MINOR: ssl: Add 'ssl-propquery' global option
This option can be used to define a default property query used when
fetching algorithms in OpenSSL providers. It follows the format
described in https://www.openssl.org/docs/man3.0/man7/property.html.
It is only available when haproxy is built with SSL support and linked
to OpenSSLv3 libraries.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 1b57c69..7632291 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1050,6 +1050,7 @@
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
+ - ssl-propquery
- ssl-server-verify
- ssl-skip-self-issued-ca
- unix-bind
@@ -2060,6 +2061,17 @@
"openssl dhparam <size>", where size should be at least 2048, as 1024-bit DH
parameters should not be considered secure anymore.
+ssl-propquery <query>
+ This setting is only available when support for OpenSSL was built in and when
+ OpenSSL's version is at least 3.0. It allows to define a default property
+ string used when fetching algorithms in providers. It behave the same way as
+ the openssl propquery option and it follows the same syntax (described in
+ https://www.openssl.org/docs/man3.0/man7/property.html). For instance, if you
+ have two providers loaded, the foo one and the default one, the propquery
+ "?provider=foo" allows to pick the algorithm implementations provided by the
+ foo provider by default, and to fallback on the default provider's one if it
+ was not found.
+
ssl-load-extra-del-ext
This setting allows to configure the way HAProxy does the lookup for the
extra SSL files. By default HAProxy adds a new extension to the filename.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 462743e..513cfd6 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -180,6 +180,28 @@
}
#endif
+#ifdef HAVE_SSL_PROVIDERS
+/* parse the "ssl-propquery" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_propquery(char **args, int section_type, struct proxy *curpx,
+ const struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ int ret = -1;
+
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a property string as an argument.", args[0]);
+ return ret;
+ }
+
+ if (EVP_set_default_properties(NULL, args[1]))
+ ret = 0;
+
+ return ret;
+}
+#endif
+
/* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
*/
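Review bot: When EVP_set_default_properties() fails, ssl_parse_global_ssl_propquery() returns -1 with `err` left untouched, so the caller raises an alert carrying no message and the operator never learns that the property string was rejected and that OpenSSL's built-in defaults remain in effect. For a setting whose purpose is to steer which provider supplies the algorithm implementations, that silent fallback is worth surfacing explicitly. The `ret = 0` branch should get an else, e.g. `else memprintf(err, "global statement '%s': failed to set default property query '%s'.", args[0], args[1]);`, and the OpenSSL error queue could be appended to that message if a reason is wanted. The "expects a property string" check on the empty-argument path already follows this pattern, so the two failure paths would then be consistent.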
@@ -1936,6 +1958,9 @@
#if defined(USE_ENGINE) && !defined(OPENSSL_NO_ENGINE)
{ CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine },
#endif
+#ifdef HAVE_SSL_PROVIDERS
+ { CFG_GLOBAL, "ssl-propquery", ssl_parse_global_ssl_propquery },
+#endif
{ CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
#ifndef OPENSSL_NO_DH