Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e566ecbea88ec1166faafc6a4b121f3ec08a7853^! / .
commite566ecbea88ec1166faafc6a4b121f3ec08a7853[log] [tgz]
authorDavid BERARD <contact@davidberard.fr>Tue Sep 04 15:15:13 2012 +0200
committerWilly Tarreau <w@1wt.eu>Tue Sep 04 15:35:32 2012 +0200
tree6a9c46dd5f2756661cc917c42cb27c38296d4891
parentff9f7698fcefef66bceb1ec32a3da8b14947a594 [diff]
MEDIUM: ssl: add support for prefer-server-ciphers option

I wrote a small path to add the SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL option
to frontend, if the 'prefer-server-ciphers' keyword is set.

Example :
	bind 10.11.12.13 ssl /etc/haproxy/ssl/cert.pem ciphers RC4:HIGH:!aNULL:!MD5 prefer-server-ciphers

This option mitigate the effect of the BEAST Attack (as I understand), and it
equivalent to :
	- Apache HTTPd SSLHonorCipherOrder option.
	- Nginx ssl_prefer_server_ciphers option.

[WT: added a test for the support of the option]

diff --git a/include/types/protocols.h b/include/types/protocols.h
index b075ef6..1d962ea 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h

@@ -137,6 +137,7 @@
 		char *ciphers;		/* cipher suite to use if non-null */
 		int nosslv3;		/* disable SSLv3 */
 		int notlsv1;		/* disable TLSv1 */
+		int prefer_server_ciphers; /* Prefer server ciphers */
 	} ssl_ctx;
 #endif
 	/* warning: this struct is huge, keep it at the bottom */

diff --git a/src/cfgparse.c b/src/cfgparse.c
index f5061b3..6ff166e 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c

@@ -1889,6 +1889,23 @@
 #endif
 			}
 
+			if (!strcmp(args[cur_arg], "prefer-server-ciphers")) { /* Prefert server ciphers */
+#if defined (USE_OPENSSL) && defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
+				struct listener *l;
+
+				for (l = curproxy->listen; l != last_listen; l = l->next)
+					l->ssl_ctx.prefer_server_ciphers = 1;
+
+				cur_arg += 1;
+				continue;
+#else
+				Alert("parsing [%s:%d] : '%s' : '%s' option not implemented.\n",
+				      file, linenum, args[0], args[cur_arg]);
+				err_code |= ERR_ALERT | ERR_FATAL;
+				goto out;
+#endif
+			}
+
 			if (!strcmp(args[cur_arg], "accept-proxy")) { /* expect a 'PROXY' line first */
 				struct listener *l;
 
@@ -6794,6 +6811,10 @@
 			}
 
 #ifdef USE_OPENSSL
+#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE                 /* needs OpenSSL >= 0.9.7 */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
+#endif
+
 #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	/* needs OpenSSL >= 0.9.7 */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
 #endif
@@ -6827,6 +6848,8 @@
 					ssloptions |= SSL_OP_NO_SSLv3;
 				if (listener->ssl_ctx.notlsv1)
 					ssloptions |= SSL_OP_NO_TLSv1;
+				if (listener->ssl_ctx.prefer_server_ciphers)
+					ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 				SSL_CTX_set_options(listener->ssl_ctx.ctx, ssloptions);
 				SSL_CTX_set_mode(listener->ssl_ctx.ctx, sslmode);
 				SSL_CTX_set_verify(listener->ssl_ctx.ctx, SSL_VERIFY_NONE, NULL);