MAJOR: ssl: bind configuration per certificate
crt-list is extended to support ssl configuration. You can now have
such line in crt-list <file>:
mycert.pem [npn h2,http/1.1]
Supported keywords include "npn", "alpn", "verify", "ca_file", "crl_file",
"ecdhe" and "ciphers", plus the ssl options.
"crt-base" is also supported to fetch certificates.
diff --git a/include/common/defaults.h b/include/common/defaults.h
index 3e04f02..1618ab4 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -74,8 +74,11 @@
// max # args on a configuration line
#define MAX_LINE_ARGS 64
-// crt-list parsing factor for LINESIZE and MAX_LINE_ARGS
-#define CRTLIST_FACTOR 32
+// maximum line size when parsing crt-bind-list config
+#define CRT_LINESIZE 65536
+
+// max # args on crt-bind-list configuration line
+#define MAX_CRT_ARGS 2048
// max # args on a stats socket
// This should cover at least 5 + twice the # of data_types
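Review bot: The two new comments call the file a "crt-bind-list", while the commit message and the rest of the tree call it "crt-list"; a reader grepping for the directive will not find these constants. I would write `// maximum line size when parsing a crt-list file` and `// max # args on a crt-list line`. Since 2048 is exactly 32 times MAX_LINE_ARGS, which is what the removed CRTLIST_FACTOR expressed, `#define MAX_CRT_ARGS (32 * MAX_LINE_ARGS)` would keep that relation visible instead of a bare magic number.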
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 9f43adc..6f779fa 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -42,7 +42,7 @@
}
int ssl_sock_handshake(struct connection *conn, unsigned int flag);
-int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx);
+int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *, SSL_CTX *ctx);
int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf);
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf);
int ssl_sock_prepare_srv_ctx(struct server *srv);
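Review bot: The new middle parameter of ssl_sock_prepare_ctx is unnamed in the prototype, unlike every other parameter on the surrounding lines, so the header no longer tells a caller what that pointer is. I would write `int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf, SSL_CTX *ctx);`. Whether `struct ssl_bind_conf` is already declared when this header is parsed depends on includes outside the hunk; if it is not, a `struct ssl_bind_conf;` forward declaration above the prototype avoids the tag being scoped to the parameter list.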
diff --git a/include/types/listener.h b/include/types/listener.h
index 03f4a72..b534c47 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -115,22 +115,34 @@
#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
#endif
-/* "bind" line settings */
-struct bind_conf {
+/* ssl "bind" settings */
+struct ssl_bind_conf {
#ifdef USE_OPENSSL
+#ifdef OPENSSL_NPN_NEGOTIATED
+ char *npn_str; /* NPN protocol string */
+ int npn_len; /* NPN protocol string length */
+#endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+ char *alpn_str; /* ALPN protocol string */
+ int alpn_len; /* ALPN protocol string length */
+#endif
+ int verify; /* verify method (set of SSL_VERIFY_* flags) */
char *ca_file; /* CAfile to use on verify */
- unsigned long long ca_ignerr; /* ignored verify errors in handshake if depth > 0 */
- unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
- char *ciphers; /* cipher suite to use if non-null */
char *crl_file; /* CRLfile to use on verify */
+ char *ciphers; /* cipher suite to use if non-null */
char *ecdhe; /* named curve to use for ECDHE */
int ssl_options; /* ssl options */
- int verify; /* verify method (set of SSL_VERIFY_* flags) */
+#endif
+};
+
+/* "bind" line settings */
+struct bind_conf {
+#ifdef USE_OPENSSL
+ struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
+ unsigned long long ca_ignerr; /* ignored verify errors in handshake if depth > 0 */
+ unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
- char *npn_str; /* NPN protocol string */
- int npn_len; /* NPN protocol string length */
- char *alpn_str; /* ALPN protocol string */
- int alpn_len; /* ALPN protocol string length */
+ struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
struct eb_root sni_w_ctx; /* sni_ctx tree of all known certs wildcards sorted by name */
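Review bot: Every member of the new `struct ssl_bind_conf` sits inside `#ifdef USE_OPENSSL`, so without OpenSSL the struct is defined with no members, which is a constraint violation in C11 (6.7.2.1) that GCC only accepts as an extension. Since the only non-OpenSSL use visible here is a pointer, I would put the whole definition under the ifdef and keep a tag declaration outside it: `struct ssl_bind_conf;` followed by `#ifdef USE_OPENSSL` / `struct ssl_bind_conf { ... };` / `#endif`. Separately, `verify`, `ca_file` and `crl_file` move into the per-certificate struct but `ca_ignerr` and `crt_ignerr` stay in bind_conf, so the ignored-error masks appear to apply bind-wide regardless of a crt-list entry's own verify settings; if that is intended, a comment on `ca_ignerr` saying so would spare the next reader the question. The `struct bind_conf` definition continues past the end of the hunk.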
@@ -213,6 +225,11 @@
int (*parse)(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err);
int skip; /* nb of args to skip */
};
+struct ssl_bind_kw {
+ const char *kw;
+ int (*parse)(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err);
+ int skip; /* nb of args to skip */
+};
/*
* A keyword list. It is a NULL-terminated array of keywords. It embeds a
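Review bot: `struct ssl_bind_kw` is added without any comment, right after the documented bind_kw it mirrors, so nothing says when its parser runs or what `conf` it receives. I would add `/* ssl "bind" keyword: like bind_kw, but its parser fills a per-certificate struct ssl_bind_conf (from a crt-list line) instead of the bind_conf */` above the definition, and `/* keyword as written on the crt-list line */` on `kw`. Where the parse callback's `px` comes from for a crt-list entry is not visible in this hunk, so I have not described it.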
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index e71ba79..a384f05 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -22,6 +22,7 @@
#ifndef _TYPES_SSL_SOCK_H
#define _TYPES_SSL_SOCK_H
+#include <types/listener.h>
#include <openssl/ssl.h>
#include <ebmbtree.h>
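Review bot: The new `#include <types/listener.h>` pulls a whole header into types/ssl_sock.h when the only thing this file needs from it, as far as the hunk below shows, is the tag of `struct ssl_bind_conf` for a pointer member; a forward declaration `struct ssl_bind_conf;` in place of the include keeps the header lighter and avoids a possible include cycle if listener.h ever comes to depend on this file. I cannot see from here whether anything else in types/ssl_sock.h relies on listener.h, so keep the include if it does.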
@@ -29,6 +30,7 @@
SSL_CTX *ctx; /* context associated to the certificate */
int order; /* load order for the certificate */
int neg; /* reject if match */
+ struct ssl_bind_conf *conf; /* ssl "bind" conf for the certificate */
struct ebmb_node name; /* node holding the servername value */
};