"bind" keyword for more information.
+ssl-default-bind-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "bind" lines. Please check the "bind"
+ keyword to see available options.
+
+ Example:
+ global
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+
ssl-default-server-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It
sets the default string describing the list of cipher algorithms that are
@@ -665,6 +674,11 @@
defined in "man 1 ciphers". Please check the "server" keyword for more
information.
+ssl-default-server-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "server" lines. Please check the "server"
+ keyword to see available options.
+
ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if
@@ -8379,19 +8393,23 @@
force-sslv3
This option enforces use of SSLv3 only on SSL connections instantiated from
this listener. SSLv3 is generally less expensive than the TLS counterparts
- for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+ for high connection rates. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv10
This option enforces use of TLSv1.0 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv11
This option enforces use of TLSv1.1 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
force-tlsv12
This option enforces use of TLSv1.2 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also
@@ -8484,35 +8502,40 @@
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option. See also "force-tls*",
+ be enabled using any configuration option. This option is also available on
+ global statement "ssl-default-bind-options". See also "force-tls*",
and "force-sslv3".
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage.
+ session resumption is more expensive in CPU usage. This option is also
+ available on global statement "ssl-default-bind-options".
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.0 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv11
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.1 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv12
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.2 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
npn <protocols>
This enables the NPN TLS extension and advertises the specified protocol list
@@ -8845,25 +8868,29 @@
force-sslv3
This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for
- high connection rates. See also "no-tlsv*", "no-sslv3".
+ high connection rates. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
@@ -8951,7 +8978,8 @@
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage for servers.
+ session resumption is more expensive in CPU usage for servers. This option
+ is also available on global statement "ssl-default-server-options".
Supported in default-server: No
@@ -8959,8 +8987,9 @@
This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8968,8 +8997,9 @@
This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8977,8 +9007,9 @@
This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
diff --git a/include/types/global.h b/include/types/global.h
index 77df1dd..f1525ae 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -85,6 +85,8 @@
int maxsslconn;
char *listen_default_ciphers;
char *connect_default_ciphers;
+ int listen_default_ssloptions;
+ int connect_default_ssloptions;
#endif
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 938e534..f1616ca 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,7 @@
#include <common/standard.h>
#include <common/ticks.h>
#include <common/time.h>
+#include <common/cfgparse.h>
#include <ebsttree.h>
@@ -4109,6 +4110,7 @@
if (global.listen_default_ciphers && !conf->ciphers)
conf->ciphers = strdup(global.listen_default_ciphers);
+ conf->ssl_options |= global.listen_default_ssloptions;
list_for_each_entry(l, &conf->listeners, by_bind)
l->xprt = &ssl_sock;
@@ -4173,6 +4175,7 @@
newsrv->check.use_ssl = 1;
if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
+ newsrv->ssl_ctx.options |= global.connect_default_ssloptions;
return 0;
}
@@ -4366,6 +4369,106 @@
return 0;
}
+/* parse the "ssl-default-bind-options" keyword in global section */
+static int ssl_parse_default_bind_options(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err) {
+ int i = 1;
+
+ if (*(args[i]) == 0) {
+ memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+ return -1;
+ }
+ while (*(args[i])) {
+ if (!strcmp(args[i], "no-sslv3"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
+ else if (!strcmp(args[i], "no-tlsv10"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
+ else if (!strcmp(args[i], "no-tlsv11"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
+ else if (!strcmp(args[i], "no-tlsv12"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
+ else if (!strcmp(args[i], "force-sslv3"))
+ global.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
+ else if (!strcmp(args[i], "force-tlsv10"))
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
+ else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "no-tls-tickets"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+ else {
+ memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+ return -1;
+ }
+ i++;
+ }
+ return 0;
+}
+
+/* parse the "ssl-default-server-options" keyword in global section */
+static int ssl_parse_default_server_options(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err) {
+ int i = 1;
+
+ if (*(args[i]) == 0) {
+ memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+ return -1;
+ }
+ while (*(args[i])) {
+ if (!strcmp(args[i], "no-sslv3"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
+ else if (!strcmp(args[i], "no-tlsv10"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
+ else if (!strcmp(args[i], "no-tlsv11"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
+ else if (!strcmp(args[i], "no-tlsv12"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
+ else if (!strcmp(args[i], "force-sslv3"))
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
+ else if (!strcmp(args[i], "force-tlsv10"))
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
+ else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "no-tls-tickets"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
+ else {
+ memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+ return -1;
+ }
+ i++;
+ }
+ return 0;
+}
+
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted.
*/
@@ -4493,6 +4596,12 @@
{ NULL, NULL, 0, 0 },
}};
+static struct cfg_kw_list cfg_kws = {ILH, {
+ { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
+ { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
+ { 0, NULL, NULL },
+}};
+
/* transport-layer operations for SSL sockets */
struct xprt_ops ssl_sock = {
.snd_buf = ssl_sock_from_buf,
@@ -4520,6 +4629,8 @@
global.listen_default_ciphers = strdup(global.listen_default_ciphers);
if (global.connect_default_ciphers)
global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+ global.listen_default_ssloptions = BC_SSL_O_NONE;
+ global.connect_default_ssloptions = SRV_SSL_O_NONE;
SSL_library_init();
cm = SSL_COMP_get_compression_methods();
@@ -4528,6 +4639,7 @@
acl_register_keywords(&acl_kws);
bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws);
+ cfg_register_keywords(&cfg_kws);
}
/*