MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.

These are used to set the default cipher suite on "bind" lines and
"server" lines respectively, instead of using OpenSSL's defaults. They
are probably mainly useful for distro packagers.
diff --git a/Makefile b/Makefile
index f0533a7..653c083 100644
--- a/Makefile
+++ b/Makefile
@@ -139,6 +139,11 @@
 # Use DEFINE=-Dxxx to set any tunable macro. Anything declared here will appear
 # in the build options reported by "haproxy -vv". Use SILENT_DEFINE if you do
 # not want to pollute the report with complex defines.
+# The following settings might be of interest when SSL is enabled :
+#   LISTEN_DEFAULT_CIPHERS is a cipher suite string used to set the default SSL
+#           ciphers on "bind" lines instead of using OpenSSL's defaults.
+#   CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
+#           SSL ciphers on "server" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
 
diff --git a/include/common/defaults.h b/include/common/defaults.h
index b49044e..3a67d33 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -188,4 +188,14 @@
 #define HCHK_DESC_LEN	128
 #endif
 
+/* ciphers used as defaults on connect */
+#ifndef CONNECT_DEFAULT_CIPHERS
+#define CONNECT_DEFAULT_CIPHERS NULL
+#endif
+
+/* ciphers used as defaults on listeners */
+#ifndef LISTEN_DEFAULT_CIPHERS
+#define LISTEN_DEFAULT_CIPHERS NULL
+#endif
+
 #endif /* _COMMON_DEFAULTS_H */
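Review bot: The two new comments do not say what form the value takes or what NULL means, yet src/haproxy.c uses the macro directly as a `char *` initializer, so a packager must pass it as a quoted C string literal. I would word each comment along the lines of `/* default cipher list for "server" lines, as a C string literal in OpenSSL cipher-list syntax; NULL leaves OpenSSL's own default in place */`. Because this header always supplies a NULL fallback, the `#ifdef LISTEN_DEFAULT_CIPHERS` and `#ifdef CONNECT_DEFAULT_CIPHERS` guards added in src/haproxy.c look redundant wherever this header is included first; that include is not visible in the diff.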
diff --git a/include/types/global.h b/include/types/global.h
index 3efe933..d7c6cfd 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -76,6 +76,8 @@
 	int maxconn, hardmaxconn;
 #ifdef USE_OPENSSL
 	int maxsslconn;
+	char *listen_default_ciphers;
+	char *connect_default_ciphers;
 #endif
 	struct freq_ctr conn_per_sec;
 	int cps_lim, cps_max;
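Review bot: The two new fields would be safer as `const char *listen_default_ciphers;` and `const char *connect_default_ciphers;`, since in this commit they are only initialised from the build-time macros (a string literal or NULL) and read through strdup(). With plain `char *`, a later free() or in-place edit of the literal compiles silently. If a runtime setter is planned instead, a short comment stating who owns the storage would cover the same risk. The enclosing struct starts and ends outside this hunk.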
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 88c6300..9d47dae 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4313,6 +4313,9 @@
 #ifdef USE_OPENSSL
 				newsrv->use_ssl = 1;
 				cur_arg += 1;
+
+				if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+					newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
 				      file, linenum, args[cur_arg]);
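Review bot: The strdup() result on the added line is stored unchecked, so an allocation failure leaves `newsrv->ssl_ctx.ciphers` NULL and the server presumably ends up on OpenSSL's default cipher list with no diagnostic. That defeats the restriction the packager compiled in, and it does so silently. The same unchecked strdup() appears in the `check-ssl` hunk below, in the "ciphers" keyword hunks of cfgparse.c and ssl_sock.c, and in the bind-side default in ssl_sock.c. I would test the pointer right after each copy and fail the parse through the existing Alert() and error exit that the neighbouring code uses, rather than continue with a weaker policy. The enclosing branch starts and ends outside this hunk.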
@@ -4324,6 +4327,9 @@
 #ifdef USE_OPENSSL
 				newsrv->check.use_ssl = 1;
 				cur_arg += 1;
+
+				if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+					newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 				Alert("parsing [%s:%d]: '%s' option not implemented.\n",
 				      file, linenum, args[cur_arg]);
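Review bot: The two added lines are a verbatim copy of the ones in the previous hunk, so any later fix to the default-cipher logic has to be made in both places. A small static helper that takes the server, called from both branches as a single line such as `srv_apply_default_ciphers(newsrv);` (name is only a suggestion), would keep the `ssl` and `check-ssl` paths from drifting apart. A one-line comment that the default is applied only when no "ciphers" keyword was seen earlier on the line would also help, as the `!newsrv->ssl_ctx.ciphers` test is easy to misread. The enclosing branch starts and ends outside this hunk.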
@@ -4340,6 +4346,7 @@
 					goto out;
 				}
 
+				free(newsrv->ssl_ctx.ciphers);
 				newsrv->ssl_ctx.ciphers = strdup(args[cur_arg + 1]);
 
 				cur_arg += 2;
diff --git a/src/haproxy.c b/src/haproxy.c
index d2f5d45..1cad8e4 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -125,9 +125,17 @@
 		.sslcachesize = 20000,
 #endif
 	},
-#if defined (USE_OPENSSL) && defined(DEFAULT_MAXSSLCONN)
+#ifdef USE_OPENSSL
+#ifdef DEFAULT_MAXSSLCONN
 	.maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
+#ifdef LISTEN_DEFAULT_CIPHERS
+	.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+	.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
+#endif
 	/* others NULL OK */
 };
 
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af90018..055bc6f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1138,6 +1138,7 @@
 		return ERR_ALERT | ERR_FATAL;
 	}
 
+	free(conf->ciphers);
 	conf->ciphers = strdup(args[cur_arg + 1]);
 	return 0;
 }
@@ -1340,6 +1341,10 @@
 	struct listener *l;
 
 	conf->is_ssl = 1;
+
+	if (global.listen_default_ciphers && !conf->ciphers)
+		conf->ciphers = strdup(global.listen_default_ciphers);
+
 	list_for_each_entry(l, &conf->listeners, by_bind)
 		l->xprt = &ssl_sock;