_service
@@ -3,5 +3,5 @@
- <param name="protocol">http</param><param name="host">haproxy.1wt.eu</param><param name="path">/download/1.5/src/haproxy-1.5.5.tar.gz</param></service>
+ <param name="protocol">http</param><param name="host">haproxy.1wt.eu</param><param name="path">/download/1.5/src/haproxy-1.5.8.tar.gz</param></service>
</services>
\ No newline at end of file
_service:download_url:haproxy-1.5.8.tar.gz/CHANGELOG
@@ -1,6 +1,28 @@
ChangeLog :
===========
+2014/10/31 : 1.5.8
+ - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped
+ - BUG/BUILD: revert accidental change in the makefile from latest SSL fix
+
+2014/10/30 : 1.5.7
+ - BUG/MEDIUM: regex: fix pcre_study error handling
+ - BUG/MINOR: log: fix request flags when keep-alive is enabled
+ - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
+ - MINOR: ssl: add statement to force some ssl options in global.
+ - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+ - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+ - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+ - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+ - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+
+2014/10/18 : 1.5.6
+ - BUG/MEDIUM: systemd: set KillMode to 'mixed'
+ - MINOR: systemd: Check configuration before start
+ - BUG/MEDIUM: config: avoid skipping disabled proxies
+ - BUG/MINOR: config: do not accept more track-sc than configured
+ - BUG/MEDIUM: backend: fix URI hash when a query string is present
+
2014/10/08 : 1.5.5
- DOC: Address issue where documentation is excluded due to a gitignore rule.
- MEDIUM: Improve signal handling in systemd wrapper.
_service:download_url:haproxy-1.5.8.tar.gz/README
@@ -1,9 +1,9 @@
----------------------
HAProxy how-to
----------------------
- version 1.5.4
+ version 1.5.8
willy tarreau
- 2014/09/02
+ 2014/10/31
1) How to build it
_service:download_url:haproxy-1.5.8.tar.gz/VERDATE
@@ -1,2 +1,2 @@
$Format:%ci$
-2014/10/07
+2014/10/31
_service:download_url:haproxy-1.5.8.tar.gz/VERSION
@@ -1 +1 @@
-1.5.5
+1.5.8
_service:download_url:haproxy-1.5.8.tar.gz/contrib/systemd/haproxy.service.in
@@ -3,8 +3,10 @@
After=network.target
[Service]
+ExecStartPre=@SBINDIR@/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=@SBINDIR@/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=mixed
Restart=always
[Install]
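Review bot: `/etc/haproxy/haproxy.cfg` is now spelled out twice, in the new `ExecStartPre=` line and in the existing `ExecStart=`, so anyone overriding the config path has to patch both and a mismatch would validate one file and run another. systemd expands `$VAR` in Exec lines from `Environment=`, so `Environment=CONFIG=/etc/haproxy/haproxy.cfg` with `-f $CONFIG` in both lines keeps them in step. The pre-start check only covers the initial start; whether a reload through `ExecReload=` is equally protected depends on how the wrapper handles SIGUSR2, which is outside this change.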
_service:download_url:haproxy-1.5.8.tar.gz/doc/configuration.txt
@@ -2,9 +2,9 @@
HAProxy
Configuration Manual
----------------------
- version 1.5.4
+ version 1.5.8
willy tarreau
- 2014/09/02
+ 2014/10/31
This document covers the configuration language as implemented in the version
@@ -657,6 +657,15 @@
as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
"bind" keyword for more information.
+ssl-default-bind-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "bind" lines. Please check the "bind"
+ keyword to see available options.
+
+ Example:
+ global
+ ssl-default-bind-options no-sslv3 no-tls-tickets
+
ssl-default-server-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It
sets the default string describing the list of cipher algorithms that are
@@ -665,6 +674,11 @@
defined in "man 1 ciphers". Please check the "server" keyword for more
information.
+ssl-default-server-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+ default ssl-options to force on all "server" lines. Please check the "server"
+ keyword to see available options.
+
ssl-server-verify [none|required]
The default behavior for SSL verify on servers side. If specified to 'none',
servers certificates are not verified. The default is 'required' except if
@@ -8379,19 +8393,23 @@
force-sslv3
This option enforces use of SSLv3 only on SSL connections instantiated from
this listener. SSLv3 is generally less expensive than the TLS counterparts
- for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+ for high connection rates. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv10
This option enforces use of TLSv1.0 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
force-tlsv11
This option enforces use of TLSv1.1 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
force-tlsv12
This option enforces use of TLSv1.2 only on SSL connections instantiated from
- this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+ this listener. This option is also available on global statement
+ "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
gid <gid>
Sets the group of the UNIX sockets to the designated system gid. It can also
@@ -8484,35 +8502,40 @@
This setting is only available when support for OpenSSL was built in. It
disables support for SSLv3 on any sockets instantiated from the listener when
SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
- be enabled using any configuration option. See also "force-tls*",
+ be enabled using any configuration option. This option is also available on
+ global statement "ssl-default-bind-options". See also "force-tls*",
and "force-sslv3".
no-tls-tickets
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage.
+ session resumption is more expensive in CPU usage. This option is also
+ available on global statement "ssl-default-bind-options".
no-tlsv10
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.0 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv11
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.1 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
no-tlsv12
This setting is only available when support for OpenSSL was built in. It
disables support for TLSv1.2 on any sockets instantiated from the listener
when SSL is supported. Note that SSLv2 is forced disabled in the code and
- cannot be enabled using any configuration option. See also "force-tls*",
- and "force-sslv3".
+ cannot be enabled using any configuration option. This option is also
+ available on global statement "ssl-default-bind-options". See also
+ "force-tlsv*", and "force-sslv3".
npn <protocols>
This enables the NPN TLS extension and advertises the specified protocol list
@@ -8845,25 +8868,29 @@
force-sslv3
This option enforces use of SSLv3 only when SSL is used to communicate with
the server. SSLv3 is generally less expensive than the TLS counterparts for
- high connection rates. See also "no-tlsv*", "no-sslv3".
+ high connection rates. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv10
This option enforces use of TLSv1.0 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv11
This option enforces use of TLSv1.1 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
force-tlsv12
This option enforces use of TLSv1.2 only when SSL is used to communicate with
- the server. See also "no-tlsv*", "no-sslv3".
+ the server. This option is also available on global statement
+ "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
Supported in default-server: No
@@ -8951,7 +8978,8 @@
This setting is only available when support for OpenSSL was built in. It
disables the stateless session resumption (RFC 5077 TLS Ticket
extension) and force to use stateful session resumption. Stateless
- session resumption is more expensive in CPU usage for servers.
+ session resumption is more expensive in CPU usage for servers. This option
+ is also available on global statement "ssl-default-server-options".
Supported in default-server: No
@@ -8959,8 +8987,9 @@
This option disables support for TLSv1.0 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8968,8 +8997,9 @@
This option disables support for TLSv1.1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -8977,8 +9007,9 @@
This option disables support for TLSv1.2 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
- often makes sense to disable it when communicating with local servers. See
- also "force-sslv3", "force-tlsv*".
+ often makes sense to disable it when communicating with local servers. This
+ option is also available on global statement "ssl-default-server-options".
+ See also "force-sslv3", "force-tlsv*".
Supported in default-server: No
@@ -10681,6 +10712,11 @@
verification of the client certificate. If no error is encountered, 0 is
returned.
+ssl_c_der : binary
+ Returns the DER formatted certificate presented by the client when the
+ incoming connection was made over an SSL/TLS transport layer. When used for
+ an ACL, the value(s) to match against can be passed in hexadecimal form.
+
ssl_c_err : integer
When the incoming connection was made over an SSL/TLS transport layer,
returns the ID of the first error detected during verification at depth 0, or
@@ -10756,6 +10792,11 @@
Returns the version of the certificate presented by the client when the
incoming connection was made over an SSL/TLS transport layer.
+ssl_f_der : binary
+ Returns the DER formatted certificate presented by the frontend when the
+ incoming connection was made over an SSL/TLS transport layer. When used for
+ an ACL, the value(s) to match against can be passed in hexadecimal form.
+
ssl_f_i_dn([<entry>[,<occ>]]) : string
When the incoming connection was made over an SSL/TLS transport layer,
returns the full distinguished name of the issuer of the certificate
_service:download_url:haproxy-1.5.8.tar.gz/examples/haproxy.spec
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.5.5
+Version: 1.5.8
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -76,6 +76,15 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Fri Oct 31 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.8
+
+* Thu Oct 30 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.7
+
+* Sat Oct 18 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.6
+
* Wed Oct 8 2014 Willy Tarreau <w@1wt.eu>
- updated to 1.5.5
_service:download_url:haproxy-1.5.8.tar.gz/include/types/global.h
@@ -85,6 +85,8 @@
int maxsslconn;
char *listen_default_ciphers;
char *connect_default_ciphers;
+ int listen_default_ssloptions;
+ int connect_default_ssloptions;
#endif
unsigned int ssl_server_verify; /* default verify mode on servers side */
struct freq_ctr conn_per_sec;
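Review bot: The two new fields `int listen_default_ssloptions;` and `int connect_default_ssloptions;` carry no comment, unlike the neighbouring `ssl_server_verify`, so a reader cannot tell which flag namespace each one holds or which global keyword fills it. Suggest `int listen_default_ssloptions;  /* default BC_SSL_O_* flags applied to "bind" lines (ssl-default-bind-options) */` and `int connect_default_ssloptions; /* default SRV_SSL_O_* flags applied to "server" lines (ssl-default-server-options) */`. The flag prefixes are the ones the new parsers in src/ssl_sock.c of this same change write into these fields.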
_service:download_url:haproxy-1.5.8.tar.gz/src/backend.c
@@ -200,7 +200,7 @@
start = end = uri;
while (uri_len--) {
- c = *end++;
+ c = *end;
if (c == '/') {
slashes++;
if (slashes == px->uri_dirs_depth1) /* depth+1 */
@@ -208,6 +208,7 @@
}
else if (c == '?' && !px->uri_whole)
break;
+ end++;
}
hash = gen_hash(px, start, (end - start));
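Review bot: Nothing records why `end` is now advanced at the bottom of the loop (`end++;`) instead of in the load (`c = *end;`), and the two hunks only make sense together: the terminating '/' at depth+1 or the '?' must be left out of the range handed to gen_hash(). A one-line comment above the new `end++;`, such as `/* advance only after the checks so the terminating '/' or '?' is not hashed */`, would stop the next maintainer from folding the increment back into the load. The enclosing function starts and ends outside these hunks and the `break` at depth+1 sits in the gap between them, so this reading is inferred from the visible lines.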
_service:download_url:haproxy-1.5.8.tar.gz/src/buffer.c
@@ -88,6 +88,11 @@
if (bi_end(b) + delta >= b->data + b->size)
return 0; /* no space left */
+ if (buffer_not_empty(b) &&
+ bi_end(b) + delta > bo_ptr(b) &&
+ bo_ptr(b) >= bi_end(b))
+ return 0; /* no space left before wrapping data */
+
/* first, protect the end of the buffer */
memmove(pos + delta, pos, bi_end(b) - pos);
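Review bot: The new guard encodes the wrapped layout (output data sitting after the input data, so the input may only grow up to `bo_ptr(b)`) without saying so, and the trailing `no space left before wrapping data` does not explain why `bo_ptr(b) >= bi_end(b)` is part of the condition. Suggest `/* wrapped case: output data sit after the input, so the input may grow at most up to bo_ptr(b) */` in its place. Testing `bo_ptr(b) >= bi_end(b)` first would also make the two layouts read as two cases next to the existing end-of-buffer check, which presumably only ever covered the unwrapped one. The enclosing function starts outside the hunk.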
_service:download_url:haproxy-1.5.8.tar.gz/src/cfgparse.c
@@ -6104,7 +6104,6 @@
if (curproxy->state == PR_STSTOPPED) {
/* ensure we don't keep listeners uselessly bound */
stop_proxy(curproxy);
- curproxy = curproxy->next;
continue;
}
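Review bot: Dropping the manual advance before `continue;` is only right if the enclosing loop steps `curproxy` in its own header, which is outside the hunk; the changelog entry "avoid skipping disabled proxies" implies it does, but nothing in the visible lines says so. A short comment on the line, e.g. `continue; /* the for header advances curproxy */`, would keep the double advance from being reintroduced.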
_service:download_url:haproxy-1.5.8.tar.gz/src/dumpstats.c
@@ -131,6 +131,7 @@
static int stats_pats_list(struct stream_interface *si);
static int stats_pat_list(struct stream_interface *si);
static int stats_map_lookup(struct stream_interface *si);
+static void cli_release_handler(struct stream_interface *si);
/*
* cli_io_handler()
@@ -2336,6 +2337,7 @@
}
else { /* output functions: first check if the output buffer is closed then abort */
if (res->flags & (CF_SHUTR_NOW|CF_SHUTR)) {
+ cli_release_handler(si);
appctx->st0 = STAT_CLI_END;
continue;
}
@@ -2389,6 +2391,7 @@
appctx->st0 = STAT_CLI_PROMPT;
break;
default: /* abnormal state */
+ cli_release_handler(si);
appctx->st0 = STAT_CLI_PROMPT;
break;
}
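Review bot: Calling `cli_release_handler(si)` before `appctx->st0 = STAT_CLI_END;` and again in the `default:` branch assumes the handler tolerates running more than once, since the applet's release callback presumably calls it again when the session is torn down; if it frees per-command state without resetting the pointers, these calls turn a leak fix into a double free. The handler's body is not in the hunks, so this needs checking against its definition. A comment at the first new call, such as `/* release per-command state now; cli_release_handler() must be idempotent because the applet release path calls it again */`, would record that contract. The `default:` branch moving on to `STAT_CLI_PROMPT` after releasing also deserves a word on why the prompt remains usable afterwards.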
_service:download_url:haproxy-1.5.8.tar.gz/src/proto_http.c
@@ -2546,7 +2546,7 @@
/* 1: we might have to print this header in debug mode */
if (unlikely((global.mode & MODE_DEBUG) &&
(!(global.mode & MODE_QUIET) || (global.mode & MODE_VERBOSE)) &&
- (msg->msg_state >= HTTP_MSG_BODY || msg->msg_state == HTTP_MSG_ERROR))) {
+ msg->msg_state >= HTTP_MSG_BODY)) {
char *eol, *sol;
sol = req->buf->p;
@@ -4893,6 +4893,7 @@
s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT|CF_WROTE_DATA);
s->flags &= ~(SN_DIRECT|SN_ASSIGNED|SN_ADDR_SET|SN_BE_ASSIGNED|SN_FORCE_PRST|SN_IGNORE_PRST);
s->flags &= ~(SN_CURR_SESS|SN_REDIRECTABLE|SN_SRV_REUSED);
+ s->flags &= ~(SN_ERR_MASK|SN_FINST_MASK|SN_REDISP);
s->txn.meth = 0;
http_reset_txn(s);
@@ -5661,7 +5662,7 @@
/* 1: we might have to print this header in debug mode */
if (unlikely((global.mode & MODE_DEBUG) &&
(!(global.mode & MODE_QUIET) || (global.mode & MODE_VERBOSE)) &&
- (msg->msg_state >= HTTP_MSG_BODY || msg->msg_state == HTTP_MSG_ERROR))) {
+ msg->msg_state >= HTTP_MSG_BODY)) {
char *eol, *sol;
sol = rep->buf->p;
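Review bot: The debug-dump condition `msg->msg_state >= HTTP_MSG_BODY` no longer admits `HTTP_MSG_ERROR`, but neither this hunk nor the identical response-side one at `sol = rep->buf->p;` records why; the presumable reason is that after a parse error the header pointers the dump walks are not reliable, and a later reader will be tempted to re-add the error state. Suggest `/* never dump on HTTP_MSG_ERROR: message pointers are not trustworthy after a parse error */` above both conditions. Since the request and response copies of this test are byte-identical, a single static inline helper would keep them from drifting apart again.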
_service:download_url:haproxy-1.5.8.tar.gz/src/proto_tcp.c
@@ -450,15 +450,12 @@
}
}
- /* if a send_proxy is there, there are data */
- data |= conn->send_proxy_ofs;
-
#if defined(TCP_QUICKACK)
/* disabling tcp quick ack now allows the first request to leave the
* machine with the first ACK. We only do this if there are pending
* data in the buffer.
*/
- if (delack == 2 || ((delack || data) && (be->options2 & PR_O2_SMARTCON)))
+ if (delack == 2 || ((delack || data || conn->send_proxy_ofs) && (be->options2 & PR_O2_SMARTCON)))
setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &zero, sizeof(zero));
#endif
@@ -558,12 +555,24 @@
{
if (dir)
return getpeername(fd, sa, &salen);
+ else {
+ int ret = getsockname(fd, sa, &salen);
+
+ if (ret < 0)
+ return ret;
+
#if defined(TPROXY) && defined(SO_ORIGINAL_DST)
- else if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) == 0)
- return 0;
+ /* For TPROXY and Netfilter's NAT, we can retrieve the original
+ * IPv4 address before DNAT/REDIRECT. We must not do that with
+ * other families because v6-mapped IPv4 addresses are still
+ * reported as v4.
+ */
+ if (((struct sockaddr_storage *)sa)->ss_family == AF_INET
+ && getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) == 0)
+ return 0;
#endif
- else
- return getsockname(fd, sa, &salen);
+ return ret;
+ }
}
/* Tries to drain any pending incoming data from the socket to reach the
@@ -1427,7 +1436,7 @@
}
else if (strncmp(args[arg], "track-sc", 8) == 0 &&
args[arg][9] == '\0' && args[arg][8] >= '0' &&
- args[arg][8] <= '0' + MAX_SESS_STKCTR) { /* track-sc 0..9 */
+ args[arg][8] < '0' + MAX_SESS_STKCTR) { /* track-sc 0..9 */
struct sample_expr *expr;
int kw = arg;
@@ -1491,7 +1500,7 @@
memprintf(err,
"'%s %s' expects 'accept', 'reject', 'track-sc0' ... 'track-sc%d' "
" in %s '%s' (got '%s')",
- args[0], args[1], MAX_SESS_STKCTR, proxy_type_str(curpx), curpx->id, args[arg]);
+ args[0], args[1], MAX_SESS_STKCTR-1, proxy_type_str(curpx), curpx->id, args[arg]);
return -1;
}
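Review bot: `((struct sockaddr_storage *)sa)->ss_family == AF_INET` casts the `struct sockaddr *` to read a field the parameter type already exposes; `sa->sa_family == AF_INET` is equivalent and avoids both the cast and the aliasing question it raises. In the same function `salen` is updated by `getsockname()` before being handed to `getsockopt(..., SO_ORIGINAL_DST, sa, &salen)`, which is fine for AF_INET but worth a line in the new comment block. In the `track-sc` hunk the bound is now `<` and the message prints `MAX_SESS_STKCTR-1`, so the trailing `/* track-sc 0..9 */` is stale; `/* track-sc0 .. track-sc(MAX_SESS_STKCTR-1) */` matches the code.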
_service:download_url:haproxy-1.5.8.tar.gz/src/regex.c
@@ -290,7 +290,7 @@
#ifdef USE_PCRE_JIT
regex->extra = pcre_study(regex->reg, PCRE_STUDY_JIT_COMPILE, &error);
- if (!regex->extra) {
+ if (!regex->extra && error != NULL) {
pcre_free(regex->reg);
memprintf(err, "failed to compile regex '%s' (error=%s)", str, error);
return 0;
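Review bot: The new test `!regex->extra && error != NULL` relies on pcre_study() returning NULL with a NULL error when it simply found nothing worth studying, so `regex->extra` now stays NULL on that success path; this is correct but reads like a weakened error check. A comment such as `/* pcre_study() returns NULL with error == NULL when there is nothing to optimise; that is not a failure */` above the `if` would capture the intent. The enclosing function continues outside the hunk, so the code paths that later use `regex->extra` should be confirmed to accept NULL.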
_service:download_url:haproxy-1.5.8.tar.gz/src/ssl_sock.c
@@ -56,6 +56,7 @@
#include <common/standard.h>
#include <common/ticks.h>
#include <common/time.h>
+#include <common/cfgparse.h>
#include <ebsttree.h>
@@ -1948,10 +1949,15 @@
if (!bind_conf || !bind_conf->is_ssl)
return 0;
+ if (bind_conf->default_ctx)
+ err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
node = ebmb_first(&bind_conf->sni_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
@@ -1959,7 +1965,9 @@
node = ebmb_first(&bind_conf->sni_w_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
@@ -2543,6 +2551,28 @@
return 1;
}
+/* Extract a cert to der, and copy it to a chunk.
+ * Returns 1 if cert is found and copied, 0 on der convertion failure and
+ * -1 if output is not large enough.
+ */
+static int
+ssl_sock_crt2der(X509 *crt, struct chunk *out)
+{
+ int len;
+ unsigned char *p = (unsigned char *)out->str;;
+
+ len =i2d_X509(crt, NULL);
+ if (len <= 0)
+ return 1;
+
+ if (out->size < len)
+ return -1;
+
+ i2d_X509(crt,&p);
+ out->len = len;
+ return 1;
+}
+
/* Copy Date in ASN1_UTCTIME format in struct chunk out.
* Returns 1 if serial is found and copied, 0 if no valid time found
@@ -2783,6 +2813,54 @@
return 1;
}
+/* binary, returns a certificate in a binary chunk (der/raw).
+ * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
+ * should be use.
+ */
+static int
+smp_fetch_ssl_x_der(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+ const struct arg *args, struct sample *smp, const char *kw)
+{
+ int cert_peer = (kw[4] == 'c') ? 1 : 0;
+ X509 *crt = NULL;
+ int ret = 0;
+ struct chunk *smp_trash;
+ struct connection *conn;
+
+ if (!l4)
+ return 0;
+
+ conn = objt_conn(l4->si[0].end);
+ if (!conn || conn->xprt != &ssl_sock)
+ return 0;
+
+ if (!(conn->flags & CO_FL_CONNECTED)) {
+ smp->flags |= SMP_F_MAY_CHANGE;
+ return 0;
+ }
+
+ if (cert_peer)
+ crt = SSL_get_peer_certificate(conn->xprt_ctx);
+ else
+ crt = SSL_get_certificate(conn->xprt_ctx);
+
+ if (!crt)
+ goto out;
+
+ smp_trash = get_trash_chunk();
+ if (ssl_sock_crt2der(crt, smp_trash) <= 0)
+ goto out;
+
+ smp->data.str = *smp_trash;
+ smp->type = SMP_T_BIN;
+ ret = 1;
+out:
+ /* SSL_get_peer_certificate, it increase X509 * ref count */
+ if (cert_peer && crt)
+ X509_free(crt);
+ return ret;
+}
+
/* binary, returns serial of certificate in a binary chunk.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
@@ -4039,6 +4117,7 @@
if (global.listen_default_ciphers && !conf->ciphers)
conf->ciphers = strdup(global.listen_default_ciphers);
+ conf->ssl_options |= global.listen_default_ssloptions;
list_for_each_entry(l, &conf->listeners, by_bind)
l->xprt = &ssl_sock;
@@ -4103,6 +4182,7 @@
newsrv->check.use_ssl = 1;
if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
+ newsrv->ssl_ctx.options |= global.connect_default_ssloptions;
return 0;
}
@@ -4296,6 +4376,106 @@
return 0;
}
+/* parse the "ssl-default-bind-options" keyword in global section */
+static int ssl_parse_default_bind_options(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err) {
+ int i = 1;
+
+ if (*(args[i]) == 0) {
+ memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+ return -1;
+ }
+ while (*(args[i])) {
+ if (!strcmp(args[i], "no-sslv3"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
+ else if (!strcmp(args[i], "no-tlsv10"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
+ else if (!strcmp(args[i], "no-tlsv11"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
+ else if (!strcmp(args[i], "no-tlsv12"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
+ else if (!strcmp(args[i], "force-sslv3"))
+ global.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
+ else if (!strcmp(args[i], "force-tlsv10"))
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
+ else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+ global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "no-tls-tickets"))
+ global.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+ else {
+ memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+ return -1;
+ }
+ i++;
+ }
+ return 0;
+}
+
+/* parse the "ssl-default-server-options" keyword in global section */
+static int ssl_parse_default_server_options(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err) {
+ int i = 1;
+
+ if (*(args[i]) == 0) {
+ memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+ return -1;
+ }
+ while (*(args[i])) {
+ if (!strcmp(args[i], "no-sslv3"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
+ else if (!strcmp(args[i], "no-tlsv10"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
+ else if (!strcmp(args[i], "no-tlsv11"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
+ else if (!strcmp(args[i], "no-tlsv12"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
+ else if (!strcmp(args[i], "force-sslv3"))
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
+ else if (!strcmp(args[i], "force-tlsv10"))
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
+ else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+ global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
+#else
+ memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+ return -1;
+#endif
+ }
+ else if (!strcmp(args[i], "no-tls-tickets"))
+ global.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
+ else {
+ memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+ return -1;
+ }
+ i++;
+ }
+ return 0;
+}
+
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted.
*/
@@ -4309,6 +4489,7 @@
{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
+ { "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
{ "ssl_c_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
@@ -4321,6 +4502,7 @@
{ "ssl_c_used", smp_fetch_ssl_c_used, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
{ "ssl_c_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_UINT, SMP_USE_L5CLI },
+ { "ssl_f_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
{ "ssl_f_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
@@ -4421,6 +4603,12 @@
{ NULL, NULL, 0, 0 },
}};
+static struct cfg_kw_list cfg_kws = {ILH, {
+ { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
+ { CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
+ { 0, NULL, NULL },
+}};
+
/* transport-layer operations for SSL sockets */
struct xprt_ops ssl_sock = {
.snd_buf = ssl_sock_from_buf,
@@ -4448,6 +4636,8 @@
global.listen_default_ciphers = strdup(global.listen_default_ciphers);
if (global.connect_default_ciphers)
global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+ global.listen_default_ssloptions = BC_SSL_O_NONE;
+ global.connect_default_ssloptions = SRV_SSL_O_NONE;
SSL_library_init();
cm = SSL_COMP_get_compression_methods();
@@ -4456,6 +4646,7 @@
acl_register_keywords(&acl_kws);
bind_register_keywords(&bind_kws);
srv_register_keywords(&srv_kws);
+ cfg_register_keywords(&cfg_kws);
}
/*
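Review bot: In the new `ssl_sock_crt2der()`, `if (len <= 0) return 1;` contradicts its own header comment ("0 on der convertion failure") and lets `smp_fetch_ssl_x_der()` treat a failed `i2d_X509()` as success, handing out a trash chunk whose `len` was never set; it should read `if (len <= 0) return 0;`. The second `i2d_X509(crt,&p);` result is also unchecked, and `out->str;;` carries a stray semicolon. Separately, `ssl_parse_default_bind_options()` and `ssl_parse_default_server_options()` are line-for-line duplicates differing only in the destination field and flag prefix; a shared helper taking the destination and a keyword-to-flag table would halve the surface that has to be kept in sync.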