MINOR: ssl: set ssl-min-ver in ambiguous configurations

Using ssl-max-ver without ssl-min-ver is ambiguous.

When the ssl-min-ver is not configured, and ssl-max-ver is set to a
value lower than the default ssl-min-ver (which is TLSv1.2 currently),
set the ssl-min-ver to the value of ssl-max-ver, and emit a warning.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 0a6086c..837862c 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12568,13 +12568,16 @@
 
 ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
   This option enforces use of <version> or lower on SSL connections instantiated
-  from this listener. This option is also available on global statement
+  from this listener. Using this setting without "ssl-min-ver" can be
+  ambiguous because the default ssl-min-ver value could change in future HAProxy
+  versions. This option is also available on global statement
   "ssl-default-bind-options". See also "ssl-min-ver".
 
 ssl-min-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
-  This option enforces use of <version> or upper on SSL connections instantiated
-  from this listener. This option is also available on global statement
-  "ssl-default-bind-options". See also "ssl-max-ver".
+  This option enforces use of <version> or upper on SSL connections
+  instantiated from this listener. The default value is "TLSv1.2". This option
+  is also available on global statement "ssl-default-bind-options".
+  See also "ssl-max-ver".
 
 strict-sni
   This setting is only available when support for OpenSSL was built in. The
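Review bot: The new ssl-max-ver text says the setting is "ambiguous" without ssl-min-ver but does not say what HAProxy then does. The commit message describes the behaviour: when ssl-min-ver is not configured and ssl-max-ver is lower than the default ssl-min-ver, ssl-min-ver is set to the ssl-max-ver value and a warning is emitted. A sentence to that effect belongs in this paragraph, so that an operator who sets only "ssl-max-ver TLSv1.1" can see from the documentation that the listener ends up with TLSv1.1 as both minimum and maximum. Minor wording point in the ssl-min-ver paragraph: "or upper" would read better as "or higher", since the lines are being re-wrapped anyway.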
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b52f2ec..8f16463 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3650,6 +3650,7 @@
 	int i, min, max, hole;
 	int flags = MC_SSL_O_ALL;
 	int cfgerr = 0;
+	const int default_min_ver = CONF_TLSV12;
 
 	ctx = SSL_CTX_new(SSLv23_server_method());
 	bind_conf->initial_ctx = ctx;
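Review bot: default_min_ver is declared as a function-local const here, while the same default is now also stated in doc/configuration.txt ("The default value is "TLSv1.2""). Consider a file-level define or a named constant next to the CONF_TLSV* values, so there is a single place to change when the default moves and any other code that needs the default does not have to repeat CONF_TLSV12.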
@@ -3663,9 +3664,18 @@
 
 	min = conf_ssl_methods->min;
 	max = conf_ssl_methods->max;
-	/* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */
-	if (!min && (!max || max >= CONF_TLSV12))
-		min = CONF_TLSV12;
+
+	/* default minimum is TLSV12,  */
+	if (!min) {
+		if (!max || (max >= default_min_ver)) {
+			min = default_min_ver;
+		} else {
+			ha_warning("Proxy '%s': Ambiguous configuration for bind '%s' at [%s:%d]: the ssl-min-ver value is not configured and the ssl-max-ver value is lower than the default ssl-min-ver value (%s). "
+			           "Setting the ssl-min-ver to %s. Use 'ssl-min-ver' to fix this.\n",
+			           bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line, methodVersions[default_min_ver].name, methodVersions[max].name);
+			min = max;
+		}
+	}
 	/* Real min and max should be determinate with configuration and openssl's capabilities */
 	if (min)
 		flags |= (methodVersions[min].flag - 1);
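Review bot: In the else branch, "min = max;" changes the effective range, not just the logging. Before this change min stayed 0 in that case, so the "if (min)" mask just below was skipped; now the lower bound equals the upper bound. That is more than the subject line suggests and should be spelled out in the code comment, which is currently cut off ("/* default minimum is TLSV12,  */" ends in a comma and two spaces). Something like "default minimum is TLSv1.2; if only a lower ssl-max-ver is set, use it as the minimum too and warn" would do. Also note that this path only warns and leaves cfgerr untouched, so a bind line with only ssl-max-ver set below TLSv1.2 still loads with a pre-TLSv1.2 protocol as the sole version. If that is intended, say so in the comment. The warning's argument order matches its format string (default name first, then the max name), so no change is needed there.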