MAJOR: ssl: bind configuration per certificat

crt-list is extended to support ssl configuration. You can now have
such a line in crt-list <file>:
mycert.pem [npn h2,http/1.1]

Support include "npn", "alpn", "verify", "ca_file", "crl_file",
"ecdhe", "ciphers" configuration and ssl options.

"crt-base" is also supported to fetch certificates.
diff --git a/include/types/listener.h b/include/types/listener.h
index 03f4a72..b534c47 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -115,22 +115,34 @@
 #define BC_SSL_O_NO_TLS_TICKETS 0x0100	/* disable session resumption tickets */
 #endif
 
-/* "bind" line settings */
-struct bind_conf {
+/* ssl "bind" settings */
+struct ssl_bind_conf {
 #ifdef USE_OPENSSL
+#ifdef OPENSSL_NPN_NEGOTIATED
+	char *npn_str;             /* NPN protocol string */
+	int npn_len;               /* NPN protocol string length */
+#endif
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+	char *alpn_str;            /* ALPN protocol string */
+	int alpn_len;              /* ALPN protocol string length */
+#endif
+	int verify;                /* verify method (set of SSL_VERIFY_* flags) */
 	char *ca_file;             /* CAfile to use on verify */
-	unsigned long long ca_ignerr;  /* ignored verify errors in handshake if depth > 0 */
-	unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
-	char *ciphers;             /* cipher suite to use if non-null */
 	char *crl_file;            /* CRLfile to use on verify */
+	char *ciphers;             /* cipher suite to use if non-null */
 	char *ecdhe;               /* named curve to use for ECDHE */
 	int ssl_options;           /* ssl options */
-	int verify;                /* verify method (set of SSL_VERIFY_* flags) */
+#endif
+};
+
+/* "bind" line settings */
+struct bind_conf {
+#ifdef USE_OPENSSL
+	struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
+	unsigned long long ca_ignerr;  /* ignored verify errors in handshake if depth > 0 */
+	unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
 	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
-	char *npn_str;             /* NPN protocol string */
-	int npn_len;               /* NPN protocol string length */
-	char *alpn_str;            /* ALPN protocol string */
-	int alpn_len;              /* ALPN protocol string length */
+	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
 	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
 	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
 	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
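Review bot: The per-certificate `verify` field in `struct ssl_bind_conf` has no documented "unset" state and no stated precedence against the bind-level `ssl_conf`. Its comment calls it a set of SSL_VERIFY_* flags; if that is literal, a zero-initialised crt-list entry cannot be told apart from an explicit SSL_VERIFY_NONE, so whatever code merges the two configurations needs a stated rule, or a crt-list line could silently weaken client-certificate verification. I would add a comment on the struct such as `/* per-certificate overrides; a zero/NULL field means "inherit from bind_conf.ssl_conf" */` (adjusted to the real rule), and say on `default_ssl_conf` whether it may be NULL and who owns the strings it points to. `ca_ignerr` and `crt_ignerr` stay bind-wide while `ca_file` and `verify` become per certificate, which is worth stating next to them. struct bind_conf continues past the end of the hunk.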
@@ -213,6 +225,11 @@
 	int (*parse)(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err);
 	int skip; /* nb of args to skip */
 };
+struct ssl_bind_kw {
+	const char *kw;
+	int (*parse)(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err);
+	int skip; /* nb of args to skip */
+};
 
 /*
  * A keyword list. It is a NULL-terminated array of keywords. It embeds a
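Review bot: `struct ssl_bind_kw` is added without any description and sits directly against the closing brace of the preceding keyword struct, whose definition starts above the hunk. A short header comment would make the contract explicit, for example `/* SSL keyword usable per certificate: parse() fills a struct ssl_bind_conf instead of a struct bind_conf */`, together with a blank line before the struct. Since these parsers presumably also run on crt-list file content, it would help to document that `skip` must equal the number of arguments `parse()` consumes and whether `px` may be NULL in that context.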