MEDIUM: checks: Implement ssl-hello check using tcp-check rules
A shared tcp-check ruleset is now created to support ssl-hello check. This way
no extra memory is used if several backends use a ssl-hello check.
The following sequence is used :
tcp-check send-binary SSLV3_CLIENT_HELLO log-format
tcp-check expect rbinary "^1[56]" min-recv 5 \
error-status "L6RSP" tout-status "L6TOUT"
SSLV3_CLIENT_HELLO is a log-format hex string representing an SSLv3 CLIENT HELLO
packet. It is the same as the one used by the old ssl-hello check, except that the
sample expression "%[date(),htonl,hex]" is used to set the date field.
diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
index fdcf68e..291dca8 100644
--- a/src/cfgparse-listen.c
+++ b/src/cfgparse-listen.c
@@ -2397,16 +2397,8 @@
goto out;
}
else if (!strcmp(args[1], "ssl-hello-chk")) {
- /* use SSLv3 CLIENT HELLO to check servers' health */
- if (warnifnotcap(curproxy, PR_CAP_BE, file, linenum, args[1], NULL))
- err_code |= ERR_WARN;
-
- free(curproxy->check_req);
- curproxy->check_req = NULL;
- curproxy->options2 &= ~PR_O2_CHK_ANY;
- curproxy->options2 |= PR_O2_SSL3_CHK;
-
- if (alertif_too_many_args_idx(0, 1, file, linenum, args, &err_code))
+ err_code |= proxy_parse_ssl_hello_chk_opt(args, 0, curproxy, &defproxy, file, linenum);
+ if (err_code & ERR_FATAL)
goto out;
}
else if (!strcmp(args[1], "smtpchk")) {
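Review bot: The backend-capability warning (`warnifnotcap(curproxy, PR_CAP_BE, ...)`) and the trailing-argument check (`alertif_too_many_args_idx(0, 1, ...)`) that used to run at this site are no longer visible in the hunk; they are presumably moved into `proxy_parse_ssl_hello_chk_opt`, but that function is outside this diff, so it is worth confirming that a frontend-only proxy configured with `option ssl-hello-chk` still gets the warning and that extra arguments are still rejected rather than silently ignored. The new call also passes a literal `0` as the argument index, which would read better as a short comment, e.g. `/* index of "option" in args; the helper re-checks PR_CAP_BE and the arg count */` placed above the call once that is confirmed. The enclosing parser function begins and continues outside this hunk.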