MINOR: config: add global directives to set default SSL ciphers
The ability to globally override the default client and server cipher
suites has been requested multiple times since the introduction of SSL.
This commit adds two new keywords to the global section for this :
- ssl-default-bind-ciphers
- ssl-default-server-ciphers
It is still possible to preset them at build time by setting the macros
LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7af752e..35dcf37 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -629,6 +629,23 @@
warning will automatically be disabled when this setting is used, whatever
the number of processes used.
+ssl-default-bind-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of cipher algorithms ("cipher suite")
+ that are negociated during the SSL/TLS handshake for all "bind" lines which
+ do not explicitly define theirs. The format of the string is defined in
+ "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
+ as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
+ "bind" keyword for more information.
+
+ssl-default-server-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It
+ sets the default string describing the list of cipher algorithms that are
+ negociated during the SSL/TLS handshake with the server, for all "server"
+ lines which do not explicitly define theirs. The format of the string is
+ defined in "man 1 ciphers". Please check the "server" keyword for more
+ information.
+
ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 462187a..88231f9 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -883,6 +883,36 @@
goto out;
#endif
}
+ else if (!strcmp(args[0], "ssl-default-bind-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.listen_default_ciphers);
+ global.listen_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
+ else if (!strcmp(args[0], "ssl-default-server-ciphers")) {
+#ifdef USE_OPENSSL
+ if (*(args[1]) == 0) {
+ Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ free(global.connect_default_ciphers);
+ global.connect_default_ciphers = strdup(args[1]);
+#else
+ Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+#endif
+ }
else if (!strcmp(args[0], "ssl-server-verify")) {
if (*(args[1]) == 0) {
Alert("parsing [%s:%d] : '%s' expects an integer argument.\n", file, linenum, args[0]);
diff --git a/src/haproxy.c b/src/haproxy.c
index 1825705..45d1bd7 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -161,12 +161,6 @@
#ifdef DEFAULT_MAXSSLCONN
.maxsslconn = DEFAULT_MAXSSLCONN,
#endif
-#ifdef LISTEN_DEFAULT_CIPHERS
- .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERS
- .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
-#endif
#endif
/* others NULL OK */
};
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5ac2b06..3b96e37 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3628,6 +3628,17 @@
{
STACK_OF(SSL_COMP)* cm;
+#ifdef LISTEN_DEFAULT_CIPHERS
+ global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS;
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+ global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS;
+#endif
+ if (global.listen_default_ciphers)
+ global.listen_default_ciphers = strdup(global.listen_default_ciphers);
+ if (global.connect_default_ciphers)
+ global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+
SSL_library_init();
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);