BUILD: SSL: guard TLS13 ciphersuites with HAVE_SSL_CTX_SET_CIPHERSUITES
HAVE_SSL_CTX_SET_CIPHERSUITES is newly defined macro set in openssl-compat.h,
which helps to identify ssl libs (currently OpenSSL-1.1.1 only) that supports
TLS13 cipersuites manipulation on TLS13 context
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 77a3eb0..ec57f88 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -136,7 +136,7 @@
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */
char *ciphers; /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
#endif
char *curves; /* curves suite to use for ECDHE */
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 0bc9ac0..6b5a489 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -47,6 +47,10 @@
#define OpenSSL_version_num SSLeay
#endif
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL))
+#define HAVE_SSL_CTX_SET_CIPHERSUITES
+#endif
+
#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
/* Functions present in OpenSSL 0.9.8, older not tested */
static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index 694cc3d..0e66be6 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -309,7 +309,7 @@
int allocated_size;
} * reused_sess;
char *ciphers; /* cipher suite to use if non-null */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
#endif
int options; /* ssl options */
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 58faebe..c0f47cb 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -270,7 +270,7 @@
char *listen_default_ciphers;
char *connect_default_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
char *listen_default_ciphersuites;
char *connect_default_ciphersuites;
#endif
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0d7c7c3..47e0592 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -203,7 +203,7 @@
return 0;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
*/
@@ -613,7 +613,7 @@
return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
/* parse the "ciphersuites" bind keyword */
static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
@@ -1049,7 +1049,7 @@
if (global_ssl.listen_default_curves && !conf->ssl_conf.curves)
conf->ssl_conf.curves = strdup(global_ssl.listen_default_curves);
#endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
#endif
@@ -1362,7 +1362,7 @@
{
if (global_ssl.connect_default_ciphers && !s->ssl_ctx.ciphers)
s->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (global_ssl.connect_default_ciphersuites && !s->ssl_ctx.ciphersuites)
s->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif
@@ -1397,7 +1397,7 @@
return 0;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
/* parse the "ciphersuites" server keyword */
static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@@ -1733,7 +1733,7 @@
{ "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process ca-names and verify on client cert */
{ "ca-verify-file", ssl_bind_parse_ca_verify_file, 1 }, /* set CAverify file to process verify on client cert */
{ "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
#endif
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
@@ -1758,7 +1758,7 @@
{ "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
{ "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
#endif
{ "crl-file", bind_parse_crl_file, 1 }, /* set certificate revocation list file use on client cert verify */
@@ -1808,7 +1808,7 @@
{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
#endif
{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
@@ -1877,7 +1877,7 @@
#if defined(SSL_CTX_set1_curves_list)
{ CFG_GLOBAL, "ssl-default-bind-curves", ssl_parse_global_curves },
#endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
{ CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
#endif
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f72f60e..ba09799 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -50,7 +50,7 @@
conf->crl_file = NULL;
free(conf->ciphers);
conf->ciphers = NULL;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
free(conf->ciphersuites);
conf->ciphersuites = NULL;
#endif
@@ -109,7 +109,7 @@
if (!dst->ciphers)
goto error;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (src->ciphersuites) {
dst->ciphersuites = strdup(src->ciphersuites);
if (!dst->ciphersuites)
@@ -832,7 +832,7 @@
chunk_appendf(buf, "ciphers %s", conf->ciphers);
space++;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (conf->ciphersuites) {
if (space) chunk_appendf(buf, " ");
chunk_appendf(buf, "ciphersuites %s", conf->ciphersuites);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5a0cd2b..b7d3b92 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -104,14 +104,10 @@
#ifdef CONNECT_DEFAULT_CIPHERS
.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
#endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-#ifdef LISTEN_DEFAULT_CIPHERSUITES
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
.listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERSUITES
.connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
#endif
-#endif
.listen_default_ssloptions = BC_SSL_O_NONE,
.connect_default_ssloptions = SRV_SSL_O_NONE,
@@ -4054,7 +4050,7 @@
int verify = SSL_VERIFY_NONE;
struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
const char *conf_ciphers;
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
const char *conf_ciphersuites;
#endif
const char *conf_curves = NULL;
@@ -4162,7 +4158,7 @@
cfgerr |= ERR_ALERT | ERR_FATAL;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
if (conf_ciphersuites &&
!SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
@@ -4619,7 +4615,7 @@
cfgerr++;
}
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (srv->ssl_ctx.ciphersuites &&
!SSL_CTX_set_ciphersuites(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
@@ -6721,7 +6717,7 @@
global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
if (global_ssl.connect_default_ciphers)
global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (global_ssl.listen_default_ciphersuites)
global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
if (global_ssl.connect_default_ciphersuites)