upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-21 14:17:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
haproxy/src/ssl_sock.c

9574 lines
285 KiB
C
Raw Normal View History

MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/*
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
* SSL/TLS transport layer over SOCK_STREAM sockets
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
*
* Copyright (C) 2012 EXCELIANCE, Emeric Brun <ebrun@exceliance.fr>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
DOC: add a special acknowledgement for the stud project Really, the quality of their code deserves it, it would have been much harder to figure how to get all the things right at once without looking there from time to time !
2012-09-10 03:43:09 -04:00
* Acknowledgement:
* We'd like to specially thank the Stud project authors for a very clean
* and well documented code which helped us understand how the OpenSSL API
* ought to be used in non-blocking mode. This is one difficult part which
* is not easy to get from the OpenSSL doc, and reading the Stud code made
* it much more obvious than the examples in the OpenSSL package. Keep up
* the good works, guys !
*
* Stud is an extremely efficient and scalable SSL/TLS proxy which combines
* particularly well with haproxy. For more info about this project, visit :
* https://github.com/bumptech/stud
*
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
*/
#define _GNU_SOURCE
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <ctype.h>
#include <dirent.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <string.h>
#include <unistd.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
#include <netdb.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <netinet/tcp.h>
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#include <openssl/bn.h>
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#include <openssl/crypto.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <openssl/ssl.h>
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
BUG/MEDIUM: ssl: openssl 0.9.8 doesn't open /dev/random before chroot Openssl needs to access /dev/urandom to initialize its internal random number generator. It does so when it needs a random for the first time, which fails if it is a handshake performed after the chroot(), causing all SSL incoming connections to fail. This fix consists in calling RAND_bytes() to produce a random before the chroot, which will in turn open /dev/urandom before it's too late, and avoid the issue. If the random generator fails to work while processing the config, haproxy now fails with an error instead of causing SSL connections to fail at runtime.
2013-01-24 08:15:43 -05:00
#include <openssl/rand.h>
MINOR: ssl: build with recent BoringSSL library BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2017-10-02 11:12:06 -04:00
#include <openssl/hmac.h>
BUILD: ssl: use OPENSSL_NO_OCSP to detect OCSP support Since commit 656c5fa7e859 ("BUILD: ssl: disable OCSP when using boringssl) the OCSP code is bypassed when OPENSSL_IS_BORINGSSL is defined. The correct thing to do here is to use OPENSSL_NO_OCSP instead, which is defined for this exact purpose in openssl/opensslfeatures.h. This makes haproxy forward compatible if boringssl ever introduces full OCSP support with the additional benefit that it links fine against a OCSP-disabled openssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2014-12-09 10:32:51 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
#include <openssl/ocsp.h>
#endif
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
#include <openssl/engine.h>
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
#include <openssl/async.h>
#endif
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#ifndef OPENSSL_VERSION
#define OPENSSL_VERSION SSLEAY_VERSION
#define OpenSSL_version(x) SSLeay_version(x)
#define OpenSSL_version_num SSLeay
#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L)
#define X509_getm_notBefore X509_get_notBefore
#define X509_getm_notAfter X509_get_notAfter
#endif
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
#include <import/lru.h>
#include <import/xxhash.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <common/buffer.h>
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
#include <common/chunk.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <common/compat.h>
#include <common/config.h>
#include <common/debug.h>
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
#include <common/errors.h>
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
#include <common/initcall.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <common/standard.h>
#include <common/ticks.h>
#include <common/time.h>
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
#include <common/cfgparse.h>
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
#include <common/base64.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <ebsttree.h>
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#include <types/applet.h>
#include <types/cli.h>
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <types/global.h>
#include <types/ssl_sock.h>
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#include <types/stats.h>
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
#include <proto/acl.h>
#include <proto/arg.h>
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#include <proto/channel.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <proto/connection.h>
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#include <proto/cli.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <proto/fd.h>
#include <proto/freq_ctr.h>
#include <proto/frontend.h>
REORG: http: move HTTP rules parsing to http_rules.c These ones are mostly called from cfgparse.c for the parsing and do not depend on the HTTP representation. The functions's prototypes were moved to proto/http_rules.h, making this file work exactly like tcp_rules. Ideally we should stop calling these functions directly from cfgparse and register keywords, but there are a few cases where that wouldn't work (stats http-request) so it's probably not worth trying to go this far.
2018-10-02 10:43:32 -04:00
#include <proto/http_rules.h>
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
#include <proto/listener.h>
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#include <proto/openssl-compat.h>
REORG: acl/pattern: extract pattern matching from the acl file and create pattern.c This patch just moves code without any change. The ACL are just the association between sample and pattern. The pattern contains the match method and the parse method. These two things are different. This patch cleans the code by splitting it.
2013-11-28 05:05:19 -05:00
#include <proto/pattern.h>
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
#include <proto/proto_tcp.h>
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
#include <proto/proto_http.h>
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
#include <proto/server.h>
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#include <proto/stream_interface.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <proto/log.h>
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
#include <proto/proxy.h>
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#include <proto/shctx.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <proto/ssl_sock.h>
MEDIUM: session: use the pointer to the origin instead of s->si[0].end When s->si[0].end was dereferenced as a connection or anything in order to retrieve information about the originating session, we'll now use sess->origin instead so that when we have to chain multiple streams in HTTP/2, we'll keep accessing the same origin.
2015-04-03 13:19:59 -04:00
#include <proto/stream.h>
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
#include <proto/task.h>
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
/* Warning, these are bits, not integers! */
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
#define SSL_SOCK_ST_FL_VERIFY_DONE 0x00000001
MINOR: ssl: handshake optim for long certificate chains. Suggested on the mailing list by Ilya Grigorik and greatly inspired from Nginx code: we try to dynamicaly rise the output buffer size from 4k to 16k during the handshake to reduce the number of round trips. This is mostly beneficial when initcwnd==10. Ilya's tests confirm the gain and show a handshake time divided by 3 : before: http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2/details/ after: http://www.webpagetest.org/result/140201_2X_03511ec63344f442b81c24d2bf39f59d/3/details/
2014-01-28 09:43:53 -05:00
#define SSL_SOCK_ST_FL_16K_WBFSIZE 0x00000002
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
#define SSL_SOCK_SEND_UNLIMITED 0x00000004
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
#define SSL_SOCK_RECV_HEARTBEAT 0x00000008
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
/* bits 0xFFFF0000 are reserved to store verify errors */
/* Verify errors macros */
#define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
#define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
#define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
#define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
#define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
#define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
/* Supported hash function for TLS tickets */
#ifdef OPENSSL_NO_SHA256
#define HASH_FUNCT EVP_sha1
#else
#define HASH_FUNCT EVP_sha256
#endif /* OPENSSL_NO_SHA256 */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
/* ssl_methods flags for ssl options */
#define MC_SSL_O_ALL 0x0000
#define MC_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
#define MC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
#define MC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
#define MC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl.
2017-03-30 13:29:39 -04:00
#define MC_SSL_O_NO_TLSV13 0x0010 /* disable TLSv13 */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
/* ssl_methods versions */
enum {
CONF_TLSV_NONE = 0,
CONF_TLSV_MIN = 1,
CONF_SSLV3 = 1,
CONF_TLSV10 = 2,
CONF_TLSV11 = 3,
CONF_TLSV12 = 4,
MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl.
2017-03-30 13:29:39 -04:00
CONF_TLSV13 = 5,
CONF_TLSV_MAX = 5,
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
};
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
/* server and bind verify method, it uses a global value as default */
enum {
SSL_SOCK_VERIFY_DEFAULT = 0,
SSL_SOCK_VERIFY_REQUIRED = 1,
SSL_SOCK_VERIFY_OPTIONAL = 2,
SSL_SOCK_VERIFY_NONE = 3,
};
MEDIUM: shctx: allow the use of multiple shctx Add an shctx argument which permits to create new independent shctx area.
2017-10-09 10:30:50 -04:00
MINOR: cli: add more information to the "show info" output In addition to previous outputs, we also emit the cumulated number of connections, the cumulated number of requests, the maximum allowed SSL connection concurrency, the current number of SSL connections and the cumulated number of SSL connections. This will help troubleshoot systems which experience memory shortage due to SSL.
2014-01-28 09:19:44 -05:00
int sslconns = 0;
int totalsslconns = 0;
CLEANUP: connection: unexport raw_sock and ssl_sock This way we're sure not to reuse them by accident.
2016-12-22 15:08:52 -05:00
static struct xprt_ops ssl_sock;
BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically. The number of async fd is computed considering the maxconn, the number of sides using ssl and the number of engines using async mode. This patch should be backported on haproxy 1.8
2017-12-06 07:51:49 -05:00
int nb_engines = 0;
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
static struct {
char *crt_base; /* base directory path for certificates */
char *ca_base; /* base directory path for CAs and CRLs */
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
int async; /* whether we use ssl async mode */
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
char *listen_default_ciphers;
char *connect_default_ciphers;
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
char *listen_default_ciphersuites;
char *connect_default_ciphersuites;
#endif
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
int listen_default_ssloptions;
int connect_default_ssloptions;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
struct tls_version_filter listen_default_sslmethods;
struct tls_version_filter connect_default_sslmethods;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
int private_cache; /* Force to use a private session cache even if nbproc > 1 */
unsigned int life_time; /* SSL session lifetime in seconds */
unsigned int max_record; /* SSL max record size */
unsigned int default_dh_param; /* SSL maximum DH parameter size */
int ctx_cache; /* max number of entries in the ssl_ctx cache. */
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
int capture_cipherlist; /* Size of the cipherlist buffer. */
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
} global_ssl = {
#ifdef LISTEN_DEFAULT_CIPHERS
.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
#endif
#ifdef CONNECT_DEFAULT_CIPHERS
.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
#ifdef LISTEN_DEFAULT_CIPHERSUITES
.listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
#endif
#ifdef CONNECT_DEFAULT_CIPHERSUITES
.connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
#endif
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
#endif
.listen_default_ssloptions = BC_SSL_O_NONE,
.connect_default_ssloptions = SRV_SSL_O_NONE,
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
.listen_default_sslmethods.flags = MC_SSL_O_ALL,
.listen_default_sslmethods.min = CONF_TLSV_NONE,
.listen_default_sslmethods.max = CONF_TLSV_NONE,
.connect_default_sslmethods.flags = MC_SSL_O_ALL,
.connect_default_sslmethods.min = CONF_TLSV_NONE,
.connect_default_sslmethods.max = CONF_TLSV_NONE,
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
#ifdef DEFAULT_SSL_MAX_RECORD
.max_record = DEFAULT_SSL_MAX_RECORD,
#endif
.default_dh_param = SSL_DEFAULT_DH_PARAM,
.ctx_cache = DEFAULT_SSL_CTX_CACHE,
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
.capture_cipherlist = 0,
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
};
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#if defined(USE_THREAD) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
MINOR: threads: Use __decl_hathreads to declare locks This macro should be used to declare variables or struct members depending on the USE_THREAD compile option. It avoids the encapsulation of such declarations between #ifdef/#endif. It is used to declare all lock variables.
2017-11-13 04:34:01 -05:00
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
static HA_RWLOCK_T *ssl_rwlocks;
unsigned long ssl_id_function(void)
{
return (unsigned long)tid;
}
void ssl_locking_function(int mode, int n, const char * file, int line)
{
if (mode & CRYPTO_LOCK) {
if (mode & CRYPTO_READ)
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_RDLOCK(SSL_LOCK, &ssl_rwlocks[n]);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
else
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRLOCK(SSL_LOCK, &ssl_rwlocks[n]);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
else {
if (mode & CRYPTO_READ)
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_RDUNLOCK(SSL_LOCK, &ssl_rwlocks[n]);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
else
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRUNLOCK(SSL_LOCK, &ssl_rwlocks[n]);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
}
static int ssl_locking_init(void)
{
int i;
ssl_rwlocks = malloc(sizeof(HA_RWLOCK_T)*CRYPTO_num_locks());
if (!ssl_rwlocks)
return -1;
for (i = 0 ; i < CRYPTO_num_locks() ; i++)
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_INIT(&ssl_rwlocks[i]);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
CRYPTO_set_id_callback(ssl_id_function);
CRYPTO_set_locking_callback(ssl_locking_function);
return 0;
}
MINOR: threads: Use __decl_hathreads to declare locks This macro should be used to declare variables or struct members depending on the USE_THREAD compile option. It avoids the encapsulation of such declarations between #ifdef/#endif. It is used to declare all lock variables.
2017-11-13 04:34:01 -05:00
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
#endif
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
/* This memory pool is used for capturing clienthello parameters. */
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
struct ssl_capture {
unsigned long long int xxh64;
unsigned char ciphersuite_len;
char ciphersuite[0];
};
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
struct pool_head *pool_head_ssl_capture = NULL;
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
static int ssl_capture_ptr_index = -1;
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
static int ssl_app_data_index = -1;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
static int ssl_pkey_info_index = -1;
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference);
#endif
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
static unsigned int openssl_engines_initialized;
struct list openssl_engines = LIST_HEAD_INIT(openssl_engines);
struct ssl_engine_list {
struct list list;
ENGINE *e;
};
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
#ifndef OPENSSL_NO_DH
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
static int ssl_dh_ptr_index = -1;
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
static DH *global_dh = NULL;
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
static DH *local_dh_1024 = NULL;
static DH *local_dh_2048 = NULL;
static DH *local_dh_4096 = NULL;
BUILD: ssl: fix build with -DOPENSSL_NO_DH
2017-03-03 11:04:14 -05:00
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen);
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
#endif /* OPENSSL_NO_DH */
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* X509V3 Extensions that will be added on generated certificates */
#define X509V3_EXT_SIZE 5
static char *x509v3_ext_names[X509V3_EXT_SIZE] = {
"basicConstraints",
"nsComment",
"subjectKeyIdentifier",
"authorityKeyIdentifier",
"keyUsage",
};
static char *x509v3_ext_values[X509V3_EXT_SIZE] = {
"CA:FALSE",
"\"OpenSSL Generated Certificate\"",
"hash",
"keyid,issuer:always",
"nonRepudiation,digitalSignature,keyEncipherment"
};
/* LRU cache to store generated certificate */
static struct lru64_head *ssl_ctx_lru_tree = NULL;
static unsigned int ssl_ctx_lru_seed = 0;
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
static unsigned int ssl_ctx_serial;
MEDIUM: init: use self-initializing spinlocks and rwlocks This patch replaces a number of __decl_hathread() followed by HA_SPIN_INIT or HA_RWLOCK_INIT by the new __decl_spinlock() or __decl_rwlock() which automatically registers the lock for initialization in during the STG_LOCK init stage. A few static modifiers were lost in the process, but since they were not essential at all it was not worth extending the API to provide such a variant.
2018-11-25 14:12:18 -05:00
__decl_rwlock(ssl_ctx_lru_rwlock);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
BUILD: ssl: fix recent build breakage on older SSL libs Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates") introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 09:48:26 -04:00
#endif // SSL_CTRL_SET_TLSEXT_HOSTNAME
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
static struct ssl_bind_kw ssl_bind_kws[];
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
/* The order here matters for picking a default context,
* keep the most common keytype at the bottom of the list
*/
const char *SSL_SOCK_KEYTYPE_NAMES[] = {
"dsa",
"ecdsa",
"rsa"
};
#define SSL_SOCK_NUM_KEYTYPES 3
BUILD: ssl: set SSL_SOCK_NUM_KEYTYPES with openssl < 1.0.2 Last patch unfortunately broke build with openssl older than 1.0.2. Let's just define a single key type in this case.
2015-12-14 05:28:33 -05:00
#else
#define SSL_SOCK_NUM_KEYTYPES 1
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
#endif
BUG/MEDIUM: ssl: don't allocate shctx several time The shctx_init() function does not check anymore if the pointer is not NULL, this check must be done is the caller. The consequence was to allocate one shctx per ssl bind. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Maciej Zdeb for reporting this bug. Must be backported to 1.8.
2017-11-28 05:04:43 -05:00
static struct shared_context *ssl_shctx = NULL; /* ssl shared session cache */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
static struct eb_root *sh_ssl_sess_tree; /* ssl shared session tree */
#define sh_ssl_sess_tree_delete(s) ebmb_delete(&(s)->key);
#define sh_ssl_sess_tree_insert(s) (struct sh_ssl_sess_hdr *)ebmb_insert(sh_ssl_sess_tree, \
&(s)->key, SSL_MAX_SSL_SESSION_ID_LENGTH);
#define sh_ssl_sess_tree_lookup(k) (struct sh_ssl_sess_hdr *)ebmb_lookup(sh_ssl_sess_tree, \
(k), SSL_MAX_SSL_SESSION_ID_LENGTH);
MEDIUM: shctx: allow the use of multiple shctx Add an shctx argument which permits to create new independent shctx area.
2017-10-09 10:30:50 -04:00
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
/*
* This function gives the detail of the SSL error. It is used only
* if the debug mode and the verbose mode are activated. It dump all
* the SSL error until the stack was empty.
*/
static forceinline void ssl_sock_dump_errors(struct connection *conn)
{
unsigned long ret;
if (unlikely(global.mode & MODE_DEBUG)) {
while(1) {
ret = ERR_get_error();
if (ret == 0)
return;
fprintf(stderr, "fd[%04x] OpenSSL error[0x%lx] %s: %s\n",
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
(unsigned short)conn->handle.fd, ret,
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
ERR_func_error_string(ret), ERR_reason_error_string(ret));
}
}
}
BUILD: ssl: fix recent build breakage on older SSL libs Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates") introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 09:48:26 -04:00
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
/*
* struct alignment works here such that the key.key is the same as key_data
* Do not change the placement of key_data
*/
BUILD: ssl: fix recent build breakage on older SSL libs Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates") introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 09:48:26 -04:00
struct certificate_ocsp {
struct ebmb_node key;
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer response;
BUILD: ssl: fix recent build breakage on older SSL libs Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates") introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 09:48:26 -04:00
long expire;
};
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
struct ocsp_cbk_arg {
int is_single;
int single_kt;
union {
struct certificate_ocsp *s_ocsp;
/*
* m_ocsp will have multiple entries dependent on key type
* Entry 0 - DSA
* Entry 1 - ECDSA
* Entry 2 - RSA
*/
struct certificate_ocsp *m_ocsp[SSL_SOCK_NUM_KEYTYPES];
};
};
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
static int ssl_init_single_engine(const char *engine_id, const char *def_algorithms)
{
int err_code = ERR_ABORT;
ENGINE *engine;
struct ssl_engine_list *el;
/* grab the structural reference to the engine */
engine = ENGINE_by_id(engine_id);
if (engine == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("ssl-engine %s: failed to get structural reference\n", engine_id);
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
goto fail_get;
}
if (!ENGINE_init(engine)) {
/* the engine couldn't initialise, release it */
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("ssl-engine %s: failed to initialize\n", engine_id);
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
goto fail_init;
}
if (ENGINE_set_default_string(engine, def_algorithms) == 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("ssl-engine %s: failed on ENGINE_set_default_string\n", engine_id);
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
goto fail_set_method;
}
el = calloc(1, sizeof(*el));
el->e = engine;
LIST_ADD(&openssl_engines, &el->list);
BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically. The number of async fd is computed considering the maxconn, the number of sides using ssl and the number of engines using async mode. This patch should be backported on haproxy 1.8
2017-12-06 07:51:49 -05:00
nb_engines++;
if (global_ssl.async)
global.ssl_used_async_engines = nb_engines;
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
return 0;
fail_set_method:
/* release the functional reference from ENGINE_init() */
ENGINE_finish(engine);
fail_init:
/* release the structural reference from ENGINE_by_id() */
ENGINE_free(engine);
fail_get:
return err_code;
}
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/*
* openssl async fd handler
*/
static void ssl_async_fd_handler(int fd)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
{
struct connection *conn = fdtab[fd].owner;
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* fd is an async enfine fd, we must stop
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
* to poll this fd until it is requested
*/
BUG/MINOR: ssl: do not call directly the conn_fd_handler from async_fd_handler This patch modifies the way to re-enable the connection from the async fd handler calling conn_update_sock_polling instead of the conn_fd_handler. It also ensures that the polling is really stopped on the async fd.
2017-06-02 11:54:06 -04:00
fd_stop_recv(fd);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
fd_cant_recv(fd);
/* crypto engine is available, let's notify the associated
* connection that it can pursue its processing.
*/
BUG/MINOR: ssl: do not call directly the conn_fd_handler from async_fd_handler This patch modifies the way to re-enable the connection from the async fd handler calling conn_update_sock_polling instead of the conn_fd_handler. It also ensures that the polling is really stopped on the async fd.
2017-06-02 11:54:06 -04:00
__conn_sock_want_recv(conn);
__conn_sock_want_send(conn);
conn_update_sock_polling(conn);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/*
* openssl async delayed SSL_free handler
*/
static void ssl_async_fd_free(int fd)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
{
SSL *ssl = fdtab[fd].owner;
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
OSSL_ASYNC_FD all_fd[32];
size_t num_all_fds = 0;
int i;
/* We suppose that the async job for a same SSL *
* are serialized. So if we are awake it is
* because the running job has just finished
* and we can remove all async fds safely
*/
SSL_get_all_async_fds(ssl, NULL, &num_all_fds);
if (num_all_fds > 32) {
send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n");
return;
}
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
SSL_get_all_async_fds(ssl, all_fd, &num_all_fds);
for (i=0 ; i < num_all_fds ; i++)
fd_remove(all_fd[i]);
/* Now we can safely call SSL_free, no more pending job in engines */
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
SSL_free(ssl);
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
_HA_ATOMIC_SUB(&sslconns, 1);
_HA_ATOMIC_SUB(&jobs, 1);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
/*
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
* function used to manage a returned SSL_ERROR_WANT_ASYNC
* and enable/disable polling for async fds
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
*/
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
static void inline ssl_async_process_fds(struct connection *conn, SSL *ssl)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
{
MINOR: fd: pass the iocb and owner to fd_insert() fd_insert() is currently called just after setting the owner and iocb, but proceeding like this prevents the operation from being atomic and requires a lock to protect the maxfd computation in another thread from meeting an incompletely initialized FD and computing a wrong maxfd. Fortunately for now all fdtab[].owner are set before calling fd_insert(), and the first lock in fd_insert() enforces a memory barrier so the code is safe. This patch moves the initialization of the owner and iocb to fd_insert() so that the function will be able to properly arrange its operations and remain safe even when modified to become lockless. There's no other change beyond the internal API.
2018-01-25 01:22:13 -05:00
OSSL_ASYNC_FD add_fd[32];
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
OSSL_ASYNC_FD del_fd[32];
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
size_t num_add_fds = 0;
size_t num_del_fds = 0;
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
int i;
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
SSL_get_changed_async_fds(ssl, NULL, &num_add_fds, NULL,
&num_del_fds);
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
if (num_add_fds > 32 || num_del_fds > 32) {
send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n");
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
return;
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
SSL_get_changed_async_fds(ssl, add_fd, &num_add_fds, del_fd, &num_del_fds);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* We remove unused fds from the fdtab */
for (i=0 ; i < num_del_fds ; i++)
fd_remove(del_fd[i]);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* We add new fds to the fdtab */
for (i=0 ; i < num_add_fds ; i++) {
MINOR: fd: pass the iocb and owner to fd_insert() fd_insert() is currently called just after setting the owner and iocb, but proceeding like this prevents the operation from being atomic and requires a lock to protect the maxfd computation in another thread from meeting an incompletely initialized FD and computing a wrong maxfd. Fortunately for now all fdtab[].owner are set before calling fd_insert(), and the first lock in fd_insert() enforces a memory barrier so the code is safe. This patch moves the initialization of the owner and iocb to fd_insert() so that the function will be able to properly arrange its operations and remain safe even when modified to become lockless. There's no other change beyond the internal API.
2018-01-25 01:22:13 -05:00
fd_insert(add_fd[i], conn, ssl_async_fd_handler, tid_bit);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
num_add_fds = 0;
SSL_get_all_async_fds(ssl, NULL, &num_add_fds);
if (num_add_fds > 32) {
send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n");
return;
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* We activate the polling for all known async fds */
SSL_get_all_async_fds(ssl, add_fd, &num_add_fds);
BUG/MAJOR: ssl: fix segfault on connection close using async engines. This patch ensure that the ASYNC fd handlers won't be wake up too early, disabling the event cache for this fd on connection close and when a WANT_ASYNC is rised by Openssl. The calls to SSL_read/SSL_write/SSL_do_handshake before rising a real read event from the ASYNC fd, generated an EAGAIN followed by a context switch for some engines, or a blocked read for the others. On connection close it resulted in a too early call to SSL_free followed by a segmentation fault.
2017-05-31 06:02:53 -04:00
for (i=0 ; i < num_add_fds ; i++) {
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
fd_want_recv(add_fd[i]);
BUG/MAJOR: ssl: fix segfault on connection close using async engines. This patch ensure that the ASYNC fd handlers won't be wake up too early, disabling the event cache for this fd on connection close and when a WANT_ASYNC is rised by Openssl. The calls to SSL_read/SSL_write/SSL_do_handshake before rising a real read event from the ASYNC fd, generated an EAGAIN followed by a context switch for some engines, or a blocked read for the others. On connection close it resulted in a too early call to SSL_free followed by a segmentation fault.
2017-05-31 06:02:53 -04:00
/* To ensure that the fd cache won't be used
* We'll prefer to catch a real RD event
* because handling an EAGAIN on this fd will
* result in a context switch and also
* some engines uses a fd in blocking mode.
*/
fd_cant_recv(add_fd[i]);
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* We must also prevent the conn_handler
* to be called until a read event was
* polled on an async fd
*/
__conn_sock_stop_both(conn);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
#endif
BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. For some browsers (firefox), an expired OCSP Response causes unwanted behavior. Haproxy stops serving OCSP response if nextupdate date minus the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is in the past.
2014-06-20 09:46:13 -04:00
/*
* This function returns the number of seconds elapsed
* since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
* date presented un ASN1_GENERALIZEDTIME.
*
* In parsing error case, it returns -1.
*/
static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
{
long epoch;
char *p, *end;
const unsigned short month_offset[12] = {
0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};
int year, month;
if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
p = (char *)d->data;
end = p + d->length;
if (end - p < 4) return -1;
year = 1000 * (p[0] - '0') + 100 * (p[1] - '0') + 10 * (p[2] - '0') + p[3] - '0';
p += 4;
if (end - p < 2) return -1;
month = 10 * (p[0] - '0') + p[1] - '0';
if (month < 1 || month > 12) return -1;
/* Compute the number of seconds since 1 jan 1970 and the beginning of current month
We consider leap years and the current month (<marsh or not) */
epoch = ( ((year - 1970) * 365)
+ ((year - (month < 3)) / 4 - (year - (month < 3)) / 100 + (year - (month < 3)) / 400)
- ((1970 - 1) / 4 - (1970 - 1) / 100 + (1970 - 1) / 400)
+ month_offset[month-1]
) * 24 * 60 * 60;
p += 2;
if (end - p < 2) return -1;
/* Add the number of seconds of completed days of current month */
epoch += (10 * (p[0] - '0') + p[1] - '0' - 1) * 24 * 60 * 60;
p += 2;
if (end - p < 2) return -1;
/* Add the completed hours of the current day */
epoch += (10 * (p[0] - '0') + p[1] - '0') * 60 * 60;
p += 2;
if (end - p < 2) return -1;
/* Add the completed minutes of the current hour */
epoch += (10 * (p[0] - '0') + p[1] - '0') * 60;
p += 2;
if (p == end) return -1;
/* Test if there is available seconds */
if (p[0] < '0' || p[0] > '9')
goto nosec;
if (end - p < 2) return -1;
/* Add the seconds of the current minute */
epoch += 10 * (p[0] - '0') + p[1] - '0';
p += 2;
if (p == end) return -1;
/* Ignore seconds float part if present */
if (p[0] == '.') {
do {
if (++p == end) return -1;
} while (p[0] >= '0' && p[0] <= '9');
}
nosec:
if (p[0] == 'Z') {
if (end - p != 1) return -1;
return epoch;
}
else if (p[0] == '+') {
if (end - p != 5) return -1;
/* Apply timezone offset */
BUG/MEDIUM: ssl: fix OCSP expiry calculation The hour part of the timezone offset was multiplied by 60 instead of 3600, resulting in an inaccurate expiry. This bug was introduced in 1.6-dev1 by commit 4f3c87a ("BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses."), so this fix must be backported into 1.7 and 1.6.
2017-10-16 10:37:31 -04:00
return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. For some browsers (firefox), an expired OCSP Response causes unwanted behavior. Haproxy stops serving OCSP response if nextupdate date minus the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is in the past.
2014-06-20 09:46:13 -04:00
}
else if (p[0] == '-') {
if (end - p != 5) return -1;
/* Apply timezone offset */
BUG/MEDIUM: ssl: fix OCSP expiry calculation The hour part of the timezone offset was multiplied by 60 instead of 3600, resulting in an inaccurate expiry. This bug was introduced in 1.6-dev1 by commit 4f3c87a ("BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses."), so this fix must be backported into 1.7 and 1.6.
2017-10-16 10:37:31 -04:00
return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. For some browsers (firefox), an expired OCSP Response causes unwanted behavior. Haproxy stops serving OCSP response if nextupdate date minus the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is in the past.
2014-06-20 09:46:13 -04:00
}
return -1;
}
BUG/MINOR: ssl: Fix OCSP resp update fails with the same certificate configured twice.
2014-06-20 09:37:32 -04:00
static struct eb_root cert_ocsp_tree = EB_ROOT_UNIQUE;
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
/* This function starts to check if the OCSP response (in DER format) contained
* in chunk 'ocsp_response' is valid (else exits on error).
* If 'cid' is not NULL, it will be compared to the OCSP certificate ID
* contained in the OCSP Response and exits on error if no match.
* If it's a valid OCSP Response:
* If 'ocsp' is not NULL, the chunk is copied in the OCSP response's container
* pointed by 'ocsp'.
* If 'ocsp' is NULL, the function looks up into the OCSP response's
* containers tree (using as index the ASN1 form of the OCSP Certificate ID extracted
* from the response) and exits on error if not found. Finally, If an OCSP response is
* already present in the container, it will be overwritten.
*
* Note: OCSP response containing more than one OCSP Single response is not
* considered valid.
*
* Returns 0 on success, 1 in error case.
*/
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
struct certificate_ocsp *ocsp,
OCSP_CERTID *cid, char **err)
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
{
OCSP_RESPONSE *resp;
OCSP_BASICRESP *bs = NULL;
OCSP_SINGLERESP *sr;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
OCSP_CERTID *id;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
unsigned char *p = (unsigned char *) ocsp_response->area;
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
int rc , count_sr;
BUG/MINOR: ssl: rejects OCSP response without nextupdate. To cache an OCSP Response without expiration time is not safe.
2014-06-20 09:44:34 -04:00
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
int reason;
int ret = 1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
ocsp_response->data);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!resp) {
memprintf(err, "Unable to parse OCSP response");
goto out;
}
rc = OCSP_response_status(resp);
if (rc != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
memprintf(err, "OCSP response status not successful");
goto out;
}
bs = OCSP_response_get1_basic(resp);
if (!bs) {
memprintf(err, "Failed to get basic response from OCSP Response");
goto out;
}
count_sr = OCSP_resp_count(bs);
if (count_sr > 1) {
memprintf(err, "OCSP response ignored because contains multiple single responses (%d)", count_sr);
goto out;
}
sr = OCSP_resp_get0(bs, 0);
if (!sr) {
memprintf(err, "Failed to get OCSP single response");
goto out;
}
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd);
BUG/MINOR: ssl: OCSP_single_get0_status can return -1 Commit 872085ce "BUG/MINOR: ssl: ocsp response with 'revoked' status is correct" introduce a regression. OCSP_single_get0_status can return -1 and haproxy must generate an error in this case. Thanks to Sander Hoentjen who have spotted the regression. This patch should be backported in 1.7, 1.6 and 1.5 if the patch above is backported.
2017-10-24 08:57:16 -04:00
if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) {
BUG/MINOR: ssl: ocsp response with 'revoked' status is correct ocsp_status can be 'good', 'revoked', or 'unknown'. 'revoked' status is a correct status and should not be dropped. In case of certificate with OCSP must-stapling extension, response with 'revoked' status must be provided as well as 'good' status. This patch can be backported in 1.7, 1.6 and 1.5.
2017-10-10 09:18:52 -04:00
memprintf(err, "OCSP single response: certificate status is unknown");
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
goto out;
}
BUG/MINOR: ssl: rejects OCSP response without nextupdate. To cache an OCSP Response without expiration time is not safe.
2014-06-20 09:44:34 -04:00
if (!nextupd) {
memprintf(err, "OCSP single response: missing nextupdate");
goto out;
}
MEDIUM: ssl: add 300s supported time skew on OCSP response update. OCSP_MAX_RESPONSE_TIME_SKEW can be set to a different value at compilation (default is 300 seconds).
2014-06-19 08:16:17 -04:00
rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!rc) {
memprintf(err, "OCSP single response: no longer valid.");
goto out;
}
if (cid) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
if (OCSP_id_cmp(id, cid)) {
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
memprintf(err, "OCSP single response: Certificate ID does not match certificate and issuer");
goto out;
}
}
if (!ocsp) {
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH];
unsigned char *p;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
rc = i2d_OCSP_CERTID(id, NULL);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!rc) {
memprintf(err, "OCSP single response: Unable to encode Certificate ID");
goto out;
}
if (rc > OCSP_MAX_CERTID_ASN1_LENGTH) {
memprintf(err, "OCSP single response: Certificate ID too long");
goto out;
}
p = key;
memset(key, 0, OCSP_MAX_CERTID_ASN1_LENGTH);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
i2d_OCSP_CERTID(id, &p);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, key, OCSP_MAX_CERTID_ASN1_LENGTH);
if (!ocsp) {
memprintf(err, "OCSP single response: Certificate ID does not match any certificate or issuer");
goto out;
}
}
/* According to comments on "chunk_dup", the
previous chunk buffer will be freed */
if (!chunk_dup(&ocsp->response, ocsp_response)) {
memprintf(err, "OCSP response: Memory allocation error");
goto out;
}
BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. For some browsers (firefox), an expired OCSP Response causes unwanted behavior. Haproxy stops serving OCSP response if nextupdate date minus the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is in the past.
2014-06-20 09:46:13 -04:00
ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
ret = 0;
out:
BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file Invalid OCSP file (for example empty one that can be used to enable OCSP response to be set dynamically later) causes errors that are placed on OpenSSL error stack. Those errors are not cleared so anything that checks this stack later will fail. Following configuration: bind :443 ssl crt crt1.pem crt crt2.pem With following files: crt1.pem crt1.pem.ocsp - empty one crt2.pem.rsa crt2.pem.ecdsa Will fail to load. This patch should be backported to 1.7.
2017-03-08 10:59:41 -05:00
ERR_clear_error();
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (bs)
OCSP_BASICRESP_free(bs);
if (resp)
OCSP_RESPONSE_free(resp);
return ret;
}
/*
* External function use to update the OCSP response in the OCSP response's
* containers tree. The chunk 'ocsp_response' must contain the OCSP response
* to update in DER format.
*
* Returns 0 on success, 1 in error case.
*/
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
{
return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
}
/*
* This function load the OCSP Resonse in DER format contained in file at
* path 'ocsp_path' and call 'ssl_sock_load_ocsp_response'
*
* Returns 0 on success, 1 in error case.
*/
static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, struct certificate_ocsp *ocsp, OCSP_CERTID *cid, char **err)
{
int fd = -1;
int r = 0;
int ret = 1;
fd = open(ocsp_path, O_RDONLY);
if (fd == -1) {
memprintf(err, "Error opening OCSP response file");
goto end;
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data = 0;
while (trash.data < trash.size) {
r = read(fd, trash.area + trash.data, trash.size - trash.data);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (r < 0) {
if (errno == EINTR)
continue;
memprintf(err, "Error reading OCSP response from file");
goto end;
}
else if (r == 0) {
break;
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data += r;
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
}
close(fd);
fd = -1;
ret = ssl_sock_load_ocsp_response(&trash, ocsp, cid, err);
end:
if (fd != -1)
close(fd);
return ret;
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
{
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
struct tls_keys_ref *ref;
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
union tls_sess_key *keys;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
struct connection *conn;
int head;
int i;
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
int ret = -1; /* error by default */
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
conn = SSL_get_ex_data(s, ssl_app_data_index);
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
ref = __objt_listener(conn->target)->bind_conf->keys_ref;
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock);
keys = ref->tlskeys;
head = ref->tls_ticket_enc_index;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (enc) {
memcpy(key_name, keys[head].name, 16);
if(!RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH))
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
goto end;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ref->key_size_bits == 128) {
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if(!EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, keys[head].key_128.aes_key, iv))
goto end;
HMAC_Init_ex(hctx, keys[head].key_128.hmac_key, 16, HASH_FUNCT(), NULL);
ret = 1;
}
else if (ref->key_size_bits == 256 ) {
if(!EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, keys[head].key_256.aes_key, iv))
goto end;
HMAC_Init_ex(hctx, keys[head].key_256.hmac_key, 32, HASH_FUNCT(), NULL);
ret = 1;
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
} else {
for (i = 0; i < TLS_TICKETS_NO; i++) {
if (!memcmp(key_name, keys[(head + i) % TLS_TICKETS_NO].name, 16))
goto found;
}
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
ret = 0;
goto end;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
found:
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ref->key_size_bits == 128) {
HMAC_Init_ex(hctx, keys[(head + i) % TLS_TICKETS_NO].key_128.hmac_key, 16, HASH_FUNCT(), NULL);
if(!EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), NULL, keys[(head + i) % TLS_TICKETS_NO].key_128.aes_key, iv))
goto end;
/* 2 for key renewal, 1 if current key is still valid */
ret = i ? 2 : 1;
}
else if (ref->key_size_bits == 256) {
HMAC_Init_ex(hctx, keys[(head + i) % TLS_TICKETS_NO].key_256.hmac_key, 32, HASH_FUNCT(), NULL);
if(!EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, keys[(head + i) % TLS_TICKETS_NO].key_256.aes_key, iv))
goto end;
/* 2 for key renewal, 1 if current key is still valid */
ret = i ? 2 : 1;
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
end:
HA_RWLOCK_RDUNLOCK(TLSKEYS_REF_LOCK, &ref->lock);
return ret;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
}
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
struct tls_keys_ref *tlskeys_ref_lookup(const char *filename)
{
struct tls_keys_ref *ref;
list_for_each_entry(ref, &tlskeys_reference, list)
if (ref->filename && strcmp(filename, ref->filename) == 0)
return ref;
return NULL;
}
struct tls_keys_ref *tlskeys_ref_lookupid(int unique_id)
{
struct tls_keys_ref *ref;
list_for_each_entry(ref, &tlskeys_reference, list)
if (ref->unique_id == unique_id)
return ref;
return NULL;
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
/* Update the key into ref: if keysize doesnt
* match existing ones, this function returns -1
* else it returns 0 on success.
*/
int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *tlskey)
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
{
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ref->key_size_bits == 128) {
if (tlskey->data != sizeof(struct tls_sess_key_128))
return -1;
}
else if (ref->key_size_bits == 256) {
if (tlskey->data != sizeof(struct tls_sess_key_256))
return -1;
}
else
return -1;
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
HA_RWLOCK_WRLOCK(TLSKEYS_REF_LOCK, &ref->lock);
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy((char *) (ref->tlskeys + ((ref->tls_ticket_enc_index + 2) % TLS_TICKETS_NO)),
tlskey->area, tlskey->data);
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
ref->tls_ticket_enc_index = (ref->tls_ticket_enc_index + 1) % TLS_TICKETS_NO;
HA_RWLOCK_WRUNLOCK(TLSKEYS_REF_LOCK, &ref->lock);
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
return 0;
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
}
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
int ssl_sock_update_tlskey(char *filename, struct buffer *tlskey, char **err)
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
{
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
struct tls_keys_ref *ref = tlskeys_ref_lookup(filename);
if(!ref) {
memprintf(err, "Unable to locate the referenced filename: %s", filename);
return 1;
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ssl_sock_update_tlskey_ref(ref, tlskey) < 0) {
memprintf(err, "Invalid key size");
return 1;
}
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
return 0;
}
/* This function finalize the configuration parsing. Its set all the
CLEANUP: ssl: move tlskeys_finalize_config() to a post_check callback tlskeys_finalize_config() was the only reason for haproxy.c to still require ifdef and includes for ssl_sock. This one fits perfectly well in the late initializers so it was changed to be registered with hap_register_post_check().
2016-12-22 16:46:15 -05:00
* automatic ids. It's called just after the basic checks. It returns
* 0 on success otherwise ERR_*.
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
*/
CLEANUP: ssl: move tlskeys_finalize_config() to a post_check callback tlskeys_finalize_config() was the only reason for haproxy.c to still require ifdef and includes for ssl_sock. This one fits perfectly well in the late initializers so it was changed to be registered with hap_register_post_check().
2016-12-22 16:46:15 -05:00
static int tlskeys_finalize_config(void)
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
{
int i = 0;
struct tls_keys_ref *ref, *ref2, *ref3;
struct list tkr = LIST_HEAD_INIT(tkr);
list_for_each_entry(ref, &tlskeys_reference, list) {
if (ref->unique_id == -1) {
/* Look for the first free id. */
while (1) {
list_for_each_entry(ref2, &tlskeys_reference, list) {
if (ref2->unique_id == i) {
i++;
break;
}
}
if (&ref2->list == &tlskeys_reference)
break;
}
/* Uses the unique id and increment it for the next entry. */
ref->unique_id = i;
i++;
}
}
/* This sort the reference list by id. */
list_for_each_entry_safe(ref, ref2, &tlskeys_reference, list) {
LIST_DEL(&ref->list);
list_for_each_entry(ref3, &tkr, list) {
if (ref->unique_id < ref3->unique_id) {
LIST_ADDQ(&ref3->list, &ref->list);
break;
}
}
if (&ref3->list == &tkr)
LIST_ADDQ(&tkr, &ref->list);
}
/* swap root */
LIST_ADD(&tkr, &tlskeys_reference);
LIST_DEL(&tkr);
CLEANUP: ssl: move tlskeys_finalize_config() to a post_check callback tlskeys_finalize_config() was the only reason for haproxy.c to still require ifdef and includes for ssl_sock. This one fits perfectly well in the late initializers so it was changed to be registered with hap_register_post_check().
2016-12-22 16:46:15 -05:00
return 0;
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#ifndef OPENSSL_NO_OCSP
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype)
{
switch (evp_keytype) {
case EVP_PKEY_RSA:
return 2;
case EVP_PKEY_DSA:
return 0;
case EVP_PKEY_EC:
return 1;
}
return -1;
}
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
/*
* Callback used to set OCSP status extension content in server hello.
*/
int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
{
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
struct certificate_ocsp *ocsp;
struct ocsp_cbk_arg *ocsp_arg;
char *ssl_buf;
EVP_PKEY *ssl_pkey;
int key_type;
int index;
CLEANUP: remove unneeded casts In C89, "void *" is automatically promoted to any pointer type. Casting the result of malloc/calloc to the type of the LHS variable is therefore unneeded. Most of this patch was built using this Coccinelle patch: @@ type T; @@ - (T *) (\(lua_touserdata\|malloc\|calloc\|SSL_get_app_data\|hlua_checkudata\|lua_newuserdata\)(...)) @@ type T; T *x; void *data; @@ x = - (T *) data @@ type T; T *x; T *data; @@ x = - (T *) data Unfortunately, either Coccinelle or I is too limited to detect situation where a complex RHS expression is of type "void *" and therefore casting is not needed. Those cases were manually examined and corrected.
2016-04-03 07:48:42 -04:00
ocsp_arg = arg;
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
ssl_pkey = SSL_get_privatekey(ssl);
if (!ssl_pkey)
return SSL_TLSEXT_ERR_NOACK;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
key_type = EVP_PKEY_base_id(ssl_pkey);
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
if (ocsp_arg->is_single && ocsp_arg->single_kt == key_type)
ocsp = ocsp_arg->s_ocsp;
else {
/* For multiple certs per context, we have to find the correct OCSP response based on
* the certificate type
*/
index = ssl_sock_get_ocsp_arg_kt_index(key_type);
if (index < 0)
return SSL_TLSEXT_ERR_NOACK;
ocsp = ocsp_arg->m_ocsp[index];
}
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!ocsp ||
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
!ocsp->response.area ||
!ocsp->response.data ||
BUG/MEDIUM: ssl: Fix to not serve expired OCSP responses. For some browsers (firefox), an expired OCSP Response causes unwanted behavior. Haproxy stops serving OCSP response if nextupdate date minus the supported time skew (#define OCSP_MAX_RESPONSE_TIME_SKEW) is in the past.
2014-06-20 09:46:13 -04:00
(ocsp->expire < now.tv_sec))
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
return SSL_TLSEXT_ERR_NOACK;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
ssl_buf = OPENSSL_malloc(ocsp->response.data);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!ssl_buf)
return SSL_TLSEXT_ERR_NOACK;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
return SSL_TLSEXT_ERR_OK;
}
/*
* This function enables the handling of OCSP status extension on 'ctx' if a
* file name 'cert_path' suffixed using ".ocsp" is present.
* To enable OCSP status extension, the issuer's certificate is mandatory.
* It should be present in the certificate's extra chain builded from file
* 'cert_path'. If not found, the issuer certificate is loaded from a file
* named 'cert_path' suffixed using '.issuer'.
*
* In addition, ".ocsp" file content is loaded as a DER format of an OCSP
* response. If file is empty or content is not a valid OCSP response,
* OCSP status extension is enabled but OCSP response is ignored (a warning
* is displayed).
*
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* successfully enabled, or -1 in other error case.
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
*/
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char *cert_path)
{
BIO *in = NULL;
X509 *x, *xi = NULL, *issuer = NULL;
STACK_OF(X509) *chain = NULL;
OCSP_CERTID *cid = NULL;
SSL *ssl;
char ocsp_path[MAXPATHLEN+1];
int i, ret = -1;
struct stat st;
struct certificate_ocsp *ocsp = NULL, *iocsp;
char *warn = NULL;
unsigned char *p;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
pem_password_cb *passwd_cb;
void *passwd_cb_userdata;
void (*callback) (void);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
if (stat(ocsp_path, &st))
return 1;
ssl = SSL_new(ctx);
if (!ssl)
goto out;
x = SSL_get_certificate(ssl);
if (!x)
goto out;
/* Try to lookup for issuer in certificate extra chain */
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
SSL_CTX_get_extra_chain_certs(ctx, &chain);
#else
chain = ctx->extra_certs;
#endif
for (i = 0; i < sk_X509_num(chain); i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, x) == X509_V_OK)
break;
else
issuer = NULL;
}
/* If not found try to load issuer from a suffixed file */
if (!issuer) {
char issuer_path[MAXPATHLEN+1];
in = BIO_new(BIO_s_file());
if (!in)
goto out;
snprintf(issuer_path, MAXPATHLEN+1, "%s.issuer", cert_path);
if (BIO_read_filename(in, issuer_path) <= 0)
goto out;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
passwd_cb = SSL_CTX_get_default_passwd_cb(ctx);
passwd_cb_userdata = SSL_CTX_get_default_passwd_cb_userdata(ctx);
xi = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_cb_userdata);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!xi)
goto out;
if (X509_check_issued(xi, x) != X509_V_OK)
goto out;
issuer = xi;
}
cid = OCSP_cert_to_id(0, x, issuer);
if (!cid)
goto out;
i = i2d_OCSP_CERTID(cid, NULL);
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
goto out;
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
ocsp = calloc(1, sizeof(*ocsp));
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
if (!ocsp)
goto out;
p = ocsp->key_data;
i2d_OCSP_CERTID(cid, &p);
iocsp = (struct certificate_ocsp *)ebmb_insert(&cert_ocsp_tree, &ocsp->key, OCSP_MAX_CERTID_ASN1_LENGTH);
if (iocsp == ocsp)
ocsp = NULL;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#ifndef SSL_CTX_get_tlsext_status_cb
# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
*cb = (void (*) (void))ctx->tlsext_status_cb;
#endif
SSL_CTX_get_tlsext_status_cb(ctx, &callback);
if (!callback) {
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
struct ocsp_cbk_arg *cb_arg = calloc(1, sizeof(*cb_arg));
BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage "X509_get_pubkey() attempts to decode the public key for certificate x. If successful it returns the public key as an EVP_PKEY pointer with its reference count incremented: this means the returned key must be freed up after use."
2017-01-06 06:57:46 -05:00
EVP_PKEY *pkey;
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
cb_arg->is_single = 1;
cb_arg->s_ocsp = iocsp;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage "X509_get_pubkey() attempts to decode the public key for certificate x. If successful it returns the public key as an EVP_PKEY pointer with its reference count incremented: this means the returned key must be freed up after use."
2017-01-06 06:57:46 -05:00
pkey = X509_get_pubkey(x);
cb_arg->single_kt = EVP_PKEY_base_id(pkey);
EVP_PKEY_free(pkey);
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
SSL_CTX_set_tlsext_status_cb(ctx, ssl_sock_ocsp_stapling_cbk);
SSL_CTX_set_tlsext_status_arg(ctx, cb_arg);
} else {
/*
* If the ctx has a status CB, then we have previously set an OCSP staple for this ctx
* Update that cb_arg with the new cert's staple
*/
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
struct ocsp_cbk_arg *cb_arg;
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
struct certificate_ocsp *tmp_ocsp;
int index;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int key_type;
BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage "X509_get_pubkey() attempts to decode the public key for certificate x. If successful it returns the public key as an EVP_PKEY pointer with its reference count incremented: this means the returned key must be freed up after use."
2017-01-06 06:57:46 -05:00
EVP_PKEY *pkey;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#ifdef SSL_CTX_get_tlsext_status_arg
SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
#else
cb_arg = ctx->tlsext_status_arg;
#endif
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
/*
* The following few lines will convert cb_arg from a single ocsp to multi ocsp
* the order of operations below matter, take care when changing it
*/
tmp_ocsp = cb_arg->s_ocsp;
index = ssl_sock_get_ocsp_arg_kt_index(cb_arg->single_kt);
cb_arg->s_ocsp = NULL;
cb_arg->m_ocsp[index] = tmp_ocsp;
cb_arg->is_single = 0;
cb_arg->single_kt = 0;
BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage "X509_get_pubkey() attempts to decode the public key for certificate x. If successful it returns the public key as an EVP_PKEY pointer with its reference count incremented: this means the returned key must be freed up after use."
2017-01-06 06:57:46 -05:00
pkey = X509_get_pubkey(x);
key_type = EVP_PKEY_base_id(pkey);
EVP_PKEY_free(pkey);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
index = ssl_sock_get_ocsp_arg_kt_index(key_type);
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
if (index >= 0 && !cb_arg->m_ocsp[index])
cb_arg->m_ocsp[index] = iocsp;
}
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
ret = 0;
warn = NULL;
if (ssl_sock_load_ocsp_response_from_file(ocsp_path, iocsp, cid, &warn)) {
memprintf(&warn, "Loading '%s': %s. Content will be ignored", ocsp_path, warn ? warn : "failure");
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("%s.\n", warn);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
}
out:
if (ssl)
SSL_free(ssl);
if (in)
BIO_free(in);
if (xi)
X509_free(xi);
if (cid)
OCSP_CERTID_free(cid);
if (ocsp)
free(ocsp);
if (warn)
free(warn);
return ret;
}
#endif
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
#ifdef OPENSSL_IS_BORINGSSL
static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
{
char ocsp_path[MAXPATHLEN+1];
struct stat st;
int fd = -1, r = 0;
snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
if (stat(ocsp_path, &st))
return 0;
fd = open(ocsp_path, O_RDONLY);
if (fd == -1) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Error opening OCSP response file %s.\n", ocsp_path);
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
return -1;
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data = 0;
while (trash.data < trash.size) {
r = read(fd, trash.area + trash.data, trash.size - trash.data);
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
if (r < 0) {
if (errno == EINTR)
continue;
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Error reading OCSP response from file %s.\n", ocsp_path);
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
close(fd);
return -1;
}
else if (r == 0) {
break;
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data += r;
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
}
close(fd);
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *) trash.area,
trash.data);
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
}
#endif
BUILD: check for libressl to be able to build against it [wt: might be worth backporting it to 1.6]
2015-11-06 14:02:41 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
#define CT_EXTENSION_TYPE 18
static int sctl_ex_index = -1;
/*
* Try to parse Signed Certificate Timestamp List structure. This function
* makes only basic test if the data seems like SCTL. No signature validation
* is performed.
*/
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
static int ssl_sock_parse_sctl(struct buffer *sctl)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
{
int ret = 1;
int len, pos, sct_len;
unsigned char *data;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (sctl->data < 2)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
goto out;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
data = (unsigned char *) sctl->area;
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
len = (data[0] << 8) | data[1];
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (len + 2 != sctl->data)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
goto out;
data = data + 2;
pos = 0;
while (pos < len) {
if (len - pos < 2)
goto out;
sct_len = (data[pos] << 8) | data[pos + 1];
if (pos + sct_len + 2 > len)
goto out;
pos += sct_len + 2;
}
ret = 0;
out:
return ret;
}
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
static int ssl_sock_load_sctl_from_file(const char *sctl_path,
struct buffer **sctl)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
{
int fd = -1;
int r = 0;
int ret = 1;
*sctl = NULL;
fd = open(sctl_path, O_RDONLY);
if (fd == -1)
goto end;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data = 0;
while (trash.data < trash.size) {
r = read(fd, trash.area + trash.data, trash.size - trash.data);
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
if (r < 0) {
if (errno == EINTR)
continue;
goto end;
}
else if (r == 0) {
break;
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.data += r;
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
}
ret = ssl_sock_parse_sctl(&trash);
if (ret)
goto end;
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
*sctl = calloc(1, sizeof(**sctl));
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
if (!chunk_dup(*sctl, &trash)) {
free(*sctl);
*sctl = NULL;
goto end;
}
end:
if (fd != -1)
close(fd);
return ret;
}
int ssl_sock_sctl_add_cbk(SSL *ssl, unsigned ext_type, const unsigned char **out, size_t *outlen, int *al, void *add_arg)
{
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *sctl = add_arg;
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
*out = (unsigned char *) sctl->area;
*outlen = sctl->data;
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
return 1;
}
int ssl_sock_sctl_parse_cbk(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, int *al, void *parse_arg)
{
return 1;
}
static int ssl_sock_load_sctl(SSL_CTX *ctx, const char *cert_path)
{
char sctl_path[MAXPATHLEN+1];
int ret = -1;
struct stat st;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *sctl = NULL;
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
snprintf(sctl_path, MAXPATHLEN+1, "%s.sctl", cert_path);
if (stat(sctl_path, &st))
return 1;
if (ssl_sock_load_sctl_from_file(sctl_path, &sctl))
goto out;
if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL)) {
free(sctl);
goto out;
}
SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl);
ret = 0;
out:
return ret;
}
#endif
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
void ssl_sock_infocbk(const SSL *ssl, int where, int ret)
{
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MINOR: ssl: handshake optim for long certificate chains. Suggested on the mailing list by Ilya Grigorik and greatly inspired from Nginx code: we try to dynamicaly rise the output buffer size from 4k to 16k during the handshake to reduce the number of round trips. This is mostly beneficial when initcwnd==10. Ilya's tests confirm the gain and show a handshake time divided by 3 : before: http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2/details/ after: http://www.webpagetest.org/result/140201_2X_03511ec63344f442b81c24d2bf39f59d/3/details/
2014-01-28 09:43:53 -05:00
BIO *write_bio;
BUILD/CLEANUP: ssl: avoid a warning due to mixed code and declaration Actually it was caused by some dummy code meant to shut gcc up for an unused argument!
2015-02-27 10:36:16 -05:00
(void)ret; /* shut gcc stupid warning */
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback that is used to verify renegotiation is disabled. This means that these KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS 1.2 and earlier negotiation. So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having a manual check, trust OpenSSL and disable the check. This means that TLS 1.3 KeyUpdate messages will work properly. Reported-By: Adam Langley <agl@imperialviolet.org>
2019-01-21 12:35:03 -05:00
#ifndef SSL_OP_NO_RENEGOTIATION
/* Please note that BoringSSL defines this macro to zero so don't
* change this to #if and do not assign a default value to this macro!
*/
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
if (where & SSL_CB_HANDSHAKE_START) {
/* Disable renegotiation (CVE-2009-3555) */
MINOR: ssl: Handle reading early data after writing better. It can happen that we want to read early data, write some, and then continue reading them. To do so, we can't reuse tmp_early_data to store the amount of data sent, so introduce a new member. If we read early data, then ssl_sock_to_buf() is now the only responsible for getting back to the handshake, to make sure we don't miss any early data.
2017-11-23 12:21:29 -05:00
if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) {
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
conn->flags |= CO_FL_ERROR;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_RENEG;
}
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
}
BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback that is used to verify renegotiation is disabled. This means that these KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS 1.2 and earlier negotiation. So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having a manual check, trust OpenSSL and disable the check. This means that TLS 1.3 KeyUpdate messages will work properly. Reported-By: Adam Langley <agl@imperialviolet.org>
2019-01-21 12:35:03 -05:00
#endif
MINOR: ssl: handshake optim for long certificate chains. Suggested on the mailing list by Ilya Grigorik and greatly inspired from Nginx code: we try to dynamicaly rise the output buffer size from 4k to 16k during the handshake to reduce the number of round trips. This is mostly beneficial when initcwnd==10. Ilya's tests confirm the gain and show a handshake time divided by 3 : before: http://www.webpagetest.org/result/140116_VW_3bd95a5cfb7e667498ef13b59639b9bf/2/details/ after: http://www.webpagetest.org/result/140201_2X_03511ec63344f442b81c24d2bf39f59d/3/details/
2014-01-28 09:43:53 -05:00
if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
/* Long certificate chains optimz
If write and read bios are differents, we
consider that the buffering was activated,
so we rise the output buffer size from 4k
to 16k */
write_bio = SSL_get_wbio(ssl);
if (write_bio != SSL_get_rbio(ssl)) {
BIO_set_write_buffer_size(write_bio, 16384);
conn->xprt_st |= SSL_SOCK_ST_FL_16K_WBFSIZE;
}
}
}
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
}
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
/* Callback is called for each certificate of the chain during a verify
ok is set to 1 if preverify detect no error on current certificate.
Returns 0 to break the handshake, 1 otherwise. */
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
{
SSL *ssl;
struct connection *conn;
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
int err, depth;
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
ssl = X509_STORE_CTX_get_ex_data(x_store, SSL_get_ex_data_X509_STORE_CTX_idx());
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
conn->xprt_st |= SSL_SOCK_ST_FL_VERIFY_DONE;
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
if (ok) /* no errors */
return ok;
depth = X509_STORE_CTX_get_error_depth(x_store);
err = X509_STORE_CTX_get_error(x_store);
/* check if CA error needs to be ignored */
if (depth > 0) {
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (!SSL_SOCK_ST_TO_CA_ERROR(conn->xprt_st)) {
conn->xprt_st |= SSL_SOCK_CA_ERROR_TO_ST(err);
conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
}
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
if (__objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection. Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again. The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
2012-12-03 07:24:29 -05:00
ERR_clear_error();
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
return 1;
BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection. Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again. The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
2012-12-03 07:24:29 -05:00
}
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_CA_FAIL;
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
return 0;
}
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (!SSL_SOCK_ST_TO_CRTERROR(conn->xprt_st))
conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
/* check if certificate error needs to be ignored */
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
if (__objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection. Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again. The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
2012-12-03 07:24:29 -05:00
ERR_clear_error();
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
return 1;
BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err When using ca_ignore_err/crt_ignore_err, a connection to an untrusted server raises an error which is ignored. But the next SSL_read() that encounters EAGAIN raises the error again, breaking the connection. Subsequent connections don't have this problem because the session has been stored and is correctly reused without performing a verify again. The solution consists in correctly flushing the SSL error stack when ignoring the crt/ca error.
2012-12-03 07:24:29 -05:00
}
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_CRT_FAIL;
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
return 0;
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
}
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
static inline
void ssl_sock_parse_clienthello(int write_p, int version, int content_type,
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
const void *buf, size_t len, SSL *ssl)
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
{
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
struct ssl_capture *capture;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
unsigned char *msg;
unsigned char *end;
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
size_t rec_len;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
/* This function is called for "from client" and "to server"
* connections. The combination of write_p == 0 and content_type == 22
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* is only available during "from client" connection.
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
*/
/* "write_p" is set to 0 is the bytes are received messages,
* otherwise it is set to 1.
*/
if (write_p != 0)
return;
/* content_type contains the type of message received or sent
* according with the SSL/TLS protocol spec. This message is
* encoded with one byte. The value 256 (two bytes) is used
* for designing the SSL/TLS record layer. According with the
* rfc6101, the expected message (other than 256) are:
* - change_cipher_spec(20)
* - alert(21)
* - handshake(22)
* - application_data(23)
* - (255)
* We are interessed by the handshake and specially the client
* hello.
*/
if (content_type != 22)
return;
/* The message length is at least 4 bytes, containing the
* message type and the message length.
*/
if (len < 4)
return;
/* First byte of the handshake message id the type of
* message. The konwn types are:
* - hello_request(0)
* - client_hello(1)
* - server_hello(2)
* - certificate(11)
* - server_key_exchange (12)
* - certificate_request(13)
* - server_hello_done(14)
* We are interested by the client hello.
*/
msg = (unsigned char *)buf;
if (msg[0] != 1)
return;
/* Next three bytes are the length of the message. The total length
* must be this decoded length + 4. If the length given as argument
* is not the same, we abort the protocol dissector.
*/
rec_len = (msg[1] << 16) + (msg[2] << 8) + msg[3];
if (len < rec_len + 4)
return;
msg += 4;
end = msg + rec_len;
if (end < msg)
return;
/* Expect 2 bytes for protocol version (1 byte for major and 1 byte
* for minor, the random, composed by 4 bytes for the unix time and
BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id In ssl_sock_parse_clienthello(), the code considers that SSL Sessionid size is '1', and then considers that the SSL cipher suite is availble right after the session id size information. This actually works in a single case, when the client does not send a session id. This patch fixes this issue by introducing the a propoer way to parse the session id and move forward the cursor by the session id length when required. Need to be backported to 1.8.
2018-11-28 09:20:25 -05:00
* 28 bytes for unix payload. So we jump 1 + 1 + 4 + 28.
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
*/
BUG/MINOR: ssl: ssl_sock_parse_clienthello ignores session id In ssl_sock_parse_clienthello(), the code considers that SSL Sessionid size is '1', and then considers that the SSL cipher suite is availble right after the session id size information. This actually works in a single case, when the client does not send a session id. This patch fixes this issue by introducing the a propoer way to parse the session id and move forward the cursor by the session id length when required. Need to be backported to 1.8.
2018-11-28 09:20:25 -05:00
msg += 1 + 1 + 4 + 28;
if (msg > end)
return;
/* Next, is session id:
* if present, we have to jump by length + 1 for the size information
* if not present, we have to jump by 1 only
*/
if (msg[0] > 0)
msg += msg[0];
msg += 1;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
if (msg > end)
return;
/* Next two bytes are the ciphersuite length. */
if (msg + 2 > end)
return;
rec_len = (msg[0] << 8) + msg[1];
msg += 2;
if (msg + rec_len > end || msg + rec_len < msg)
return;
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
capture = pool_alloc_dirty(pool_head_ssl_capture);
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
if (!capture)
return;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
/* Compute the xxh64 of the ciphersuite. */
capture->xxh64 = XXH64(msg, rec_len, 0);
/* Capture the ciphersuite. */
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
capture->ciphersuite_len = (global_ssl.capture_cipherlist < rec_len) ?
global_ssl.capture_cipherlist : rec_len;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
memcpy(capture->ciphersuite, msg, capture->ciphersuite_len);
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
SSL_set_ex_data(ssl, ssl_capture_ptr_index, capture);
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
}
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
/* Callback is called for ssl protocol analyse */
void ssl_sock_msgcbk(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
{
#ifdef TLS1_RT_HEARTBEAT
/* test heartbeat received (write_p is set to 0
for a received record) */
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
if ((content_type == TLS1_RT_HEARTBEAT) && (write_p == 0)) {
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
const unsigned char *p = buf;
unsigned int payload;
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
conn->xprt_st |= SSL_SOCK_RECV_HEARTBEAT;
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
/* Check if this is a CVE-2014-0160 exploitation attempt. */
if (*p != TLS1_HB_REQUEST)
return;
MINOR: ssl: finally catch the heartbeats missing the padding Previous patch only focused on parsing the packet right and blocking it, so it relaxed one test on the packet length. The difference is not usable for attacking but the logs will not report an attack for such cases, which is probably bad. Better report all known invalid packets cases.
2014-04-25 17:59:58 -04:00
if (len < 1 + 2 + 16) /* 1 type + 2 size + 0 payload + 16 padding */
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
goto kill_it;
payload = (p[1] * 256) + p[2];
BUG/MINOR: ssl: really block OpenSSL's response to heartbleed attack Recent commit f51c698 ("MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack") did not always work well, because OpenSSL is fun enough for not testing errors before sending data... So the output sometimes contained some data. The OpenSSL code relies on the max_send_segment value to limit the packet length. The code ensures that a value of zero will result in no single byte leaking. So we're forcing this instead and that definitely fixes the issue. Note that we need to set it the hard way since the regular API checks for valid values.
2014-04-25 17:44:22 -04:00
if (3 + payload + 16 <= len)
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
return; /* OK no problem */
MINOR: ssl: finally catch the heartbeats missing the padding Previous patch only focused on parsing the packet right and blocking it, so it relaxed one test on the packet length. The difference is not usable for attacking but the logs will not report an attack for such cases, which is probably bad. Better report all known invalid packets cases.
2014-04-25 17:59:58 -04:00
kill_it:
BUG/MINOR: ssl: really block OpenSSL's response to heartbleed attack Recent commit f51c698 ("MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack") did not always work well, because OpenSSL is fun enough for not testing errors before sending data... So the output sometimes contained some data. The OpenSSL code relies on the max_send_segment value to limit the packet length. The code ensures that a value of zero will result in no single byte leaking. So we're forcing this instead and that definitely fixes the issue. Note that we need to set it the hard way since the regular API checks for valid values.
2014-04-25 17:44:22 -04:00
/* We have a clear heartbleed attack (CVE-2014-0160), the
* advertised payload is larger than the advertised packet
* length, so we have garbage in the buffer between the
* payload and the end of the buffer (p+len). We can't know
* if the SSL stack is patched, and we don't know if we can
* safely wipe out the area between p+3+len and payload.
* So instead, we prevent the response from being sent by
* setting the max_send_fragment to 0 and we report an SSL
* error, which will kill this connection. It will be reported
* above as SSL_ERROR_SSL while an other handshake failure with
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
* a heartbeat message will be reported as SSL_ERROR_SYSCALL.
*/
BUG/MINOR: ssl: really block OpenSSL's response to heartbleed attack Recent commit f51c698 ("MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack") did not always work well, because OpenSSL is fun enough for not testing errors before sending data... So the output sometimes contained some data. The OpenSSL code relies on the max_send_segment value to limit the packet length. The code ensures that a value of zero will result in no single byte leaking. So we're forcing this instead and that definitely fixes the issue. Note that we need to set it the hard way since the regular API checks for valid values.
2014-04-25 17:44:22 -04:00
ssl->max_send_fragment = 0;
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_SSL_HANDSHAKE_FAILURE);
return;
}
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
#endif
MINOR: ssl: improved cipherlist captures Alloc capture buffer later (when filling), parse client-hello after heartbeat check and remove capture->conn (unused).
2017-03-08 05:07:10 -05:00
if (global_ssl.capture_cipherlist > 0)
ssl_sock_parse_clienthello(write_p, version, content_type, buf, len, ssl);
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
}
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
static int ssl_sock_srv_select_protos(SSL *s, unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
void *arg)
{
struct server *srv = arg;
if (SSL_select_next_proto(out, outlen, in, inlen, (unsigned char *)srv->ssl_ctx.npn_str,
srv->ssl_ctx.npn_len) == OPENSSL_NPN_NEGOTIATED)
return SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_NOACK;
}
#endif
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
/* This callback is used so that the server advertises the list of
* negociable protocols for NPN.
*/
static int ssl_sock_advertise_npn_protos(SSL *s, const unsigned char **data,
unsigned int *len, void *arg)
{
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
struct ssl_bind_conf *conf = arg;
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
*data = (const unsigned char *)conf->npn_str;
*len = conf->npn_len;
return SSL_TLSEXT_ERR_OK;
}
#endif
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
/* This callback is used so that the server advertises the list of
* negociable protocols for ALPN.
*/
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
static int ssl_sock_advertise_alpn_protos(SSL *s, const unsigned char **out,
unsigned char *outlen,
const unsigned char *server,
unsigned int server_len, void *arg)
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
{
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
struct ssl_bind_conf *conf = arg;
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
if (SSL_select_next_proto((unsigned char**) out, outlen, (const unsigned char *)conf->alpn_str,
conf->alpn_len, server, server_len) != OPENSSL_NPN_NEGOTIATED) {
return SSL_TLSEXT_ERR_NOACK;
}
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
return SSL_TLSEXT_ERR_OK;
}
#endif
BUILD: ssl: fix recent build breakage on older SSL libs Commit 31af49d ("MEDIUM: ssl: Add options to forge SSL certificates") introduced some dependencies on SSL_CTRL_SET_TLSEXT_HOSTNAME for which a few checks were missing, breaking the build on openssl 0.9.8.
2015-06-17 09:48:26 -04:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#ifndef SSL_NO_GENERATE_CERTIFICATES
MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates Now, A callback is defined for generated certificates to set DH parameters for ephemeral key exchange when required. In same way, when possible, we also defined Elliptic Curve DH (ECDH) parameters.
2015-10-09 05:46:32 -04:00
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
/* Create a X509 certificate with the specified servername and serial. This
* function returns a SSL_CTX object or NULL if an error occurs. */
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
static SSL_CTX *
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL *ssl)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
{
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
X509 *cacert = bind_conf->ca_sign_cert;
EVP_PKEY *capkey = bind_conf->ca_sign_pkey;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
SSL_CTX *ssl_ctx = NULL;
X509 *newcrt = NULL;
EVP_PKEY *pkey = NULL;
BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2 Commit 48a8332a introduce SSL_CTX_get0_privatekey in openssl-compat.h but SSL_CTX_get0_privatekey access internal structure and can't be a candidate to openssl-compat.h. The workaround with openssl < 1.0.2 is to use SSL_new then SSL_get_privatekey.
2017-08-11 04:56:00 -04:00
SSL *tmp_ssl = NULL;
MINOR: ssl: cleanup old openssl API call For generate-certificates, X509V3_EXT_conf is used but it's an old API call: X509V3_EXT_nconf must be preferred. Openssl compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduce 5 years after X509V3_EXT_nconf.
2018-10-01 12:41:36 -04:00
CONF *ctmp = NULL;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
X509_NAME *name;
const EVP_MD *digest;
X509V3_CTX ctx;
unsigned int i;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int key_type;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
BUG/MEDIUM: ssl: Fix regression about certificates generation Since the commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored."], the certificates generation is broken. To generate a certificate, we retrieved the private key of the default certificate using the SSL object. But since the commit f6b37c67, the SSL object is created with a dummy certificate (initial_ctx). So to fix the bug, we use directly the default certificate in the bind_conf structure. We use SSL_CTX_get0_privatekey function to do so. Because this function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been added in openssl-compat.h with the right #ifdef.
2017-07-28 10:56:09 -04:00
/* Get the private key of the default certificate and use it */
BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2 Commit 48a8332a introduce SSL_CTX_get0_privatekey in openssl-compat.h but SSL_CTX_get0_privatekey access internal structure and can't be a candidate to openssl-compat.h. The workaround with openssl < 1.0.2 is to use SSL_new then SSL_get_privatekey.
2017-08-11 04:56:00 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined LIBRESSL_VERSION_NUMBER)
pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
#else
tmp_ssl = SSL_new(bind_conf->default_ctx);
if (tmp_ssl)
pkey = SSL_get_privatekey(tmp_ssl);
#endif
if (!pkey)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
goto mkcert_error;
/* Create the certificate */
if (!(newcrt = X509_new()))
goto mkcert_error;
/* Set version number for the certificate (X509v3) and the serial
* number */
if (X509_set_version(newcrt, 2L) != 1)
goto mkcert_error;
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
ASN1_INTEGER_set(X509_get_serialNumber(newcrt), _HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* Set duration for the certificate */
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
!X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
goto mkcert_error;
/* set public key in the certificate */
if (X509_set_pubkey(newcrt, pkey) != 1)
goto mkcert_error;
/* Set issuer name from the CA */
if (!(name = X509_get_subject_name(cacert)))
goto mkcert_error;
if (X509_set_issuer_name(newcrt, name) != 1)
goto mkcert_error;
/* Set the subject name using the same, but the CN */
name = X509_NAME_dup(name);
if (X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
(const unsigned char *)servername,
-1, -1, 0) != 1) {
X509_NAME_free(name);
goto mkcert_error;
}
if (X509_set_subject_name(newcrt, name) != 1) {
X509_NAME_free(name);
goto mkcert_error;
}
X509_NAME_free(name);
/* Add x509v3 extensions as specified */
MINOR: ssl: cleanup old openssl API call For generate-certificates, X509V3_EXT_conf is used but it's an old API call: X509V3_EXT_nconf must be preferred. Openssl compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduce 5 years after X509V3_EXT_nconf.
2018-10-01 12:41:36 -04:00
ctmp = NCONF_new(NULL);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
X509V3_set_ctx(&ctx, cacert, newcrt, NULL, NULL, 0);
for (i = 0; i < X509V3_EXT_SIZE; i++) {
X509_EXTENSION *ext;
MINOR: ssl: cleanup old openssl API call For generate-certificates, X509V3_EXT_conf is used but it's an old API call: X509V3_EXT_nconf must be preferred. Openssl compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduce 5 years after X509V3_EXT_nconf.
2018-10-01 12:41:36 -04:00
if (!(ext = X509V3_EXT_nconf(ctmp, &ctx, x509v3_ext_names[i], x509v3_ext_values[i])))
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
goto mkcert_error;
if (!X509_add_ext(newcrt, ext, -1)) {
X509_EXTENSION_free(ext);
goto mkcert_error;
}
X509_EXTENSION_free(ext);
}
/* Sign the certificate with the CA private key */
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
key_type = EVP_PKEY_base_id(capkey);
if (key_type == EVP_PKEY_DSA)
digest = EVP_sha1();
else if (key_type == EVP_PKEY_RSA)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
digest = EVP_sha256();
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
else if (key_type == EVP_PKEY_EC)
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
digest = EVP_sha256();
else {
MINOR: ssl: generate-certificates for BoringSSL
2018-10-01 12:45:19 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL) && !defined(OPENSSL_IS_BORINGSSL)
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
int nid;
if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0)
goto mkcert_error;
if (!(digest = EVP_get_digestbynid(nid)))
goto mkcert_error;
BUILD: ssl: fix build error introduced in commit 7969a3 with OpenSSL < 1.0.0 The function 'EVP_PKEY_get_default_digest_nid()' was introduced in OpenSSL 1.0.0. So for older version of OpenSSL, compiled with the SNI support, the HAProxy compilation fails with the following error: src/ssl_sock.c: In function 'ssl_sock_do_create_cert': src/ssl_sock.c:1096:7: warning: implicit declaration of function 'EVP_PKEY_get_default_digest_nid' if (EVP_PKEY_get_default_digest_nid(capkey, &nid) <= 0) [...] src/ssl_sock.c:1096: undefined reference to `EVP_PKEY_get_default_digest_nid' collect2: error: ld returned 1 exit status Makefile:760: recipe for target 'haproxy' failed make: *** [haproxy] Error 1 So we must add a #ifdef to check the OpenSSL version (>= 1.0.0) to use this function. It is used to get default signature digest associated to the private key used to sign generated X509 certificates. It is called when the private key differs than EVP_PKEY_RSA, EVP_PKEY_DSA and EVP_PKEY_EC. It should be enough for most of cases.
2015-10-19 07:59:24 -04:00
#else
goto mkcert_error;
#endif
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
}
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (!(X509_sign(newcrt, capkey, digest)))
goto mkcert_error;
/* Create and set the new SSL_CTX */
if (!(ssl_ctx = SSL_CTX_new(SSLv23_server_method())))
goto mkcert_error;
if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
goto mkcert_error;
if (!SSL_CTX_use_certificate(ssl_ctx, newcrt))
goto mkcert_error;
if (!SSL_CTX_check_private_key(ssl_ctx))
goto mkcert_error;
if (newcrt) X509_free(newcrt);
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
BUILD: ssl: fix build with -DOPENSSL_NO_DH
2017-03-03 11:04:14 -05:00
#ifndef OPENSSL_NO_DH
MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates Now, A callback is defined for generated certificates to set DH parameters for ephemeral key exchange when required. In same way, when possible, we also defined Elliptic Curve DH (ECDH) parameters.
2015-10-09 05:46:32 -04:00
SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_get_tmp_dh);
BUILD: ssl: fix build with -DOPENSSL_NO_DH
2017-03-03 11:04:14 -05:00
#endif
MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates Now, A callback is defined for generated certificates to set DH parameters for ephemeral key exchange when required. In same way, when possible, we also defined Elliptic Curve DH (ECDH) parameters.
2015-10-09 05:46:32 -04:00
#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
{
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
const char *ecdhe = (bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe : ECDHE_DEFAULT_CURVE);
MINOR: ssl: Add callbacks to set DH/ECDH params for generated certificates Now, A callback is defined for generated certificates to set DH parameters for ephemeral key exchange when required. In same way, when possible, we also defined Elliptic Curve DH (ECDH) parameters.
2015-10-09 05:46:32 -04:00
EC_KEY *ecc;
int nid;
if ((nid = OBJ_sn2nid(ecdhe)) == NID_undef)
goto end;
if (!(ecc = EC_KEY_new_by_curve_name(nid)))
goto end;
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecc);
EC_KEY_free(ecc);
}
#endif
end:
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
return ssl_ctx;
mkcert_error:
MINOR: ssl: cleanup old openssl API call For generate-certificates, X509V3_EXT_conf is used but it's an old API call: X509V3_EXT_nconf must be preferred. Openssl compatibility is ok because it's inside #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME, introduce 5 years after X509V3_EXT_nconf.
2018-10-01 12:41:36 -04:00
if (ctmp) NCONF_free(ctmp);
BUILD: ssl: replace SSL_CTX_get0_privatekey for openssl < 1.0.2 Commit 48a8332a introduce SSL_CTX_get0_privatekey in openssl-compat.h but SSL_CTX_get0_privatekey access internal structure and can't be a candidate to openssl-compat.h. The workaround with openssl < 1.0.2 is to use SSL_new then SSL_get_privatekey.
2017-08-11 04:56:00 -04:00
if (tmp_ssl) SSL_free(tmp_ssl);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (ssl_ctx) SSL_CTX_free(ssl_ctx);
if (newcrt) X509_free(newcrt);
return NULL;
}
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
SSL_CTX *
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_sock_create_cert(struct connection *conn, const char *servername, unsigned int key)
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
{
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
struct bind_conf *bind_conf = __objt_listener(conn->target)->bind_conf;
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
return ssl_sock_do_create_cert(servername, bind_conf, conn->xprt_ctx);
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
}
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
/* Do a lookup for a certificate in the LRU cache used to store generated
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
* certificates and immediately assign it to the SSL session if not null. */
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
SSL_CTX *
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl)
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
{
struct lru64 *lru = NULL;
if (ssl_ctx_lru_tree) {
BUG/MEDIUM: ssl: properly protect SSL cert generation Commit 821bb9b ("MAJOR: threads/ssl: Make SSL part thread-safe") added insufficient locking to the cert lookup and generation code : it uses lru64_lookup(), which will automatically remove and add a list element to the LRU list. It cannot be simply read-locked. A long-term improvement should consist in using a lockless mechanism in lru64_lookup() to safely move the list element at the head. For now let's simply use a write lock during the lookup. The effect will be minimal since it's used only in conjunction with automatically generated certificates, which are much more expensive and rarely used. This fix must be backported to 1.8.
2018-05-17 04:56:47 -04:00
HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
lru = lru64_lookup(key, ssl_ctx_lru_tree, bind_conf->ca_sign_cert, 0);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (lru && lru->domain) {
if (ssl)
SSL_set_SSL_CTX(ssl, (SSL_CTX *)lru->data);
BUG/MEDIUM: ssl: properly protect SSL cert generation Commit 821bb9b ("MAJOR: threads/ssl: Make SSL part thread-safe") added insufficient locking to the cert lookup and generation code : it uses lru64_lookup(), which will automatically remove and add a list element to the LRU list. It cannot be simply read-locked. A long-term improvement should consist in using a lockless mechanism in lru64_lookup() to safely move the list element at the head. For now let's simply use a write lock during the lookup. The effect will be minimal since it's used only in conjunction with automatically generated certificates, which are much more expensive and rarely used. This fix must be backported to 1.8.
2018-05-17 04:56:47 -04:00
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
return (SSL_CTX *)lru->data;
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
BUG/MEDIUM: ssl: properly protect SSL cert generation Commit 821bb9b ("MAJOR: threads/ssl: Make SSL part thread-safe") added insufficient locking to the cert lookup and generation code : it uses lru64_lookup(), which will automatically remove and add a list element to the LRU list. It cannot be simply read-locked. A long-term improvement should consist in using a lockless mechanism in lru64_lookup() to safely move the list element at the head. For now let's simply use a write lock during the lookup. The effect will be minimal since it's used only in conjunction with automatically generated certificates, which are much more expensive and rarely used. This fix must be backported to 1.8.
2018-05-17 04:56:47 -04:00
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
}
return NULL;
}
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
/* Same as <ssl_sock_assign_generated_cert> but without SSL session. This
* function is not thread-safe, it should only be used to check if a certificate
* exists in the lru cache (with no warranty it will not be removed by another
* thread). It is kept for backward compatibility. */
SSL_CTX *
ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_conf)
{
return ssl_sock_assign_generated_cert(key, bind_conf, NULL);
}
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
/* Set a certificate int the LRU cache used to store generated
* certificate. Return 0 on success, otherwise -1 */
int
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_sock_set_generated_cert(SSL_CTX *ssl_ctx, unsigned int key, struct bind_conf *bind_conf)
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
{
struct lru64 *lru = NULL;
if (ssl_ctx_lru_tree) {
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
lru = lru64_get(key, ssl_ctx_lru_tree, bind_conf->ca_sign_cert, 0);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (!lru) {
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
return -1;
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
if (lru->domain && lru->data)
lru->free((SSL_CTX *)lru->data);
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
lru64_commit(lru, ssl_ctx, bind_conf->ca_sign_cert, 0, (void (*)(void *))SSL_CTX_free);
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
return 0;
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
}
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
return -1;
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
}
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
/* Compute the key of the certificate. */
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
unsigned int
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_sock_generated_cert_key(const void *data, size_t len)
MINOR: ssl: Export functions to manipulate generated certificates Following functions are now available in the SSL public API: * ssl_sock_create_cert * ssl_sock_get_generated_cert * ssl_sock_set_generated_cert * ssl_sock_generated_cert_serial These functions could be used to create a certificate by hand, set it in the cache used to store generated certificates and retrieve it. Here is an example (pseudo code): X509 *cacert = ...; EVP_PKEY *capkey = ...; char *servername = ...; unsigned int serial; serial = ssl_sock_generated_cert_serial(servername, strlen(servername)); if (!ssl_sock_get_generated_cert(serial, cacert)) { SSL_CTX *ctx = ssl_sock_create_cert(servername, serial, cacert, capkey); ssl_sock_set_generated_cert(ctx, serial, cacert); }
2015-06-11 07:39:32 -04:00
{
return XXH32(data, len, ssl_ctx_lru_seed);
}
BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled Kim Seri reported that haproxy 1.6.0 crashes after a few requests when a bind line has SSL enabled with more than one certificate. This was caused by an insufficient condition to free generated certs during ssl_sock_close() which can also catch other certs. Christopher Faulet analysed the situation like this : ------- First the LRU tree is only initialized when the SSL certs generation is configured on a bind line. So, in the most of cases, it is NULL (it is not the same thing than empty). When the SSL certs generation is used, if the cache is not NULL, a such certificate is pushed in the cache and there is no need to release it when the connection is closed. But it can be disabled in the configuration. So in that case, we must free the generated certificate when the connection is closed. Then here, we have really a bug. Here is the buggy part: 3125) if (conn->xprt_ctx) { 3126) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 3127) if (!ssl_ctx_lru_tree && objt_listener(conn->target)) { 3128) SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx); 3129) if (ctx != 3130) SSL_CTX_free(ctx); 3131) } 3133) SSL_free(conn->xprt_ctx); 3134) conn->xprt_ctx = NULL; 3135) sslconns--; 3136) } The check on the line 3127 is not enough to determine if this is a generated certificate or not. Because ssl_ctx_lru_tree is NULL, generated certificates, if any, must be freed. But here ctx should also be compared to all SNI certificates and not only to default_ctx. Because of this bug, when a SNI certificate is used for a connection, it is erroneously freed when this connection is closed. ------- Christopher provided this reliable reproducer : ---------- global tune.ssl.default-dh-param 2048 daemon listen ssl_server mode tcp bind 127.0.0.1:4443 ssl crt srv1.test.com.pem crt srv2.test.com.pem timeout connect 5000 timeout client 30000 timeout server 30000 server srv A.B.C.D:80 You just need to generate 2 SSL certificates with 2 CN (here srv1.test.com and srv2.test.com). Then, by doing SSL requests with the first CN, there is no problem. But with the second CN, it should segfault on the 2nd request. openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK But, openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // KO ----------- A long discussion led to the following proposal which this patch implements : - the cert is generated. It gets a refcount = 1. - we assign it to the SSL. Its refcount becomes two. - we try to insert it into the tree. The tree will handle its freeing using SSL_CTX_free() during eviction. - if we can't insert into the tree because the tree is disabled, then we have to call SSL_CTX_free() ourselves, then we'd rather do it immediately. It will more closely mimmick the case where the cert is added to the tree and immediately evicted by concurrent activity on the cache. - we never have to call SSL_CTX_free() during ssl_sock_close() because the SSL session only relies on openssl doing the right thing based on the refcount only. - thus we never need to know how the cert was created since the SSL_CTX_free() is either guaranteed or already done for generated certs, and this protects other ones against any accidental call to SSL_CTX_free() without having to track where the cert comes from. This patch also reduces the inter-dependence between the LRU tree and the SSL stack, so it should cause less sweating to migrate to threads later. This bug is specific to 1.6.0, as it was introduced after dev7 by this fix : d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") Thus a backport to 1.6 is required, but not to 1.5.
2015-10-20 09:16:01 -04:00
/* Generate a cert and immediately assign it to the SSL session so that the cert's
* refcount is maintained regardless of the cert's presence in the LRU cache.
*/
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
static int
MINOR: ssl: Add support for EC for the CA used to sign generated certificates This is done by adding EVP_PKEY_EC type in supported types for the CA private key when we get the message digest used to sign a generated X509 certificate. So now, we support DSA, RSA and EC private keys. And to be sure, when the type of the private key is not directly supported, we get its default message digest using the function 'EVP_PKEY_get_default_digest_nid'. We also use the key of the default certificate instead of generated it. So we are sure to use the same key type instead of always using a RSA key.
2015-10-09 05:15:03 -04:00
ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_conf, SSL *ssl)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
{
X509 *cacert = bind_conf->ca_sign_cert;
SSL_CTX *ssl_ctx = NULL;
struct lru64 *lru = NULL;
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
unsigned int key;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
key = ssl_sock_generated_cert_key(servername, strlen(servername));
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (ssl_ctx_lru_tree) {
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
lru = lru64_get(key, ssl_ctx_lru_tree, cacert, 0);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (lru && lru->domain)
ssl_ctx = (SSL_CTX *)lru->data;
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
if (!ssl_ctx && lru) {
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
}
BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled Kim Seri reported that haproxy 1.6.0 crashes after a few requests when a bind line has SSL enabled with more than one certificate. This was caused by an insufficient condition to free generated certs during ssl_sock_close() which can also catch other certs. Christopher Faulet analysed the situation like this : ------- First the LRU tree is only initialized when the SSL certs generation is configured on a bind line. So, in the most of cases, it is NULL (it is not the same thing than empty). When the SSL certs generation is used, if the cache is not NULL, a such certificate is pushed in the cache and there is no need to release it when the connection is closed. But it can be disabled in the configuration. So in that case, we must free the generated certificate when the connection is closed. Then here, we have really a bug. Here is the buggy part: 3125) if (conn->xprt_ctx) { 3126) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 3127) if (!ssl_ctx_lru_tree && objt_listener(conn->target)) { 3128) SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx); 3129) if (ctx != 3130) SSL_CTX_free(ctx); 3131) } 3133) SSL_free(conn->xprt_ctx); 3134) conn->xprt_ctx = NULL; 3135) sslconns--; 3136) } The check on the line 3127 is not enough to determine if this is a generated certificate or not. Because ssl_ctx_lru_tree is NULL, generated certificates, if any, must be freed. But here ctx should also be compared to all SNI certificates and not only to default_ctx. Because of this bug, when a SNI certificate is used for a connection, it is erroneously freed when this connection is closed. ------- Christopher provided this reliable reproducer : ---------- global tune.ssl.default-dh-param 2048 daemon listen ssl_server mode tcp bind 127.0.0.1:4443 ssl crt srv1.test.com.pem crt srv2.test.com.pem timeout connect 5000 timeout client 30000 timeout server 30000 server srv A.B.C.D:80 You just need to generate 2 SSL certificates with 2 CN (here srv1.test.com and srv2.test.com). Then, by doing SSL requests with the first CN, there is no problem. But with the second CN, it should segfault on the 2nd request. openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK But, openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // KO ----------- A long discussion led to the following proposal which this patch implements : - the cert is generated. It gets a refcount = 1. - we assign it to the SSL. Its refcount becomes two. - we try to insert it into the tree. The tree will handle its freeing using SSL_CTX_free() during eviction. - if we can't insert into the tree because the tree is disabled, then we have to call SSL_CTX_free() ourselves, then we'd rather do it immediately. It will more closely mimmick the case where the cert is added to the tree and immediately evicted by concurrent activity on the cache. - we never have to call SSL_CTX_free() during ssl_sock_close() because the SSL session only relies on openssl doing the right thing based on the refcount only. - thus we never need to know how the cert was created since the SSL_CTX_free() is either guaranteed or already done for generated certs, and this protects other ones against any accidental call to SSL_CTX_free() without having to track where the cert comes from. This patch also reduces the inter-dependence between the LRU tree and the SSL stack, so it should cause less sweating to migrate to threads later. This bug is specific to 1.6.0, as it was introduced after dev7 by this fix : d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") Thus a backport to 1.6 is required, but not to 1.5.
2015-10-20 09:16:01 -04:00
SSL_set_SSL_CTX(ssl, ssl_ctx);
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
return 1;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
}
BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled Kim Seri reported that haproxy 1.6.0 crashes after a few requests when a bind line has SSL enabled with more than one certificate. This was caused by an insufficient condition to free generated certs during ssl_sock_close() which can also catch other certs. Christopher Faulet analysed the situation like this : ------- First the LRU tree is only initialized when the SSL certs generation is configured on a bind line. So, in the most of cases, it is NULL (it is not the same thing than empty). When the SSL certs generation is used, if the cache is not NULL, a such certificate is pushed in the cache and there is no need to release it when the connection is closed. But it can be disabled in the configuration. So in that case, we must free the generated certificate when the connection is closed. Then here, we have really a bug. Here is the buggy part: 3125) if (conn->xprt_ctx) { 3126) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 3127) if (!ssl_ctx_lru_tree && objt_listener(conn->target)) { 3128) SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx); 3129) if (ctx != 3130) SSL_CTX_free(ctx); 3131) } 3133) SSL_free(conn->xprt_ctx); 3134) conn->xprt_ctx = NULL; 3135) sslconns--; 3136) } The check on the line 3127 is not enough to determine if this is a generated certificate or not. Because ssl_ctx_lru_tree is NULL, generated certificates, if any, must be freed. But here ctx should also be compared to all SNI certificates and not only to default_ctx. Because of this bug, when a SNI certificate is used for a connection, it is erroneously freed when this connection is closed. ------- Christopher provided this reliable reproducer : ---------- global tune.ssl.default-dh-param 2048 daemon listen ssl_server mode tcp bind 127.0.0.1:4443 ssl crt srv1.test.com.pem crt srv2.test.com.pem timeout connect 5000 timeout client 30000 timeout server 30000 server srv A.B.C.D:80 You just need to generate 2 SSL certificates with 2 CN (here srv1.test.com and srv2.test.com). Then, by doing SSL requests with the first CN, there is no problem. But with the second CN, it should segfault on the 2nd request. openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK But, openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // KO ----------- A long discussion led to the following proposal which this patch implements : - the cert is generated. It gets a refcount = 1. - we assign it to the SSL. Its refcount becomes two. - we try to insert it into the tree. The tree will handle its freeing using SSL_CTX_free() during eviction. - if we can't insert into the tree because the tree is disabled, then we have to call SSL_CTX_free() ourselves, then we'd rather do it immediately. It will more closely mimmick the case where the cert is added to the tree and immediately evicted by concurrent activity on the cache. - we never have to call SSL_CTX_free() during ssl_sock_close() because the SSL session only relies on openssl doing the right thing based on the refcount only. - thus we never need to know how the cert was created since the SSL_CTX_free() is either guaranteed or already done for generated certs, and this protects other ones against any accidental call to SSL_CTX_free() without having to track where the cert comes from. This patch also reduces the inter-dependence between the LRU tree and the SSL stack, so it should cause less sweating to migrate to threads later. This bug is specific to 1.6.0, as it was introduced after dev7 by this fix : d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") Thus a backport to 1.6 is required, but not to 1.5.
2015-10-20 09:16:01 -04:00
else {
BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated certificate was computed using the requested servername, without any variable/random part. It is not a problem from the moment it is not regenerated. But if the cache is disabled or when the certificate is evicted from the cache, we may need to regenerate it. It is important to not reuse the same serial number for the new certificate. Else clients (especially browsers) trigger a warning because 2 certificates issued by the same CA have the same serial number. So now, the serial is a static variable initialized with now_ms (internal date in milliseconds) and incremented at each new certificate generation. (Ref MPS-2031)
2015-11-12 05:35:51 -05:00
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled Kim Seri reported that haproxy 1.6.0 crashes after a few requests when a bind line has SSL enabled with more than one certificate. This was caused by an insufficient condition to free generated certs during ssl_sock_close() which can also catch other certs. Christopher Faulet analysed the situation like this : ------- First the LRU tree is only initialized when the SSL certs generation is configured on a bind line. So, in the most of cases, it is NULL (it is not the same thing than empty). When the SSL certs generation is used, if the cache is not NULL, a such certificate is pushed in the cache and there is no need to release it when the connection is closed. But it can be disabled in the configuration. So in that case, we must free the generated certificate when the connection is closed. Then here, we have really a bug. Here is the buggy part: 3125) if (conn->xprt_ctx) { 3126) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 3127) if (!ssl_ctx_lru_tree && objt_listener(conn->target)) { 3128) SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx); 3129) if (ctx != 3130) SSL_CTX_free(ctx); 3131) } 3133) SSL_free(conn->xprt_ctx); 3134) conn->xprt_ctx = NULL; 3135) sslconns--; 3136) } The check on the line 3127 is not enough to determine if this is a generated certificate or not. Because ssl_ctx_lru_tree is NULL, generated certificates, if any, must be freed. But here ctx should also be compared to all SNI certificates and not only to default_ctx. Because of this bug, when a SNI certificate is used for a connection, it is erroneously freed when this connection is closed. ------- Christopher provided this reliable reproducer : ---------- global tune.ssl.default-dh-param 2048 daemon listen ssl_server mode tcp bind 127.0.0.1:4443 ssl crt srv1.test.com.pem crt srv2.test.com.pem timeout connect 5000 timeout client 30000 timeout server 30000 server srv A.B.C.D:80 You just need to generate 2 SSL certificates with 2 CN (here srv1.test.com and srv2.test.com). Then, by doing SSL requests with the first CN, there is no problem. But with the second CN, it should segfault on the 2nd request. openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK But, openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // KO ----------- A long discussion led to the following proposal which this patch implements : - the cert is generated. It gets a refcount = 1. - we assign it to the SSL. Its refcount becomes two. - we try to insert it into the tree. The tree will handle its freeing using SSL_CTX_free() during eviction. - if we can't insert into the tree because the tree is disabled, then we have to call SSL_CTX_free() ourselves, then we'd rather do it immediately. It will more closely mimmick the case where the cert is added to the tree and immediately evicted by concurrent activity on the cache. - we never have to call SSL_CTX_free() during ssl_sock_close() because the SSL session only relies on openssl doing the right thing based on the refcount only. - thus we never need to know how the cert was created since the SSL_CTX_free() is either guaranteed or already done for generated certs, and this protects other ones against any accidental call to SSL_CTX_free() without having to track where the cert comes from. This patch also reduces the inter-dependence between the LRU tree and the SSL stack, so it should cause less sweating to migrate to threads later. This bug is specific to 1.6.0, as it was introduced after dev7 by this fix : d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") Thus a backport to 1.6 is required, but not to 1.5.
2015-10-20 09:16:01 -04:00
SSL_set_SSL_CTX(ssl, ssl_ctx);
/* No LRU cache, this CTX will be released as soon as the session dies */
SSL_CTX_free(ssl_ctx);
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
return 1;
BUG/MAJOR: ssl: free the generated SSL_CTX if the LRU cache is disabled Kim Seri reported that haproxy 1.6.0 crashes after a few requests when a bind line has SSL enabled with more than one certificate. This was caused by an insufficient condition to free generated certs during ssl_sock_close() which can also catch other certs. Christopher Faulet analysed the situation like this : ------- First the LRU tree is only initialized when the SSL certs generation is configured on a bind line. So, in the most of cases, it is NULL (it is not the same thing than empty). When the SSL certs generation is used, if the cache is not NULL, a such certificate is pushed in the cache and there is no need to release it when the connection is closed. But it can be disabled in the configuration. So in that case, we must free the generated certificate when the connection is closed. Then here, we have really a bug. Here is the buggy part: 3125) if (conn->xprt_ctx) { 3126) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 3127) if (!ssl_ctx_lru_tree && objt_listener(conn->target)) { 3128) SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx); 3129) if (ctx != 3130) SSL_CTX_free(ctx); 3131) } 3133) SSL_free(conn->xprt_ctx); 3134) conn->xprt_ctx = NULL; 3135) sslconns--; 3136) } The check on the line 3127 is not enough to determine if this is a generated certificate or not. Because ssl_ctx_lru_tree is NULL, generated certificates, if any, must be freed. But here ctx should also be compared to all SNI certificates and not only to default_ctx. Because of this bug, when a SNI certificate is used for a connection, it is erroneously freed when this connection is closed. ------- Christopher provided this reliable reproducer : ---------- global tune.ssl.default-dh-param 2048 daemon listen ssl_server mode tcp bind 127.0.0.1:4443 ssl crt srv1.test.com.pem crt srv2.test.com.pem timeout connect 5000 timeout client 30000 timeout server 30000 server srv A.B.C.D:80 You just need to generate 2 SSL certificates with 2 CN (here srv1.test.com and srv2.test.com). Then, by doing SSL requests with the first CN, there is no problem. But with the second CN, it should segfault on the 2nd request. openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv1.test.com // OK But, openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // OK openssl s_client -connect 127.0.0.1:4443 -servername srv2.test.com // KO ----------- A long discussion led to the following proposal which this patch implements : - the cert is generated. It gets a refcount = 1. - we assign it to the SSL. Its refcount becomes two. - we try to insert it into the tree. The tree will handle its freeing using SSL_CTX_free() during eviction. - if we can't insert into the tree because the tree is disabled, then we have to call SSL_CTX_free() ourselves, then we'd rather do it immediately. It will more closely mimmick the case where the cert is added to the tree and immediately evicted by concurrent activity on the cache. - we never have to call SSL_CTX_free() during ssl_sock_close() because the SSL session only relies on openssl doing the right thing based on the refcount only. - thus we never need to know how the cert was created since the SSL_CTX_free() is either guaranteed or already done for generated certs, and this protects other ones against any accidental call to SSL_CTX_free() without having to track where the cert comes from. This patch also reduces the inter-dependence between the LRU tree and the SSL stack, so it should cause less sweating to migrate to threads later. This bug is specific to 1.6.0, as it was introduced after dev7 by this fix : d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") Thus a backport to 1.6 is required, but not to 1.5.
2015-10-20 09:16:01 -04:00
}
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
return 0;
}
static int
ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl)
{
unsigned int key;
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
conn_get_to_addr(conn);
if (conn->flags & CO_FL_ADDR_TO_SET) {
key = ssl_sock_generated_cert_key(&conn->addr.to, get_addr_len(&conn->addr.to));
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (ssl_sock_assign_generated_cert(key, bind_conf, ssl))
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
return 1;
}
return 0;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif /* !defined SSL_NO_GENERATE_CERTIFICATES */
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE /* needs OpenSSL >= 0.9.7 */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
#endif
#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
#define SSL_renegotiate_pending(arg) 0
#endif
#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */
#define SSL_OP_SINGLE_ECDH_USE 0
#endif
#ifndef SSL_OP_NO_TICKET /* needs OpenSSL >= 0.9.8 */
#define SSL_OP_NO_TICKET 0
#endif
#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
#define SSL_OP_NO_COMPRESSION 0
#endif
BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib have no SSLv3 The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx" drop the case when ssl lib have removed SSLv3. The commit 1e59fcc5 "BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0" fix build but it's false because haproxy think that ssl lib support SSLv3. SSL_OP_NO_* are flags to set in ssl_options and is the way haproxy do the link between ssl capabilities and haproxy configuration. (The mapping table is done via methodVersions). SSL_OP_NO_* is set to 0 when ssl lib doesn't support a new TLS version. Older version (like SSLv3) can be removed at build or unsupported (like libressl). In all case OPENSSL_NO_SSL3 is define. To keep the same logic, this patch alter SSL_OP_NO_SSLv3 to 0 when SSLv3 is not supported by ssl lib (when OPENSSL_NO_SSL3 is define).
2017-07-12 06:53:02 -04:00
#ifdef OPENSSL_NO_SSL3 /* SSLv3 support removed */
#undef SSL_OP_NO_SSLv3
#define SSL_OP_NO_SSLv3 0
#endif
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_1 0
#endif
#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
#define SSL_OP_NO_TLSv1_2 0
#endif
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifndef SSL_OP_NO_TLSv1_3 /* needs OpenSSL >= 1.1.1 */
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#define SSL_OP_NO_TLSv1_3 0
#endif
#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
#define SSL_OP_SINGLE_DH_USE 0
#endif
#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 1.0.0 */
#define SSL_OP_SINGLE_ECDH_USE 0
#endif
#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */
#define SSL_MODE_RELEASE_BUFFERS 0
#endif
#ifndef SSL_MODE_SMALL_BUFFERS /* needs small_records.patch */
#define SSL_MODE_SMALL_BUFFERS 0
#endif
MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA Sets OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA unconditionally, as per [1]: When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher list if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere in the server cipher list; but still allows other clients to use AES and other ciphers. Requires SSL_OP_CIPHER_SERVER_PREFERENCE. [1] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html
2018-05-18 11:55:57 -04:00
#ifndef SSL_OP_PRIORITIZE_CHACHA /* needs OpenSSL >= 1.1.1 */
#define SSL_OP_PRIORITIZE_CHACHA 0
#endif
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
MINOR: ssl: build with recent BoringSSL library BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2017-10-02 11:12:06 -04:00
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
{
BUG/MINOR: ssl: remove haproxy SSLv3 support when ssl lib have no SSLv3 The commit 5db33cbd "MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx" drop the case when ssl lib have removed SSLv3. The commit 1e59fcc5 "BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0" fix build but it's false because haproxy think that ssl lib support SSLv3. SSL_OP_NO_* are flags to set in ssl_options and is the way haproxy do the link between ssl capabilities and haproxy configuration. (The mapping table is done via methodVersions). SSL_OP_NO_* is set to 0 when ssl lib doesn't support a new TLS version. Older version (like SSLv3) can be removed at build or unsupported (like libressl). In all case OPENSSL_NO_SSL3 is define. To keep the same logic, this patch alter SSL_OP_NO_SSLv3 to 0 when SSLv3 is not supported by ssl lib (when OPENSSL_NO_SSL3 is define).
2017-07-12 06:53:02 -04:00
#if SSL_OP_NO_SSLv3
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
#endif
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) {
c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_server_method())
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_ssl_version(ctx, TLSv1_client_method());
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) {
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#if SSL_OP_NO_TLSv1_1
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method())
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_ssl_version(ctx, TLSv1_1_client_method());
#endif
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) {
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#if SSL_OP_NO_TLSv1_2
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method())
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method());
#endif
}
DOC: ssl: Use consistent naming for TLS protocols In most cases, "TLSv1.x" naming is used across and documentation, lazy people tend to grep too much and may not find what they are looking for. Fixing people is hard.
2018-08-13 19:56:13 -04:00
/* TLSv1.2 is the last supported version in this context. */
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {}
/* Unusable in this context. */
static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {}
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#else /* openssl >= 1.1.0 */
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
typedef enum { SET_MIN, SET_MAX } set_context_func;
static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {
c == SET_MAX ? SSL_set_max_proto_version(ssl, SSL3_VERSION)
: SSL_set_min_proto_version(ssl, SSL3_VERSION);
}
static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) {
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_VERSION);
}
static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_1_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_1_VERSION);
}
static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_2_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
}
static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#if SSL_OP_NO_TLSv1_3
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
#endif
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
#if SSL_OP_NO_TLSv1_3
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
#endif
}
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
#endif
static void ctx_set_None_func(SSL_CTX *ctx, set_context_func c) { }
static void ssl_set_None_func(SSL *ssl, set_context_func c) { }
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
static struct {
int option;
uint16_t flag;
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
void (*ctx_set_version)(SSL_CTX *, set_context_func);
void (*ssl_set_version)(SSL *, set_context_func);
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
const char *name;
} methodVersions[] = {
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
{0, 0, ctx_set_None_func, ssl_set_None_func, "NONE"}, /* CONF_TLSV_NONE */
{SSL_OP_NO_SSLv3, MC_SSL_O_NO_SSLV3, ctx_set_SSLv3_func, ssl_set_SSLv3_func, "SSLv3"}, /* CONF_SSLV3 */
{SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ctx_set_TLSv10_func, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */
{SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ctx_set_TLSv11_func, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */
{SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ctx_set_TLSv12_func, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */
{SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ctx_set_TLSv13_func, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */
REORG: ssl: move defines and methodVersions table upper It will used in ssl_sock_switchctx_cbk.
2017-05-18 05:56:58 -04:00
};
BUG/MEDIUM: ssl: fix verify/ca-file per certificate SSL verify and client_CA inherits from the initial ctx (default_ctx). When a certificate is found, the SSL connection environment must be replaced by the certificate configuration (via SSL_set_verify and SSL_set_client_CA_list).
2017-03-01 12:54:56 -05:00
static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
{
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
SSL_set_SSL_CTX(ssl, ctx);
}
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
{
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
struct bind_conf *s = priv;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
(void)al; /* shut gcc stupid warning */
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || s->generate_certs)
return SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_NOACK;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
}
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
{
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
SSL *ssl = ctx->ssl;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
{
#endif
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
struct connection *conn;
struct bind_conf *s;
const uint8_t *extension_data;
size_t extension_len;
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
int has_rsa_sig = 0, has_ecdsa_sig = 0;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
char *wildp = NULL;
const uint8_t *servername;
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
size_t servername_len;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
struct ebmb_node *node, *n, *node_ecdsa = NULL, *node_rsa = NULL, *node_anonymous = NULL;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
int allow_early = 0;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
int i;
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
conn = SSL_get_ex_data(ssl, ssl_app_data_index);
BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk() This null-deref cannot happen either as there necesarily is a listener where this function is called. Let's use __objt_listener() to address this. This may be backported to 1.8.
2018-10-15 07:20:07 -04:00
s = __objt_listener(conn->target)->bind_conf;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
MINOR: ssl: Don't abuse ssl_options. A bind_conf does contain a ssl_bind_conf, which already has a flag to know if early data are activated, so use that, instead of adding a new flag in the ssl_options field.
2017-10-27 08:58:08 -04:00
if (s->ssl_conf.early_data)
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
allow_early = 1;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
&extension_data, &extension_len)) {
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &extension_data, &extension_len)) {
#endif
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
/*
* The server_name extension was given too much extensibility when it
* was written, so parsing the normal case is a bit complex.
*/
size_t len;
if (extension_len <= 2)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
goto abort;
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
/* Extract the length of the supplied list of names. */
len = (*extension_data++) << 8;
len |= *extension_data++;
if (len + 2 != extension_len)
goto abort;
/*
* The list in practice only has a single element, so we only consider
* the first one.
*/
if (len == 0 || *extension_data++ != TLSEXT_NAMETYPE_host_name)
goto abort;
extension_len = len - 1;
/* Now we can finally pull out the byte array with the actual hostname. */
if (extension_len <= 2)
goto abort;
len = (*extension_data++) << 8;
len |= *extension_data++;
if (len == 0 || len + 2 > extension_len || len > TLSEXT_MAXLEN_host_name
|| memchr(extension_data, 0, len) != NULL)
goto abort;
servername = extension_data;
servername_len = len;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
} else {
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) {
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
goto allow_early;
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
}
#endif
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
/* without SNI extension, is the default_ctx (need SSL_TLSEXT_ERR_NOACK) */
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
if (!s->strict_sni) {
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
ssl_sock_switchctx_set(ssl, s->default_ctx);
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
goto allow_early;
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
}
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
goto abort;
}
/* extract/check clientHello informations */
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
if (SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_signature_algorithms, &extension_data, &extension_len)) {
#endif
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
uint8_t sign;
size_t len;
if (extension_len < 2)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
goto abort;
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
len = (*extension_data++) << 8;
len |= *extension_data++;
if (len + 2 != extension_len)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
goto abort;
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
if (len % 2 != 0)
goto abort;
for (; len > 0; len -= 2) {
extension_data++; /* hash */
sign = *extension_data++;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
switch (sign) {
case TLSEXT_signature_rsa:
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
has_rsa_sig = 1;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
break;
case TLSEXT_signature_ecdsa:
has_ecdsa_sig = 1;
break;
default:
continue;
}
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
if (has_ecdsa_sig && has_rsa_sig)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
break;
}
} else {
DOC: ssl: Use consistent naming for TLS protocols In most cases, "TLSv1.x" naming is used across and documentation, lazy people tend to grep too much and may not find what they are looking for. Fixing people is hard.
2018-08-13 19:56:13 -04:00
/* without TLSEXT_TYPE_signature_algorithms extension (< TLSv1.2) */
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
has_rsa_sig = 1;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
}
if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a ECDSA cipher */
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
const SSL_CIPHER *cipher;
size_t len;
const uint8_t *cipher_suites;
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
has_ecdsa_sig = 0;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
len = ctx->cipher_suites_len;
cipher_suites = ctx->cipher_suites;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
len = SSL_client_hello_get0_ciphers(ssl, &cipher_suites);
#endif
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
if (len % 2 != 0)
goto abort;
for (; len != 0; len -= 2, cipher_suites += 2) {
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
uint16_t cipher_suite = (cipher_suites[0] << 8) | cipher_suites[1];
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
cipher = SSL_get_cipher_by_value(cipher_suite);
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
cipher = SSL_CIPHER_find(ssl, cipher_suites);
#endif
MINOR: ssl: build with recent BoringSSL library BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2017-10-02 11:12:06 -04:00
if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
has_ecdsa_sig = 1;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
break;
}
}
}
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
for (i = 0; i < trash.size && i < servername_len; i++) {
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = tolower(servername[i]);
if (!wildp && (trash.area[i] == '.'))
wildp = &trash.area[i];
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = 0;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
/* lookup in full qualified names */
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
node = ebst_lookup(&s->sni_ctx, trash.area);
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
/* lookup a not neg filter */
for (n = node; n; n = ebmb_next_dup(n)) {
if (!container_of(n, struct sni_ctx, name)->neg) {
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
switch(container_of(n, struct sni_ctx, name)->kinfo.sig) {
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
case TLSEXT_signature_ecdsa:
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
if (!node_ecdsa)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
node_ecdsa = n;
break;
case TLSEXT_signature_rsa:
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
if (!node_rsa)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
node_rsa = n;
break;
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
default: /* TLSEXT_signature_anonymous|dsa */
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
if (!node_anonymous)
node_anonymous = n;
break;
}
}
}
if (wildp) {
/* lookup in wildcards names */
node = ebst_lookup(&s->sni_w_ctx, wildp);
for (n = node; n; n = ebmb_next_dup(n)) {
if (!container_of(n, struct sni_ctx, name)->neg) {
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
switch(container_of(n, struct sni_ctx, name)->kinfo.sig) {
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
case TLSEXT_signature_ecdsa:
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
if (!node_ecdsa)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
node_ecdsa = n;
break;
case TLSEXT_signature_rsa:
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
if (!node_rsa)
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
node_rsa = n;
break;
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
default: /* TLSEXT_signature_anonymous|dsa */
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
if (!node_anonymous)
node_anonymous = n;
break;
}
}
}
}
/* select by key_signature priority order */
BUG/MEDIUM: ECC cert should work with TLS < v1.2 and openssl >= 1.1.1 With openssl >= 1.1.1 and boringssl multi-cert is natively supported. ECDSA/RSA selection is done and work correctly with TLS >= v1.2. TLS < v1.2 have no TLSEXT_TYPE_signature_algorithms extension: ECC certificate can't be selected, and handshake fail if no RSA cert is present. Safe ECC certificate selection without client announcement can be very tricky (browser compatibilty). The safer approach is to select ECDSA certificate if no other certificate matches, like it is with openssl < 1.1.1: certificate selection is only done via the SNI. Thanks to Lukas Tribus for reporting this and analysing the problem. This patch should be backported to 1.8
2018-09-03 10:29:16 -04:00
node = (has_ecdsa_sig && node_ecdsa) ? node_ecdsa
: ((has_rsa_sig && node_rsa) ? node_rsa
: (node_anonymous ? node_anonymous
: (node_ecdsa ? node_ecdsa /* no ecdsa signature case (< TLSv1.2) */
: node_rsa /* no rsa signature case (far far away) */
)));
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
if (node) {
/* switch ctx */
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
struct ssl_bind_conf *conf = container_of(node, struct sni_ctx, name)->conf;
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
BUG/MINOR; ssl: Don't assume we have a ssl_bind_conf because a SNI is matched. We only have a ssl_bind_conf if crt-list is used, however we can still match a certificate SNI, so don't assume we have a ssl_bind_conf.
2017-11-02 14:04:38 -04:00
if (conf) {
methodVersions[conf->ssl_methods.min].ssl_set_version(ssl, SET_MIN);
methodVersions[conf->ssl_methods.max].ssl_set_version(ssl, SET_MAX);
if (conf->early_data)
allow_early = 1;
}
goto allow_early;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
}
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (s->generate_certs && ssl_sock_generate_certificate(trash.area, s, ssl)) {
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
/* switch ctx done in ssl_sock_generate_certificate */
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
goto allow_early;
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
}
#endif
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
if (!s->strict_sni) {
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
/* no certificate match, is the default_ctx */
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
ssl_sock_switchctx_set(ssl, s->default_ctx);
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
}
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
allow_early:
#ifdef OPENSSL_IS_BORINGSSL
if (allow_early)
SSL_set_early_data_enabled(ssl, 1);
#else
if (!allow_early)
SSL_set_max_early_data(ssl, 0);
#endif
return 1;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
abort:
/* abort handshake (was SSL_TLSEXT_ERR_ALERT_FATAL) */
conn->err_code = CO_ER_SSL_HANDSHAKE;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#ifdef OPENSSL_IS_BORINGSSL
MEDIUM: ssl: convert CBS (BoringSSL api) usage to neutral code switchctx early callback is only supported for BoringSSL. To prepare the support of openssl 1.1.1 early callback, convert CBS api to neutral code to work with any ssl libs.
2017-08-16 05:28:44 -04:00
return ssl_select_cert_error;
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#else
*al = SSL_AD_UNRECOGNIZED_NAME;
return 0;
#endif
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
}
#else /* OPENSSL_IS_BORINGSSL */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
/* Sets the SSL ctx of <ssl> to match the advertised server name. Returns a
* warning when no match is found, which implies the default (first) cert
* will keep being used.
*/
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
const char *servername;
const char *wildp = NULL;
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
struct ebmb_node *node, *n;
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
struct bind_conf *s = priv;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
int i;
(void)al; /* shut gcc stupid warning */
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
MEDIUM: ssl: add bind-option "strict-sni" This new option ensures that there is no possible fallback to a default certificate if the client does not provide an SNI which is explicitly handled by a certificate.
2013-01-24 11:17:15 -05:00
if (!servername) {
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl))
return SSL_TLSEXT_ERR_OK;
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
if (s->strict_sni)
return SSL_TLSEXT_ERR_ALERT_FATAL;
ssl_sock_switchctx_set(ssl, s->default_ctx);
return SSL_TLSEXT_ERR_NOACK;
MEDIUM: ssl: add bind-option "strict-sni" This new option ensures that there is no possible fallback to a default certificate if the client does not provide an SNI which is explicitly handled by a certificate.
2013-01-24 11:17:15 -05:00
}
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: make the trash be a chunk instead of a char * The trash is used everywhere to store the results of temporary strings built out of s(n)printf, or as a storage for a chunk when chunks are needed. Using global.tune.bufsize is not the most convenient thing either. So let's replace trash with a chunk and directly use it as such. We can then use trash.size as the natural way to get its size, and get rid of many intermediary chunks that were previously used. The patch is huge because it touches many areas but it makes the code a lot more clear and even outlines places where trash was used without being that obvious.
2012-10-29 11:51:55 -04:00
for (i = 0; i < trash.size; i++) {
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (!servername[i])
break;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = tolower(servername[i]);
if (!wildp && (trash.area[i] == '.'))
wildp = &trash.area[i];
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = 0;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
/* lookup in full qualified names */
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
node = ebst_lookup(&s->sni_ctx, trash.area);
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
/* lookup a not neg filter */
for (n = node; n; n = ebmb_next_dup(n)) {
if (!container_of(n, struct sni_ctx, name)->neg) {
node = n;
break;
MEDIUM: ssl: add bind-option "strict-sni" This new option ensures that there is no possible fallback to a default certificate if the client does not provide an SNI which is explicitly handled by a certificate.
2013-01-24 11:17:15 -05:00
}
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
}
if (!node && wildp) {
/* lookup in wildcards names */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
node = ebst_lookup(&s->sni_w_ctx, wildp);
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
}
if (!node || container_of(node, struct sni_ctx, name)->neg) {
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) {
/* switch ctx done in ssl_sock_generate_certificate */
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
return SSL_TLSEXT_ERR_OK;
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
if (s->strict_sni)
return SSL_TLSEXT_ERR_ALERT_FATAL;
ssl_sock_switchctx_set(ssl, s->default_ctx);
return SSL_TLSEXT_ERR_OK;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
/* switch ctx */
BUG/MEDIUM: ssl: fix verify/ca-file per certificate SSL verify and client_CA inherits from the initial ctx (default_ctx). When a certificate is found, the SSL connection environment must be replaced by the certificate configuration (via SSL_set_verify and SSL_set_client_CA_list).
2017-03-01 12:54:56 -05:00
ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return SSL_TLSEXT_ERR_OK;
}
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
#endif /* (!) OPENSSL_IS_BORINGSSL */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
#ifndef OPENSSL_NO_DH
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
static DH * ssl_get_dh_1024(void)
{
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
static unsigned char dh1024_p[]={
0xFA,0xF9,0x2A,0x22,0x2A,0xA7,0x7F,0xE1,0x67,0x4E,0x53,0xF7,
0x56,0x13,0xC3,0xB1,0xE3,0x29,0x6B,0x66,0x31,0x6A,0x7F,0xB3,
0xC2,0x68,0x6B,0xCB,0x1D,0x57,0x39,0x1D,0x1F,0xFF,0x1C,0xC9,
0xA6,0xA4,0x98,0x82,0x31,0x5D,0x25,0xFF,0x8A,0xE0,0x73,0x96,
0x81,0xC8,0x83,0x79,0xC1,0x5A,0x04,0xF8,0x37,0x0D,0xA8,0x3D,
0xAE,0x74,0xBC,0xDB,0xB6,0xA4,0x75,0xD9,0x71,0x8A,0xA0,0x17,
0x9E,0x2D,0xC8,0xA8,0xDF,0x2C,0x5F,0x82,0x95,0xF8,0x92,0x9B,
0xA7,0x33,0x5F,0x89,0x71,0xC8,0x2D,0x6B,0x18,0x86,0xC4,0x94,
0x22,0xA5,0x52,0x8D,0xF6,0xF6,0xD2,0x37,0x92,0x0F,0xA5,0xCC,
0xDB,0x7B,0x1D,0x3D,0xA1,0x31,0xB7,0x80,0x8F,0x0B,0x67,0x5E,
0x36,0xA5,0x60,0x0C,0xF1,0x95,0x33,0x8B,
};
static unsigned char dh1024_g[]={
0x02,
};
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
BIGNUM *p;
BIGNUM *g;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH *dh = DH_new();
if (dh) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL);
g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL);
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
if (!p || !g) {
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH_free(dh);
dh = NULL;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
} else {
DH_set0_pqg(dh, p, NULL, g);
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
}
return dh;
}
static DH *ssl_get_dh_2048(void)
{
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
static unsigned char dh2048_p[]={
0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59,
0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24,
0x8D,0xB5,0x38,0x9A,0xFB,0x5C,0xA4,0xE4,0xB2,0xDA,0xCE,0x66,
0x50,0x74,0xA6,0x85,0x4D,0x4B,0x1D,0x30,0xB8,0x2B,0xF3,0x10,
0xE9,0xA7,0x2D,0x05,0x71,0xE7,0x81,0xDF,0x8B,0x59,0x52,0x3B,
0x5F,0x43,0x0B,0x68,0xF1,0xDB,0x07,0xBE,0x08,0x6B,0x1B,0x23,
0xEE,0x4D,0xCC,0x9E,0x0E,0x43,0xA0,0x1E,0xDF,0x43,0x8C,0xEC,
0xBE,0xBE,0x90,0xB4,0x51,0x54,0xB9,0x2F,0x7B,0x64,0x76,0x4E,
0x5D,0xD4,0x2E,0xAE,0xC2,0x9E,0xAE,0x51,0x43,0x59,0xC7,0x77,
0x9C,0x50,0x3C,0x0E,0xED,0x73,0x04,0x5F,0xF1,0x4C,0x76,0x2A,
0xD8,0xF8,0xCF,0xFC,0x34,0x40,0xD1,0xB4,0x42,0x61,0x84,0x66,
0x42,0x39,0x04,0xF8,0x68,0xB2,0x62,0xD7,0x55,0xED,0x1B,0x74,
0x75,0x91,0xE0,0xC5,0x69,0xC1,0x31,0x5C,0xDB,0x7B,0x44,0x2E,
0xCE,0x84,0x58,0x0D,0x1E,0x66,0x0C,0xC8,0x44,0x9E,0xFD,0x40,
0x08,0x67,0x5D,0xFB,0xA7,0x76,0x8F,0x00,0x11,0x87,0xE9,0x93,
0xF9,0x7D,0xC4,0xBC,0x74,0x55,0x20,0xD4,0x4A,0x41,0x2F,0x43,
0x42,0x1A,0xC1,0xF2,0x97,0x17,0x49,0x27,0x37,0x6B,0x2F,0x88,
0x7E,0x1C,0xA0,0xA1,0x89,0x92,0x27,0xD9,0x56,0x5A,0x71,0xC1,
0x56,0x37,0x7E,0x3A,0x9D,0x05,0xE7,0xEE,0x5D,0x8F,0x82,0x17,
0xBC,0xE9,0xC2,0x93,0x30,0x82,0xF9,0xF4,0xC9,0xAE,0x49,0xDB,
0xD0,0x54,0xB4,0xD9,0x75,0x4D,0xFA,0x06,0xB8,0xD6,0x38,0x41,
0xB7,0x1F,0x77,0xF3,
};
static unsigned char dh2048_g[]={
0x02,
};
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
BIGNUM *p;
BIGNUM *g;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH *dh = DH_new();
if (dh) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
if (!p || !g) {
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH_free(dh);
dh = NULL;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
} else {
DH_set0_pqg(dh, p, NULL, g);
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
}
return dh;
}
static DH *ssl_get_dh_4096(void)
{
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
static unsigned char dh4096_p[]={
0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11,
0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68,
0x07,0xCE,0x64,0x50,0xE7,0x74,0x45,0x20,0x80,0x5E,0x4D,0xAD,
0xA5,0xB6,0xED,0xFA,0x80,0x6C,0x3B,0x35,0xC4,0x9A,0x14,0x6B,
0x32,0xBB,0xFD,0x1F,0x17,0x8E,0xB7,0x1F,0xD6,0xFA,0x3F,0x7B,
0xEE,0x16,0xA5,0x62,0x33,0x0D,0xED,0xBC,0x4E,0x58,0xE5,0x47,
0x4D,0xE9,0xAB,0x8E,0x38,0xD3,0x6E,0x90,0x57,0xE3,0x22,0x15,
0x33,0xBD,0xF6,0x43,0x45,0xB5,0x10,0x0A,0xBE,0x2C,0xB4,0x35,
0xB8,0x53,0x8D,0xAD,0xFB,0xA7,0x1F,0x85,0x58,0x41,0x7A,0x79,
0x20,0x68,0xB3,0xE1,0x3D,0x08,0x76,0xBF,0x86,0x0D,0x49,0xE3,
0x82,0x71,0x8C,0xB4,0x8D,0x81,0x84,0xD4,0xE7,0xBE,0x91,0xDC,
0x26,0x39,0x48,0x0F,0x35,0xC4,0xCA,0x65,0xE3,0x40,0x93,0x52,
0x76,0x58,0x7D,0xDD,0x51,0x75,0xDC,0x69,0x61,0xBF,0x47,0x2C,
0x16,0x68,0x2D,0xC9,0x29,0xD3,0xE6,0xC0,0x99,0x48,0xA0,0x9A,
0xC8,0x78,0xC0,0x6D,0x81,0x67,0x12,0x61,0x3F,0x71,0xBA,0x41,
0x1F,0x6C,0x89,0x44,0x03,0xBA,0x3B,0x39,0x60,0xAA,0x28,0x55,
0x59,0xAE,0xB8,0xFA,0xCB,0x6F,0xA5,0x1A,0xF7,0x2B,0xDD,0x52,
0x8A,0x8B,0xE2,0x71,0xA6,0x5E,0x7E,0xD8,0x2E,0x18,0xE0,0x66,
0xDF,0xDD,0x22,0x21,0x99,0x52,0x73,0xA6,0x33,0x20,0x65,0x0E,
0x53,0xE7,0x6B,0x9B,0xC5,0xA3,0x2F,0x97,0x65,0x76,0xD3,0x47,
0x23,0x77,0x12,0xB6,0x11,0x7B,0x24,0xED,0xF1,0xEF,0xC0,0xE2,
0xA3,0x7E,0x67,0x05,0x3E,0x96,0x4D,0x45,0xC2,0x18,0xD1,0x73,
0x9E,0x07,0xF3,0x81,0x6E,0x52,0x63,0xF6,0x20,0x76,0xB9,0x13,
0xD2,0x65,0x30,0x18,0x16,0x09,0x16,0x9E,0x8F,0xF1,0xD2,0x10,
0x5A,0xD3,0xD4,0xAF,0x16,0x61,0xDA,0x55,0x2E,0x18,0x5E,0x14,
0x08,0x54,0x2E,0x2A,0x25,0xA2,0x1A,0x9B,0x8B,0x32,0xA9,0xFD,
0xC2,0x48,0x96,0xE1,0x80,0xCA,0xE9,0x22,0x17,0xBB,0xCE,0x3E,
0x9E,0xED,0xC7,0xF1,0x1F,0xEC,0x17,0x21,0xDC,0x7B,0x82,0x48,
0x8E,0xBB,0x4B,0x9D,0x5B,0x04,0x04,0xDA,0xDB,0x39,0xDF,0x01,
0x40,0xC3,0xAA,0x26,0x23,0x89,0x75,0xC6,0x0B,0xD0,0xA2,0x60,
0x6A,0xF1,0xCC,0x65,0x18,0x98,0x1B,0x52,0xD2,0x74,0x61,0xCC,
0xBD,0x60,0xAE,0xA3,0xA0,0x66,0x6A,0x16,0x34,0x92,0x3F,0x41,
0x40,0x31,0x29,0xC0,0x2C,0x63,0xB2,0x07,0x8D,0xEB,0x94,0xB8,
0xE8,0x47,0x92,0x52,0x93,0x6A,0x1B,0x7E,0x1A,0x61,0xB3,0x1B,
0xF0,0xD6,0x72,0x9B,0xF1,0xB0,0xAF,0xBF,0x3E,0x65,0xEF,0x23,
0x1D,0x6F,0xFF,0x70,0xCD,0x8A,0x4C,0x8A,0xA0,0x72,0x9D,0xBE,
0xD4,0xBB,0x24,0x47,0x4A,0x68,0xB5,0xF5,0xC6,0xD5,0x7A,0xCD,
0xCA,0x06,0x41,0x07,0xAD,0xC2,0x1E,0xE6,0x54,0xA7,0xAD,0x03,
0xD9,0x12,0xC1,0x9C,0x13,0xB1,0xC9,0x0A,0x43,0x8E,0x1E,0x08,
0xCE,0x50,0x82,0x73,0x5F,0xA7,0x55,0x1D,0xD9,0x59,0xAC,0xB5,
0xEA,0x02,0x7F,0x6C,0x5B,0x74,0x96,0x98,0x67,0x24,0xA3,0x0F,
0x15,0xFC,0xA9,0x7D,0x3E,0x67,0xD1,0x70,0xF8,0x97,0xF3,0x67,
0xC5,0x8C,0x88,0x44,0x08,0x02,0xC7,0x2B,
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
};
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
static unsigned char dh4096_g[]={
0x02,
};
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
BIGNUM *p;
BIGNUM *g;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH *dh = DH_new();
if (dh) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL);
g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL);
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
if (!p || !g) {
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
DH_free(dh);
dh = NULL;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
} else {
DH_set0_pqg(dh, p, NULL, g);
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
}
return dh;
}
/* Returns Diffie-Hellman parameters matching the private key length
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
but not exceeding global_ssl.default_dh_param */
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
{
DH *dh = NULL;
EVP_PKEY *pkey = SSL_get_privatekey(ssl);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int type;
type = pkey ? EVP_PKEY_base_id(pkey) : EVP_PKEY_NONE;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
/* The keylen supplied by OpenSSL can only be 512 or 1024.
See ssl3_send_server_key_exchange() in ssl/s3_srvr.c
*/
if (type == EVP_PKEY_RSA || type == EVP_PKEY_DSA) {
keylen = EVP_PKEY_bits(pkey);
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (keylen > global_ssl.default_dh_param) {
keylen = global_ssl.default_dh_param;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
MEDIUM: ssl: replace standards DH groups with custom ones It is likely that powerful adversaries have been pre-computing the standardized DH groups, because being widely used have made them valuable targets. While users are advised to generate their own DH parameters, replace the ones we ship by values been randomly generated for this product only. [wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated ones as recommended by Rmi]
2015-05-29 10:26:17 -04:00
if (keylen >= 4096) {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
dh = local_dh_4096;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
else if (keylen >= 2048) {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
dh = local_dh_2048;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
else {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
dh = local_dh_1024;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
return dh;
}
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
static DH * ssl_sock_get_dh_from_file(const char *filename)
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
{
DH *dh = NULL;
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
BIO *in = BIO_new(BIO_s_file());
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
if (in == NULL)
goto end;
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
if (BIO_read_filename(in, filename) <= 0)
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
goto end;
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
end:
if (in)
BIO_free(in);
BUG/MEDIUM: ssl: loading dh param from certifile causes unpredictable error. If the dh parameter is not found, the openssl's error global stack was not correctly cleared causing unpredictable error during the following parsing (chain cert parsing for instance). This patch should be backported in 1.8 (and perhaps 1.7)
2018-08-16 09:14:12 -04:00
ERR_clear_error();
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
return dh;
}
int ssl_sock_load_global_dh_param_from_file(const char *filename)
{
global_dh = ssl_sock_get_dh_from_file(filename);
if (global_dh) {
return 0;
}
return -1;
}
/* Loads Diffie-Hellman parameter from a file. Returns 1 if loaded, else -1
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
if an error occurred, and 0 if parameter not found. */
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
{
int ret = -1;
DH *dh = ssl_sock_get_dh_from_file(file);
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
if (dh) {
ret = 1;
SSL_CTX_set_tmp_dh(ctx, dh);
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
if (ssl_dh_ptr_index >= 0) {
/* store a pointer to the DH params to avoid complaining about
ssl-default-dh-param not being set for this SSL_CTX */
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
}
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
else if (global_dh) {
SSL_CTX_set_tmp_dh(ctx, global_dh);
ret = 0; /* DH params not found */
}
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
else {
BUG/MEDIUM: ssl: EDH ciphers are not usable if no DH parameters present in pem file. Uses default defined DH parameters when none present in pem file.
2013-04-26 05:05:44 -04:00
/* Clear openssl global errors stack */
ERR_clear_error();
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.default_dh_param <= 1024) {
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
/* we are limited to DH parameter of 1024 bits anyway */
BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params() Roberto Guimaraes reported that Valgrind complains about a leak in ssl_get_dh_1024(). This is caused caused by an oversight in ssl_sock_load_dh_params(), where local_dh_1024 is always replaced by a new DH object even if it already holds one. This patch simply checks whether local_dh_1024 is NULL before calling ssl_get_dh_1024().
2016-07-02 10:26:10 -04:00
if (local_dh_1024 == NULL)
local_dh_1024 = ssl_get_dh_1024();
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
if (local_dh_1024 == NULL)
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
goto end;
BUG/MEDIUM: Revert "MEDIUM: ssl: Add standardized DH parameters >= 1024 bits" This reverts commit 9ece05f590e9ce9a9e276652b1ec1f3c08ce8d25. Sander Klein reported an important performance regression with this patch applied. It is not yet certain what is exactly the cause but let's not break other setups now and sort this out after dev24. The commit was merged into dev23, no need to backport.
2014-04-25 15:35:23 -04:00
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
}
BUG/MEDIUM: Revert "MEDIUM: ssl: Add standardized DH parameters >= 1024 bits" This reverts commit 9ece05f590e9ce9a9e276652b1ec1f3c08ce8d25. Sander Klein reported an important performance regression with this patch applied. It is not yet certain what is exactly the cause but let's not break other setups now and sort this out after dev24. The commit was merged into dev23, no need to backport.
2014-04-25 15:35:23 -04:00
BUG/MEDIUM: ssl: EDH ciphers are not usable if no DH parameters present in pem file. Uses default defined DH parameters when none present in pem file.
2013-04-26 05:05:44 -04:00
ret = 0; /* DH params not found */
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
}
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
end:
if (dh)
DH_free(dh);
return ret;
}
#endif
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
static int ssl_sock_add_cert_sni(SSL_CTX *ctx, struct bind_conf *s, struct ssl_bind_conf *conf,
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
struct pkey_info kinfo, char *name, int order)
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
{
struct sni_ctx *sc;
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
int wild = 0, neg = 0;
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
struct ebmb_node *node;
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
if (*name == '!') {
neg = 1;
name++;
}
if (*name == '*') {
wild = 1;
name++;
}
/* !* filter is a nop */
if (neg && wild)
return order;
if (*name) {
int j, len;
len = strlen(name);
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
for (j = 0; j < len && j < trash.size; j++)
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[j] = tolower(name[j]);
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
if (j >= trash.size)
return order;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[j] = 0;
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
/* Check for duplicates. */
if (wild)
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
node = ebst_lookup(&s->sni_w_ctx, trash.area);
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
else
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
node = ebst_lookup(&s->sni_ctx, trash.area);
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
for (; node; node = ebmb_next_dup(node)) {
sc = ebmb_entry(node, struct sni_ctx, name);
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
if (sc->ctx == ctx && sc->conf == conf && sc->neg == neg)
BUG/MINOR: ssl: prevent multiple entries for the same certificate Today, the certificate are indexed int he SNI tree using their CN and the list of thier AltNames. So, Some certificates have the same names in the CN and one of the AltNames entries. Typically Let's Encrypt duplicate the the DNS name in the CN and the AltName. This patch prevents the creation of identical entries in the trees. It checks the same DNS name and the same SSL context. If the same certificate is registered two time it will be duplicated. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:56:48 -04:00
return order;
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
sc = malloc(sizeof(struct sni_ctx) + len + 1);
BUG/MINOR: ssl: Check malloc return code If malloc() can't allocate memory and return NULL, a segfaut will raises. This patch should be backported in the 1.6 and 1.5 version.
2016-10-06 04:35:29 -04:00
if (!sc)
return order;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(sc->name.key, trash.area, len + 1);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
sc->ctx = ctx;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
sc->conf = conf;
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
sc->kinfo = kinfo;
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
sc->order = order++;
sc->neg = neg;
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
if (kinfo.sig != TLSEXT_signature_anonymous)
SSL_CTX_set_ex_data(ctx, ssl_pkey_info_index, &sc->kinfo);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
if (wild)
ebst_insert(&s->sni_w_ctx, &sc->name);
else
ebst_insert(&s->sni_ctx, &sc->name);
}
return order;
}
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
/* The following code is used for loading multiple crt files into
* SSL_CTX's based on CN/SAN
*/
BUILD/MEDIUM: Fixing the build using LibreSSL Fixing the build using LibreSSL as OpenSSL implementation. Currently, LibreSSL 2.4.4 provides the same API of OpenSSL 1.0.1x, but it redefine the OpenSSL version number as 2.0.x, breaking all checks with OpenSSL 1.1.x. The patch solves the issue checking the definition of the symbol LIBRESSL_VERSION_NUMBER when Openssl 1.1.x features are requested.
2016-12-12 04:56:56 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(LIBRESSL_VERSION_NUMBER)
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
/* This is used to preload the certifcate, private key
* and Cert Chain of a file passed in via the crt
* argument
*
* This way, we do not have to read the file multiple times
*/
struct cert_key_and_chain {
X509 *cert;
EVP_PKEY *key;
unsigned int num_chain_certs;
/* This is an array of X509 pointers */
X509 **chain_certs;
};
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
#define SSL_SOCK_POSSIBLE_KT_COMBOS (1<<(SSL_SOCK_NUM_KEYTYPES))
struct key_combo_ctx {
SSL_CTX *ctx;
int order;
};
/* Map used for processing multiple keypairs for a single purpose
*
* This maps CN/SNI name to certificate type
*/
struct sni_keytype {
int keytypes; /* BITMASK for keytypes */
struct ebmb_node name; /* node holding the servername value */
};
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
/* Frees the contents of a cert_key_and_chain
*/
static void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
{
int i;
if (!ckch)
return;
/* Free the certificate and set pointer to NULL */
if (ckch->cert)
X509_free(ckch->cert);
ckch->cert = NULL;
/* Free the key and set pointer to NULL */
if (ckch->key)
EVP_PKEY_free(ckch->key);
ckch->key = NULL;
/* Free each certificate in the chain */
for (i = 0; i < ckch->num_chain_certs; i++) {
if (ckch->chain_certs[i])
X509_free(ckch->chain_certs[i]);
}
/* Free the chain obj itself and set to NULL */
if (ckch->num_chain_certs > 0) {
free(ckch->chain_certs);
ckch->num_chain_certs = 0;
ckch->chain_certs = NULL;
}
}
/* checks if a key and cert exists in the ckch
*/
static int ssl_sock_is_ckch_valid(struct cert_key_and_chain *ckch)
{
return (ckch->cert != NULL && ckch->key != NULL);
}
/* Loads the contents of a crt file (path) into a cert_key_and_chain
* This allows us to carry the contents of the file without having to
* read the file multiple times.
*
* returns:
* 0 on Success
* 1 on SSL Failure
* 2 on file not found
*/
static int ssl_sock_load_crt_file_into_ckch(const char *path, struct cert_key_and_chain *ckch, char **err)
{
BIO *in;
X509 *ca = NULL;
int ret = 1;
ssl_sock_free_cert_key_and_chain_contents(ckch);
in = BIO_new(BIO_s_file());
if (in == NULL)
goto end;
if (BIO_read_filename(in, path) <= 0)
goto end;
/* Read Private Key */
ckch->key = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL);
if (ckch->key == NULL) {
memprintf(err, "%sunable to load private key from file '%s'.\n",
err && *err ? *err : "", path);
goto end;
}
BUG/MEDIUM: ssl: rewind the BIO when reading certificates Emeric found that some certificate files that were valid with the old method (the one with the explicit name involving SSL_CTX_use_PrivateKey_file()) do not work anymore with the new one (the one trying to load multiple cert types using PEM_read_bio_PrivateKey()). With the last one, the private key couldn't be loaded. The difference was related to the ordering in the PEM file was different. The old method would always work. The new method only works if the private key is at the top, or if it appears as an "EC" private key. The cause in fact is that we never rewind the BIO between the various calls. So this patch moves the loading of the private key as the first step, then it rewinds the BIO, and then it loads the cert and the chain. With this everything works. No backport is needed, this issue came with the recent addition of the multi-cert support.
2016-04-06 13:02:38 -04:00
/* Seek back to beginning of file */
BUILD/CLEANUP: ssl: Check BIO_reset() return code The BIO_reset function can fails, and the error is not processed. This patch just take in account the return code of the BIO_reset() function.
2016-10-13 18:49:21 -04:00
if (BIO_reset(in) == -1) {
memprintf(err, "%san error occurred while reading the file '%s'.\n",
err && *err ? *err : "", path);
goto end;
}
BUG/MEDIUM: ssl: rewind the BIO when reading certificates Emeric found that some certificate files that were valid with the old method (the one with the explicit name involving SSL_CTX_use_PrivateKey_file()) do not work anymore with the new one (the one trying to load multiple cert types using PEM_read_bio_PrivateKey()). With the last one, the private key couldn't be loaded. The difference was related to the ordering in the PEM file was different. The old method would always work. The new method only works if the private key is at the top, or if it appears as an "EC" private key. The cause in fact is that we never rewind the BIO between the various calls. So this patch moves the loading of the private key as the first step, then it rewinds the BIO, and then it loads the cert and the chain. With this everything works. No backport is needed, this issue came with the recent addition of the multi-cert support.
2016-04-06 13:02:38 -04:00
/* Read Certificate */
ckch->cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
if (ckch->cert == NULL) {
memprintf(err, "%sunable to load certificate from file '%s'.\n",
err && *err ? *err : "", path);
goto end;
}
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
/* Read Certificate Chain */
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
/* Grow the chain certs */
ckch->num_chain_certs++;
ckch->chain_certs = realloc(ckch->chain_certs, (ckch->num_chain_certs * sizeof(X509 *)));
/* use - 1 here since we just incremented it above */
ckch->chain_certs[ckch->num_chain_certs - 1] = ca;
}
ret = ERR_get_error();
if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s'.\n",
err && *err ? *err : "", path);
ret = 1;
goto end;
}
ret = 0;
end:
ERR_clear_error();
if (in)
BIO_free(in);
/* Something went wrong in one of the reads */
if (ret != 0)
ssl_sock_free_cert_key_and_chain_contents(ckch);
return ret;
}
/* Loads the info in ckch into ctx
* Currently, this does not process any information about ocsp, dhparams or
* sctl
* Returns
* 0 on success
* 1 on failure
*/
static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
{
int i = 0;
if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
if (!SSL_CTX_use_certificate(ctx, ckch->cert)) {
memprintf(err, "%sunable to load SSL certificate into SSL Context '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
for (i = 0; i < ckch->num_chain_certs; i++) {
if (!SSL_CTX_add1_chain_cert(ctx, ckch->chain_certs[i])) {
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
memprintf(err, "%sunable to load chain certificate #%d into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
err && *err ? *err : "", (i+1), path);
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
return 1;
}
}
if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
return 0;
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
static void ssl_sock_populate_sni_keytypes_hplr(const char *str, struct eb_root *sni_keytypes, int key_index)
{
struct sni_keytype *s_kt = NULL;
struct ebmb_node *node;
int i;
for (i = 0; i < trash.size; i++) {
if (!str[i])
break;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = tolower(str[i]);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
trash.area[i] = 0;
node = ebst_lookup(sni_keytypes, trash.area);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
if (!node) {
/* CN not found in tree */
s_kt = malloc(sizeof(struct sni_keytype) + i + 1);
/* Using memcpy here instead of strncpy.
* strncpy will cause sig_abrt errors under certain versions of gcc with -O2
* See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60792
*/
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(s_kt->name.key, trash.area, i+1);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
s_kt->keytypes = 0;
ebst_insert(sni_keytypes, &s_kt->name);
} else {
/* CN found in tree */
s_kt = container_of(node, struct sni_keytype, name);
}
/* Mark that this CN has the keytype of key_index via keytypes mask */
s_kt->keytypes |= 1<<key_index;
}
/* Given a path that does not exist, try to check for path.rsa, path.dsa and path.ecdsa files.
* If any are found, group these files into a set of SSL_CTX*
* based on shared and unique CN and SAN entries. Add these SSL_CTX* to the SNI tree.
*
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* This will allow the user to explicitly group multiple cert/keys for a single purpose
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
*
* Returns
* 0 on success
* 1 on failure
*/
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
char **sni_filter, int fcount, char **err)
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
{
char fp[MAXPATHLEN+1] = {0};
int n = 0;
int i = 0;
struct cert_key_and_chain certs_and_keys[SSL_SOCK_NUM_KEYTYPES] = { {0} };
struct eb_root sni_keytypes_map = { {0} };
struct ebmb_node *node;
struct ebmb_node *next;
/* Array of SSL_CTX pointers corresponding to each possible combo
* of keytypes
*/
struct key_combo_ctx key_combos[SSL_SOCK_POSSIBLE_KT_COMBOS] = { {0} };
int rv = 0;
X509_NAME *xname = NULL;
char *str = NULL;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
STACK_OF(GENERAL_NAME) *names = NULL;
#endif
/* Load all possible certs and keys */
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
struct stat buf;
snprintf(fp, sizeof(fp), "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
if (stat(fp, &buf) == 0) {
if (ssl_sock_load_crt_file_into_ckch(fp, &certs_and_keys[n], err) == 1) {
rv = 1;
goto end;
}
}
}
/* Process each ckch and update keytypes for each CN/SAN
* for example, if CN/SAN www.a.com is associated with
* certs with keytype 0 and 2, then at the end of the loop,
* www.a.com will have:
* keyindex = 0 | 1 | 4 = 5
*/
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
if (!ssl_sock_is_ckch_valid(&certs_and_keys[n]))
continue;
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
if (fcount) {
BUILD: ssl: fix typo causing a build failure in the multicert patch I just noticed that SSL wouldn't build anymore since this afternoon's patch : src/ssl_sock.c: In function 'ssl_sock_load_multi_cert': src/ssl_sock.c:1982:26: warning: left-hand operand of comma expression has no effect [-Wunused-value] for (i = 0; i < fcount, i++) ^ src/ssl_sock.c:1982:31: error: expected ';' before ')' token for (i = 0; i < fcount, i++) ^ Makefile:791: recipe for target 'src/ssl_sock.o' failed make: *** [src/ssl_sock.o] Error 1
2016-06-20 17:01:57 -04:00
for (i = 0; i < fcount; i++)
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
ssl_sock_populate_sni_keytypes_hplr(sni_filter[i], &sni_keytypes_map, n);
} else {
/* A lot of the following code is OpenSSL boilerplate for processing CN's and SAN's,
* so the line that contains logic is marked via comments
*/
xname = X509_get_subject_name(certs_and_keys[n].cert);
i = -1;
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_STRING *value;
value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
/* Important line is here */
ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
OPENSSL_free(str);
str = NULL;
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
}
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
/* Do the above logic for each SAN */
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: ssl: support SNI filters with multicerts SNI filters used to be ignored with multicerts (eg: those providing ECDSA and RSA at the same time). This patch makes them work like other certs. Note: most of the changes in this patch are due to an extra level of indent, read it with "git show -b".
2016-05-13 05:14:06 -04:00
names = X509_get_ext_d2i(certs_and_keys[n].cert, NID_subject_alt_name, NULL, NULL);
if (names) {
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
if (name->type == GEN_DNS) {
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
/* Important line is here */
ssl_sock_populate_sni_keytypes_hplr(str, &sni_keytypes_map, n);
OPENSSL_free(str);
str = NULL;
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
}
}
}
}
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
}
/* If no files found, return error */
if (eb_is_empty(&sni_keytypes_map)) {
memprintf(err, "%sunable to load SSL certificate file '%s' file does not exist.\n",
err && *err ? *err : "", path);
rv = 1;
goto end;
}
/* We now have a map of CN/SAN to keytypes that are loaded in
* Iterate through the map to create the SSL_CTX's (if needed)
* and add each CTX to the SNI tree
*
* Some math here:
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* There are 2^n - 1 possible combinations, each unique
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
* combination is denoted by the key in the map. Each key
* has a value between 1 and 2^n - 1. Conveniently, the array
* of SSL_CTX* is sized 2^n. So, we can simply use the i'th
* entry in the array to correspond to the unique combo (key)
* associated with i. This unique key combo (i) will be associated
* with combos[i-1]
*/
node = ebmb_first(&sni_keytypes_map);
while (node) {
SSL_CTX *cur_ctx;
BUG/MEDIUM: ssl: Store certificate filename in a variable Before this change, trash is being used to create certificate filename to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp() modify trash leading to potential wrong information given in later error message. This also blocks any further use of certificate filename for other usage, like ongoing patch to support Certificate Transparency handling in Multi-Cert bundle.
2016-11-13 11:37:13 -05:00
char cur_file[MAXPATHLEN+1];
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
const struct pkey_info kinfo = { .sig = TLSEXT_signature_anonymous, .bits = 0 };
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
str = (char *)container_of(node, struct sni_keytype, name)->name.key;
i = container_of(node, struct sni_keytype, name)->keytypes;
cur_ctx = key_combos[i-1].ctx;
if (cur_ctx == NULL) {
/* need to create SSL_CTX */
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
cur_ctx = SSL_CTX_new(SSLv23_server_method());
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
if (cur_ctx == NULL) {
memprintf(err, "%sunable to allocate SSL context.\n",
err && *err ? *err : "");
rv = 1;
goto end;
}
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
/* Load all required certs/keys/chains/OCSPs info into SSL_CTX */
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
if (i & (1<<n)) {
/* Key combo contains ckch[n] */
BUG/MEDIUM: ssl: Store certificate filename in a variable Before this change, trash is being used to create certificate filename to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp() modify trash leading to potential wrong information given in later error message. This also blocks any further use of certificate filename for other usage, like ongoing patch to support Certificate Transparency handling in Multi-Cert bundle.
2016-11-13 11:37:13 -05:00
snprintf(cur_file, MAXPATHLEN+1, "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
if (ssl_sock_put_ckch_into_ctx(cur_file, &certs_and_keys[n], cur_ctx, err) != 0) {
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
SSL_CTX_free(cur_ctx);
rv = 1;
goto end;
}
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
/* Load OCSP Info into context */
BUG/MEDIUM: ssl: Store certificate filename in a variable Before this change, trash is being used to create certificate filename to read in care Mutli-Cert are in used. But then ssl_sock_load_ocsp() modify trash leading to potential wrong information given in later error message. This also blocks any further use of certificate filename for other usage, like ongoing patch to support Certificate Transparency handling in Multi-Cert bundle.
2016-11-13 11:37:13 -05:00
if (ssl_sock_load_ocsp(cur_ctx, cur_file) < 0) {
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
if (err)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
BUG/MINOR: ssl: Print correct filename when error occurs reading OCSP When Multi-Cert bundle are used, error is throwned regarding certificate filename without including certifcate type extension.
2016-11-13 11:37:14 -05:00
*err ? *err : "", cur_file);
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
SSL_CTX_free(cur_ctx);
rv = 1;
goto end;
}
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
#elif (defined OPENSSL_IS_BORINGSSL)
ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);
MEDIUM: ssl: Added support for Multi-Cert OCSP Stapling Enabled loading of OCSP staple responses (.ocsp files) when processing a bundled certificate with multiple keytypes.
2015-12-10 15:07:30 -05:00
#endif
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
}
}
/* Load DH params into the ctx to support DHE keys */
#ifndef OPENSSL_NO_DH
if (ssl_dh_ptr_index >= 0)
SSL_CTX_set_ex_data(cur_ctx, ssl_dh_ptr_index, NULL);
rv = ssl_sock_load_dh_params(cur_ctx, NULL);
if (rv < 0) {
if (err)
memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
*err ? *err : "", path);
rv = 1;
goto end;
}
#endif
/* Update key_combos */
key_combos[i-1].ctx = cur_ctx;
}
/* Update SNI Tree */
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
key_combos[i-1].order = ssl_sock_add_cert_sni(cur_ctx, bind_conf, ssl_conf,
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
kinfo, str, key_combos[i-1].order);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
node = ebmb_next(node);
}
/* Mark a default context if none exists, using the ctx that has the most shared keys */
if (!bind_conf->default_ctx) {
for (i = SSL_SOCK_POSSIBLE_KT_COMBOS - 1; i >= 0; i--) {
if (key_combos[i].ctx) {
bind_conf->default_ctx = key_combos[i].ctx;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
bind_conf->default_ssl_conf = ssl_conf;
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
break;
}
}
}
end:
if (names)
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++)
ssl_sock_free_cert_key_and_chain_contents(&certs_and_keys[n]);
node = ebmb_first(&sni_keytypes_map);
while (node) {
next = ebmb_next(node);
ebmb_delete(node);
node = next;
}
return rv;
}
#else
/* This is a dummy, that just logs an error and returns error */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
char **sni_filter, int fcount, char **err)
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
{
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
err && *err ? *err : "", path, strerror(errno));
return 1;
}
MINOR: ssl: Added cert_key_and_chain struct Added cert_key_and_chain struct to ssl. This struct will store the contents of a crt path (from the config file) into memory. This will allow us to use the data stored in memory instead of reading the file multiple times. This will be used to support a later commit to load multiple pkeys/certs into a single SSL_CTX
2015-12-01 15:16:07 -05:00
#endif /* #if OPENSSL_VERSION_NUMBER >= 0x1000200fL: Support for loading multiple certs into a single SSL_CTX */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
/* Loads a certificate key and CA chain from a file. Returns 0 on error, -1 if
* an early error happens and the caller must call SSL_CTX_free() by itelf.
*/
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_sock_load_cert_chain_file(SSL_CTX *ctx, const char *file, struct bind_conf *s,
struct ssl_bind_conf *ssl_conf, char **sni_filter, int fcount)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
BIO *in;
X509 *x = NULL, *ca;
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
int i, err;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
int ret = -1;
int order = 0;
X509_NAME *xname;
char *str;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
pem_password_cb *passwd_cb;
void *passwd_cb_userdata;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
EVP_PKEY *pkey;
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
struct pkey_info kinfo = { .sig = TLSEXT_signature_anonymous, .bits = 0 };
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
STACK_OF(GENERAL_NAME) *names;
#endif
in = BIO_new(BIO_s_file());
if (in == NULL)
goto end;
if (BIO_read_filename(in, file) <= 0)
goto end;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
passwd_cb = SSL_CTX_get_default_passwd_cb(ctx);
passwd_cb_userdata = SSL_CTX_get_default_passwd_cb_userdata(ctx);
x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_cb_userdata);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (x == NULL)
goto end;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
pkey = X509_get_pubkey(x);
if (pkey) {
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
kinfo.bits = EVP_PKEY_bits(pkey);
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
switch(EVP_PKEY_base_id(pkey)) {
case EVP_PKEY_RSA:
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
kinfo.sig = TLSEXT_signature_rsa;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
break;
case EVP_PKEY_EC:
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
kinfo.sig = TLSEXT_signature_ecdsa;
break;
case EVP_PKEY_DSA:
kinfo.sig = TLSEXT_signature_dsa;
MEDIUM: boringssl: support native multi-cert selection without bundling This patch used boringssl's callback to analyse CLientHello before any handshake to extract key signature capabilities. Certificat with better signature (ECDSA before RSA) is choosed transparenty, if client can support it. RSA and ECDSA certificates can be declare in a row (without order). This makes it possible to set different ssl and filter parameter with crt-list.
2017-02-20 10:11:50 -05:00
break;
}
EVP_PKEY_free(pkey);
}
BUG/MEDIUM: Fix crt-list file parsing error: filtered name was ignored. Also add support for multiple filtered names on same certificate (per line).
2013-04-22 07:05:23 -04:00
if (fcount) {
while (fcount--)
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, sni_filter[fcount], order);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
}
else {
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
names = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (names) {
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
if (name->type == GEN_DNS) {
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, str, order);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
OPENSSL_free(str);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
}
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
xname = X509_get_subject_name(x);
i = -1;
while ((i = X509_NAME_get_index_by_NID(xname, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(xname, i);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_STRING *value;
value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
MINOR: ssl: extract full pkey info in load_certificate Private key information is used in switchctx to implement native multicert selection (ecdsa/rsa/anonymous). This patch extract and store full pkey information: dsa type and pkey size in bits. This can be used for switchctx or to report pkey informations in ppv2 and log.
2017-10-27 12:43:29 -04:00
order = ssl_sock_add_cert_sni(ctx, s, ssl_conf, kinfo, str, order);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
OPENSSL_free(str);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
}
}
ret = 0; /* the caller must not free the SSL_CTX argument anymore */
if (!SSL_CTX_use_certificate(ctx, x))
goto end;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#ifdef SSL_CTX_clear_extra_chain_certs
SSL_CTX_clear_extra_chain_certs(ctx);
#else
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (ctx->extra_certs != NULL) {
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#endif
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_cb_userdata))) {
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
X509_free(ca);
goto end;
}
}
err = ERR_get_error();
if (!err || (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
/* we successfully reached the last cert in the file */
ret = 1;
}
ERR_clear_error();
end:
if (x)
X509_free(x);
if (in)
BIO_free(in);
return ret;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
char **sni_filter, int fcount, char **err)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
int ret;
SSL_CTX *ctx;
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
ctx = SSL_CTX_new(SSLv23_server_method());
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (!ctx) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "%sunable to allocate SSL context for cert '%s'.\n",
err && *err ? *err : "", path);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return 1;
}
if (SSL_CTX_use_PrivateKey_file(ctx, path, SSL_FILETYPE_PEM) <= 0) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "%sunable to load SSL private key from PEM file '%s'.\n",
err && *err ? *err : "", path);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_CTX_free(ctx);
return 1;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ret = ssl_sock_load_cert_chain_file(ctx, path, bind_conf, ssl_conf, sni_filter, fcount);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (ret <= 0) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "%sunable to load SSL certificate from PEM file '%s'.\n",
err && *err ? *err : "", path);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
if (ret < 0) /* serious error, must do that ourselves */
SSL_CTX_free(ctx);
return 1;
}
MINOR: ssl: checks the consistency of a private key with the corresponding certificate
2012-10-26 07:35:33 -04:00
if (SSL_CTX_check_private_key(ctx) <= 0) {
memprintf(err, "%sinconsistencies between private key and certificate loaded from PEM file '%s'.\n",
err && *err ? *err : "", path);
return 1;
}
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
/* we must not free the SSL_CTX anymore below, since it's already in
* the tree, so it will be discovered and cleaned in time.
*/
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
#ifndef OPENSSL_NO_DH
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
/* store a NULL pointer to indicate we have not yet loaded
a custom DH param file */
if (ssl_dh_ptr_index >= 0) {
SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
}
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
ret = ssl_sock_load_dh_params(ctx, path);
if (ret < 0) {
if (err)
memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
*err ? *err : "", path);
return 1;
}
#endif
BUILD: ssl: use OPENSSL_NO_OCSP to detect OCSP support Since commit 656c5fa7e859 ("BUILD: ssl: disable OCSP when using boringssl) the OCSP code is bypassed when OPENSSL_IS_BORINGSSL is defined. The correct thing to do here is to use OPENSSL_NO_OCSP instead, which is defined for this exact purpose in openssl/opensslfeatures.h. This makes haproxy forward compatible if boringssl ever introduces full OCSP support with the additional benefit that it links fine against a OCSP-disabled openssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2014-12-09 10:32:51 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
ret = ssl_sock_load_ocsp(ctx, path);
if (ret < 0) {
if (err)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
*err ? *err : "", path);
return 1;
}
MINOR: boringssl: basic support for OCSP Stapling Use boringssl SSL_CTX_set_ocsp_response to set OCSP response from file with '.ocsp' extension. CLI update is not supported.
2017-05-22 08:58:00 -04:00
#elif (defined OPENSSL_IS_BORINGSSL)
ssl_sock_set_ocsp_response_from_file(ctx, path);
MEDIUM: ssl: basic OCSP stapling support. The support is all based on static responses. This doesn't add any request / response logic to HAProxy, but allows a way to update information through the socket interface. Currently certificates specified using "crt" or "crt-list" on "bind" lines are loaded as PEM files. For each PEM file, haproxy checks for the presence of file at the same path suffixed by ".ocsp". If such file is found, support for the TLS Certificate Status Request extension (also known as "OCSP stapling") is automatically enabled. The content of this file is optional. If not empty, it must contain a valid OCSP Response in DER format. In order to be valid an OCSP Response must comply with the following rules: it has to indicate a good status, it has to be a single response for the certificate of the PEM file, and it has to be valid at the moment of addition. If these rules are not respected the OCSP Response is ignored and a warning is emitted. In order to identify which certificate an OCSP Response applies to, the issuer's certificate is necessary. If the issuer's certificate is not found in the PEM file, it will be loaded from a file at the same path as the PEM file suffixed by ".issuer" if it exists otherwise it will fail with an error. It is possible to update an OCSP Response from the unix socket using: set ssl ocsp-response <response> This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The <response> must be passed as a base64 encoded string of the DER encoded response from the OCSP server. Example: openssl ocsp -issuer issuer.pem -cert server.pem \ -host ocsp.issuer.com:80 -respout resp.der echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat This feature is automatically enabled on openssl 0.9.8h and above. This work was performed jointly by Dirkjan Bussink of GitHub and Emeric Brun of HAProxy Technologies.
2014-06-16 12:36:30 -04:00
#endif
BUILD: check for libressl to be able to build against it [wt: might be worth backporting it to 1.6]
2015-11-06 14:02:41 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
if (sctl_ex_index >= 0) {
ret = ssl_sock_load_sctl(ctx, path);
if (ret < 0) {
if (err)
memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
*err ? *err : "", path);
return 1;
}
}
#endif
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
if (bind_conf->default_ctx) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",
err && *err ? *err : "");
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return 1;
}
#endif
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!bind_conf->default_ctx) {
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
bind_conf->default_ctx = ctx;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
bind_conf->default_ssl_conf = ssl_conf;
}
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return 0;
}
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
MINOR: ssl: load certificates in alphabetical order As reported by Raphal Enrici, certificates loaded from a directory are loaded in a non predictive order. If no certificate was first loaded from a file, it can result in different behaviours when haproxy is used in cluster. We can also imagine other cases which weren't met yet. Instead of using readdir(), we can use scandir() and sort files alphabetically. This will ensure a predictive behaviour. This patch should also be backported to 1.5.
2015-01-24 18:16:08 -05:00
struct dirent **de_list;
int i, n;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
DIR *dir;
struct stat buf;
BUILD: ssl: NAME_MAX is not portable, use MAXPATHLEN instead At least Solaris doesn't know about NAME_MAX, so let's use the more portable MAXPATHLEN instead. This issue was reported by Benjamin Polidore.
2012-12-06 05:36:59 -05:00
char *end;
char fp[MAXPATHLEN+1];
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
int cfgerr = 0;
MEDIUM: ssl: Added multi cert support for loading crt directories Loading of multiple certs into shared contexts is now supported if a user specifies a directory instead of a cert file.
2015-12-09 13:35:14 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
int is_bundle;
int j;
#endif
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
if (stat(path, &buf) == 0) {
dir = opendir(path);
if (!dir)
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
return ssl_sock_load_cert_file(path, bind_conf, NULL, NULL, 0, err);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
/* strip trailing slashes, including first one */
for (end = path + strlen(path) - 1; end >= path && *end == '/'; end--)
*end = 0;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
n = scandir(path, &de_list, 0, alphasort);
if (n < 0) {
memprintf(err, "%sunable to scan directory '%s' : %s.\n",
err && *err ? *err : "", path, strerror(errno));
cfgerr++;
}
else {
for (i = 0; i < n; i++) {
struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.');
if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl")))
goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
if (stat(fp, &buf) != 0) {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
err && *err ? *err : "", fp, strerror(errno));
cfgerr++;
goto ignore_entry;
}
if (!S_ISREG(buf.st_mode))
goto ignore_entry;
MEDIUM: ssl: Added multi cert support for loading crt directories Loading of multiple certs into shared contexts is now supported if a user specifies a directory instead of a cert file.
2015-12-09 13:35:14 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
is_bundle = 0;
/* Check if current entry in directory is part of a multi-cert bundle */
if (end) {
for (j = 0; j < SSL_SOCK_NUM_KEYTYPES; j++) {
if (!strcmp(end + 1, SSL_SOCK_KEYTYPE_NAMES[j])) {
is_bundle = 1;
break;
}
}
if (is_bundle) {
char dp[MAXPATHLEN+1] = {0}; /* this will be the filename w/o the keytype */
int dp_len;
dp_len = end - de->d_name;
snprintf(dp, dp_len + 1, "%s", de->d_name);
/* increment i and free de until we get to a non-bundle cert
* Note here that we look at de_list[i + 1] before freeing de
* this is important since ignore_entry will free de
*/
while (i + 1 < n && !strncmp(de_list[i + 1]->d_name, dp, dp_len)) {
free(de);
i++;
de = de_list[i];
}
snprintf(fp, sizeof(fp), "%s/%s", path, dp);
BUG/MEDIUM: ssl: fix missing error loading a keytype cert from a bundle. If there was an issue loading a keytype's part of a bundle, the bundle was implicitly ignored without errors. This patch should be backported in 1.8 (and perhaps 1.7)
2018-08-16 09:11:12 -04:00
cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);
MEDIUM: ssl: Added multi cert support for loading crt directories Loading of multiple certs into shared contexts is now supported if a user specifies a directory instead of a cert file.
2015-12-09 13:35:14 -05:00
/* Successfully processed the bundle */
goto ignore_entry;
}
}
#endif
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
cfgerr += ssl_sock_load_cert_file(fp, bind_conf, NULL, NULL, 0, err);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
ignore_entry:
free(de);
MINOR: ssl: load certificates in alphabetical order As reported by Raphal Enrici, certificates loaded from a directory are loaded in a non predictive order. If no certificate was first loaded from a file, it can result in different behaviours when haproxy is used in cluster. We can also imagine other cases which weren't met yet. Instead of using readdir(), we can use scandir() and sort files alphabetically. This will ensure a predictive behaviour. This patch should also be backported to 1.5.
2015-01-24 18:16:08 -05:00
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
free(de_list);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
closedir(dir);
return cfgerr;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
cfgerr = ssl_sock_load_multi_cert(path, bind_conf, NULL, NULL, 0, err);
MEDIUM: ssl: Added support for creating SSL_CTX with multiple certs Added ability for users to specify multiple certificates that all relate a single server. Users do this by specifying certificate "cert_name.pem" but having "cert_name.pem.rsa", "cert_name.pem.dsa" and/or "cert_name.pem.ecdsa" in the directory. HAProxy will now intelligently search for those 3 files and try combine them into as few SSL_CTX's as possible based on CN/SAN. This will allow HAProxy to support multiple ciphersuite key algorithms off a single SSL_CTX. This change integrates into the existing architecture of SNI lookup and multiple SNI's can point to the same SSL_CTX, which can support multiple key_types.
2015-12-02 13:01:29 -05:00
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return cfgerr;
}
BUG/MEDIUM: ssl: openssl 0.9.8 doesn't open /dev/random before chroot Openssl needs to access /dev/urandom to initialize its internal random number generator. It does so when it needs a random for the first time, which fails if it is a handshake performed after the chroot(), causing all SSL incoming connections to fail. This fix consists in calling RAND_bytes() to produce a random before the chroot, which will in turn open /dev/urandom before it's too late, and avoid the issue. If the random generator fails to work while processing the config, haproxy now fails with an error instead of causing SSL connections to fail at runtime.
2013-01-24 08:15:43 -05:00
/* Make sure openssl opens /dev/urandom before the chroot. The work is only
* done once. Zero is returned if the operation fails. No error is returned
* if the random is said as not implemented, because we expect that openssl
* will use another method once needed.
*/
static int ssl_initialize_random()
{
unsigned char random;
static int random_initialized = 0;
if (!random_initialized && RAND_bytes(&random, 1) != 0)
random_initialized = 1;
return random_initialized;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
/* release ssl bind conf */
void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
{
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (conf) {
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
free(conf->npn_str);
conf->npn_str = NULL;
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
free(conf->alpn_str);
conf->alpn_str = NULL;
#endif
free(conf->ca_file);
conf->ca_file = NULL;
free(conf->crl_file);
conf->crl_file = NULL;
free(conf->ciphers);
conf->ciphers = NULL;
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
free(conf->ciphersuites);
conf->ciphersuites = NULL;
#endif
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
free(conf->curves);
conf->curves = NULL;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
free(conf->ecdhe);
conf->ecdhe = NULL;
}
}
int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct proxy *curproxy, char **err)
{
char thisline[CRT_LINESIZE];
char path[MAXPATHLEN+1];
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
FILE *f;
MINOR: ssl: Added multi cert support for crt-list config keyword Added support for loading mutiple certs into shared contexts when they are specified in a crt-list Note that it's not practical to support SNI filters with multicerts, so any SNI filters that's provided to the crt-list is ignored if a multi-cert opertion is used.
2015-12-02 13:54:14 -05:00
struct stat buf;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
int linenum = 0;
int cfgerr = 0;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
if ((f = fopen(file, "r")) == NULL) {
memprintf(err, "cannot open file '%s' : %s", file, strerror(errno));
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
return 1;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
while (fgets(thisline, sizeof(thisline), f) != NULL) {
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
int arg, newarg, cur_arg, i, ssl_b = 0, ssl_e = 0;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
char *end;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
char *args[MAX_CRT_ARGS + 1];
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
char *line = thisline;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
char *crt_path;
struct ssl_bind_conf *ssl_conf = NULL;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
linenum++;
end = line + strlen(line);
if (end-line == sizeof(thisline)-1 && *(end-1) != '\n') {
/* Check if we reached the limit and the last char is not \n.
* Watch out for the last line without the terminating '\n'!
*/
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
memprintf(err, "line %d too long in file '%s', limit is %d characters",
linenum, file, (int)sizeof(thisline)-1);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
cfgerr = 1;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
break;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
}
arg = 0;
BUG/MEDIUM: Fix crt-list file parsing error: filtered name was ignored. Also add support for multiple filtered names on same certificate (per line).
2013-04-22 07:05:23 -04:00
newarg = 1;
while (*line) {
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
if (*line == '#' || *line == '\n' || *line == '\r') {
/* end of string, end of loop */
*line = 0;
break;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
} else if (isspace(*line)) {
BUG/MEDIUM: Fix crt-list file parsing error: filtered name was ignored. Also add support for multiple filtered names on same certificate (per line).
2013-04-22 07:05:23 -04:00
newarg = 1;
*line = 0;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
} else if (*line == '[') {
if (ssl_b) {
memprintf(err, "too many '[' on line %d in file '%s'.", linenum, file);
cfgerr = 1;
break;
}
if (!arg) {
memprintf(err, "file must start with a cert on line %d in file '%s'", linenum, file);
cfgerr = 1;
break;
}
ssl_b = arg;
newarg = 1;
*line = 0;
} else if (*line == ']') {
if (ssl_e) {
memprintf(err, "too many ']' on line %d in file '%s'.", linenum, file);
cfgerr = 1;
break;
}
if (!ssl_b) {
memprintf(err, "missing '[' in line %d in file '%s'.", linenum, file);
cfgerr = 1;
break;
}
ssl_e = arg;
newarg = 1;
*line = 0;
} else if (newarg) {
if (arg == MAX_CRT_ARGS) {
memprintf(err, "too many args on line %d in file '%s'.", linenum, file);
BUG/MEDIUM: Fix crt-list file parsing error: filtered name was ignored. Also add support for multiple filtered names on same certificate (per line).
2013-04-22 07:05:23 -04:00
cfgerr = 1;
break;
}
newarg = 0;
args[arg++] = line;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
}
BUG/MEDIUM: Fix crt-list file parsing error: filtered name was ignored. Also add support for multiple filtered names on same certificate (per line).
2013-04-22 07:05:23 -04:00
line++;
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
}
MEDIUM: ssl: improve crt-list format to support negation Improve the crt-list file format to allow a rule to negate a certain SNI : <crtfile> [[!]<snifilter> ...] This can be useful when a domain supports a wildcard but you don't want to deliver the wildcard cert for certain specific domains.
2013-05-07 14:20:06 -04:00
if (cfgerr)
break;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
args[arg++] = line;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
/* empty line */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!*args[0])
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
continue;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
crt_path = args[0];
if (*crt_path != '/' && global_ssl.crt_base) {
if ((strlen(global_ssl.crt_base) + 1 + strlen(crt_path)) > MAXPATHLEN) {
memprintf(err, "'%s' : path too long on line %d in file '%s'",
crt_path, linenum, file);
cfgerr = 1;
break;
}
snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, crt_path);
crt_path = path;
}
ssl_conf = calloc(1, sizeof *ssl_conf);
cur_arg = ssl_b ? ssl_b : 1;
while (cur_arg < ssl_e) {
newarg = 0;
for (i = 0; ssl_bind_kws[i].kw != NULL; i++) {
if (strcmp(ssl_bind_kws[i].kw, args[cur_arg]) == 0) {
newarg = 1;
cfgerr = ssl_bind_kws[i].parse(args, cur_arg, curproxy, ssl_conf, err);
if (cur_arg + 1 + ssl_bind_kws[i].skip > ssl_e) {
memprintf(err, "ssl args out of '[]' for %s on line %d in file '%s'",
args[cur_arg], linenum, file);
cfgerr = 1;
}
cur_arg += 1 + ssl_bind_kws[i].skip;
break;
}
}
if (!cfgerr && !newarg) {
memprintf(err, "unknown ssl keyword %s on line %d in file '%s'.",
args[cur_arg], linenum, file);
cfgerr = 1;
break;
}
}
if (cfgerr) {
ssl_sock_free_ssl_conf(ssl_conf);
free(ssl_conf);
ssl_conf = NULL;
break;
}
if (stat(crt_path, &buf) == 0) {
cfgerr = ssl_sock_load_cert_file(crt_path, bind_conf, ssl_conf,
&args[cur_arg], arg - cur_arg - 1, err);
MINOR: ssl: Added multi cert support for crt-list config keyword Added support for loading mutiple certs into shared contexts when they are specified in a crt-list Note that it's not practical to support SNI filters with multicerts, so any SNI filters that's provided to the crt-list is ignored if a multi-cert opertion is used.
2015-12-02 13:54:14 -05:00
} else {
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
cfgerr = ssl_sock_load_multi_cert(crt_path, bind_conf, ssl_conf,
&args[cur_arg], arg - cur_arg - 1, err);
MINOR: ssl: Added multi cert support for crt-list config keyword Added support for loading mutiple certs into shared contexts when they are specified in a crt-list Note that it's not practical to support SNI filters with multicerts, so any SNI filters that's provided to the crt-list is ignored if a multi-cert opertion is used.
2015-12-02 13:54:14 -05:00
}
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
if (cfgerr) {
memprintf(err, "error processing line %d in file '%s' : %s", linenum, file, *err);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
break;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
}
fclose(f);
return cfgerr;
}
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
/* Create an initial CTX used to start the SSL connection before switchctx */
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
static int
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
ssl_sock_initial_ctx(struct bind_conf *bind_conf)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
SSL_CTX *ctx = NULL;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
long options =
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_OP_ALL | /* all known workarounds for bugs */
SSL_OP_NO_SSLv2 |
SSL_OP_NO_COMPRESSION |
MINOR: ssl: try to load Diffie-Hellman parameters from cert file Feature is disabled if openssl compiled with OPENSSL_NO_DH.
2012-09-20 10:19:02 -04:00
SSL_OP_SINGLE_DH_USE |
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
SSL_OP_SINGLE_ECDH_USE |
MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.
2012-10-04 12:44:19 -04:00
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
MINOR: ssl: set SSL_OP_PRIORITIZE_CHACHA Sets OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA unconditionally, as per [1]: When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize ChaCha20-Poly1305 ciphers to the top of the server cipher list if a ChaCha20-Poly1305 cipher is at the top of the client cipher list. This helps those clients (e.g. mobile) use ChaCha20-Poly1305 if that cipher is anywhere in the server cipher list; but still allows other clients to use AES and other ciphers. Requires SSL_OP_CIPHER_SERVER_PREFERENCE. [1] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_clear_options.html
2018-05-18 11:55:57 -04:00
SSL_OP_PRIORITIZE_CHACHA |
MINOR: ssl: remove prefer-server-ciphers statement and set it as the default on ssl listeners.
2012-10-04 12:44:19 -04:00
SSL_OP_CIPHER_SERVER_PREFERENCE;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
long mode =
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
MEDIUM: ssl: add support for smaller SSL records There's a very common openssl patch on the net meant to significantly reduce openssl's memory usage. This patch has been provided for many versions now, and it makes sense to add support for it given that it is very simple. It only requires to add an extra SSL_MODE flag. Just like for other flags, if the flag is unknown, it's unset. About 44kB of memory may be saved per SSL session with the patch.
2014-11-13 08:06:52 -05:00
SSL_MODE_RELEASE_BUFFERS |
SSL_MODE_SMALL_BUFFERS;
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
struct tls_version_filter *conf_ssl_methods = &bind_conf->ssl_conf.ssl_methods;
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
int i, min, max, hole;
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
int flags = MC_SSL_O_ALL;
int cfgerr = 0;
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
ctx = SSL_CTX_new(SSLv23_server_method());
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
bind_conf->initial_ctx = ctx;
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Proxy '%s': no-sslv3/no-tlsv1x are ignored for bind '%s' at [%s:%d]. "
"Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n",
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
else
flags = conf_ssl_methods->flags;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
MEDIUM: ssl: disable SSLv3 per default for bind For security, disable SSLv3 on bind line must be the default configuration. SSLv3 can be enabled with "ssl-min-ver SSLv3".
2017-05-15 09:53:41 -04:00
min = conf_ssl_methods->min;
max = conf_ssl_methods->max;
/* start with TLSv10 to remove SSLv3 per default */
if (!min && (!max || max >= CONF_TLSV10))
min = CONF_TLSV10;
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
/* Real min and max should be determinate with configuration and openssl's capabilities */
MEDIUM: ssl: disable SSLv3 per default for bind For security, disable SSLv3 on bind line must be the default configuration. SSLv3 can be enabled with "ssl-min-ver SSLv3".
2017-05-15 09:53:41 -04:00
if (min)
flags |= (methodVersions[min].flag - 1);
if (max)
flags |= ~((methodVersions[max].flag << 1) - 1);
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
/* find min, max and holes */
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
min = max = CONF_TLSV_NONE;
hole = 0;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
/* version is in openssl && version not disable in configuration */
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
if (methodVersions[i].option && !(flags & methodVersions[i].flag)) {
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
if (min) {
if (hole) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Proxy '%s': SSL/TLS versions range not contiguous for bind '%s' at [%s:%d]. "
"Hole find for %s. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n",
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line,
methodVersions[hole].name);
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
hole = 0;
}
max = i;
}
else {
min = max = i;
}
}
else {
if (min)
hole = i;
}
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
if (!min) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': all SSL/TLS versions are disabled for bind '%s' at [%s:%d].\n",
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
cfgerr += 1;
}
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
/* save real min/max in bind_conf */
conf_ssl_methods->min = min;
conf_ssl_methods->max = max;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
MINOR: ssl: build with recent BoringSSL library BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2017-10-02 11:12:06 -04:00
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
/* Keep force-xxx implementation as it is in older haproxy. It's a
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
precautionary measure to avoid any surprise with older openssl version. */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (min == max)
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
methodVersions[min].ctx_set_version(ctx, SET_SERVER);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
else
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (flags & methodVersions[i].flag)
options |= methodVersions[i].option;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
#else /* openssl >= 1.1.0 */
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
methodVersions[min].ctx_set_version(ctx, SET_MIN);
methodVersions[max].ctx_set_version(ctx, SET_MAX);
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
#endif
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
if (bind_conf->ssl_options & BC_SSL_O_PREF_CLIE_CIPH)
options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages In OpenSSL 1.1.1 TLS 1.3 KeyUpdate messages will trigger the callback that is used to verify renegotiation is disabled. This means that these KeyUpdate messages fail. In OpenSSL 1.1.1 a better mechanism is available with the SSL_OP_NO_RENEGOTIATION flag that disables any TLS 1.2 and earlier negotiation. So if this SSL_OP_NO_RENEGOTIATION flag is available, instead of having a manual check, trust OpenSSL and disable the check. This means that TLS 1.3 KeyUpdate messages will work properly. Reported-By: Adam Langley <agl@imperialviolet.org>
2019-01-21 12:35:03 -05:00
#ifdef SSL_OP_NO_RENEGOTIATION
options |= SSL_OP_NO_RENEGOTIATION;
#endif
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
SSL_CTX_set_options(ctx, options);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
if (global_ssl.async)
mode |= SSL_MODE_ASYNC;
#endif
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
SSL_CTX_set_mode(ctx, mode);
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
if (global_ssl.life_time)
SSL_CTX_set_timeout(ctx, global_ssl.life_time);
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
#ifdef OPENSSL_IS_BORINGSSL
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT. When using early data, disable the OpenSSL anti-replay protection, and set the max amount of early data we're ready to accept, based on the size of buffers, or early data won't work with the released OpenSSL 1.1.1. This should be backported to 1.8.
2019-01-02 12:46:41 -05:00
if (bind_conf->ssl_conf.early_data) {
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
}
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback. Native multi certificate and SSL/TLS method per certificate is now supported by Openssl >= 1.1.1.
2017-08-16 05:33:17 -04:00
SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
#else
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
#endif
MINOR: ssl: generated certificate is missing in switchctx early callback Openssl 1.1.1 supports switchctx early callback and generated certificate. Generated certificate calls must be available in switchctx early callback.
2017-08-14 05:01:25 -04:00
SSL_CTX_set_tlsext_servername_arg(ctx, bind_conf);
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
#endif
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
return cfgerr;
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
}
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
static inline void sh_ssl_sess_free_blocks(struct shared_block *first, struct shared_block *block)
{
if (first == block) {
struct sh_ssl_sess_hdr *sh_ssl_sess = (struct sh_ssl_sess_hdr *)first->data;
if (first->len > 0)
sh_ssl_sess_tree_delete(sh_ssl_sess);
}
}
/* return first block from sh_ssl_sess */
static inline struct shared_block *sh_ssl_sess_first_block(struct sh_ssl_sess_hdr *sh_ssl_sess)
{
return (struct shared_block *)((unsigned char *)sh_ssl_sess - ((struct shared_block *)NULL)->data);
}
/* store a session into the cache
* s_id : session id padded with zero to SSL_MAX_SSL_SESSION_ID_LENGTH
* data: asn1 encoded session
* data_len: asn1 encoded session length
* Returns 1 id session was stored (else 0)
*/
static int sh_ssl_sess_store(unsigned char *s_id, unsigned char *data, int data_len)
{
struct shared_block *first;
struct sh_ssl_sess_hdr *sh_ssl_sess, *oldsh_ssl_sess;
MINOR: shctx: Shared objects block by block allocation. This patch makes shctx capable of storing objects in several parts, each parts being made of several blocks. There is no more need to walk through until reaching the end of a row to append new blocks. A new pointer to a struct shared_block member, named last_reserved, has been added to struct shared_block so that to memorize the last block which was reserved by shctx_row_reserve_hot(). Same thing about "last_append" pointer which is used to memorize the last block used by shctx_row_data_append() to store the data.
2018-10-22 11:55:57 -04:00
first = shctx_row_reserve_hot(ssl_shctx, NULL, data_len + sizeof(struct sh_ssl_sess_hdr));
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
if (!first) {
/* Could not retrieve enough free blocks to store that session */
return 0;
}
/* STORE the key in the first elem */
sh_ssl_sess = (struct sh_ssl_sess_hdr *)first->data;
memcpy(sh_ssl_sess->key_data, s_id, SSL_MAX_SSL_SESSION_ID_LENGTH);
first->len = sizeof(struct sh_ssl_sess_hdr);
/* it returns the already existing node
or current node if none, never returns null */
oldsh_ssl_sess = sh_ssl_sess_tree_insert(sh_ssl_sess);
if (oldsh_ssl_sess != sh_ssl_sess) {
/* NOTE: Row couldn't be in use because we lock read & write function */
/* release the reserved row */
shctx_row_dec_hot(ssl_shctx, first);
/* replace the previous session already in the tree */
sh_ssl_sess = oldsh_ssl_sess;
/* ignore the previous session data, only use the header */
first = sh_ssl_sess_first_block(sh_ssl_sess);
shctx_row_inc_hot(ssl_shctx, first);
first->len = sizeof(struct sh_ssl_sess_hdr);
}
MINOR: shctx: Shared objects block by block allocation. This patch makes shctx capable of storing objects in several parts, each parts being made of several blocks. There is no more need to walk through until reaching the end of a row to append new blocks. A new pointer to a struct shared_block member, named last_reserved, has been added to struct shared_block so that to memorize the last block which was reserved by shctx_row_reserve_hot(). Same thing about "last_append" pointer which is used to memorize the last block used by shctx_row_data_append() to store the data.
2018-10-22 11:55:57 -04:00
if (shctx_row_data_append(ssl_shctx, first, NULL, data, data_len) < 0) {
BUG/MEDIUM: ssl: cache doesn't release shctx blocks Since the rework of the shctx with the hot list system, the ssl cache was putting session inside the hot list, without removing them. Once all block were used, they were all locked in the hot list, which was forbiding to reuse them for new sessions. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Jeffrey J. Persch for reporting this bug. Must be backported to 1.8.
2018-01-03 13:15:51 -05:00
shctx_row_dec_hot(ssl_shctx, first);
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
return 0;
BUG/MEDIUM: ssl: cache doesn't release shctx blocks Since the rework of the shctx with the hot list system, the ssl cache was putting session inside the hot list, without removing them. Once all block were used, they were all locked in the hot list, which was forbiding to reuse them for new sessions. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Jeffrey J. Persch for reporting this bug. Must be backported to 1.8.
2018-01-03 13:15:51 -05:00
}
shctx_row_dec_hot(ssl_shctx, first);
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
return 1;
}
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
/* SSL callback used when a new session is created while connecting to a server */
static int ssl_sess_new_srv_cb(SSL *ssl, SSL_SESSION *sess)
{
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
struct connection *conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
struct server *s;
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
s = __objt_server(conn->target);
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
if (!(s->ssl_ctx.options & SRV_SSL_O_NO_REUSE)) {
int len;
unsigned char *ptr;
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
len = i2d_SSL_SESSION(sess, NULL);
if (s->ssl_ctx.reused_sess[tid].ptr && s->ssl_ctx.reused_sess[tid].allocated_size >= len) {
ptr = s->ssl_ctx.reused_sess[tid].ptr;
} else {
free(s->ssl_ctx.reused_sess[tid].ptr);
ptr = s->ssl_ctx.reused_sess[tid].ptr = malloc(len);
s->ssl_ctx.reused_sess[tid].allocated_size = len;
}
if (s->ssl_ctx.reused_sess[tid].ptr) {
s->ssl_ctx.reused_sess[tid].size = i2d_SSL_SESSION(sess,
&ptr);
}
} else {
free(s->ssl_ctx.reused_sess[tid].ptr);
s->ssl_ctx.reused_sess[tid].ptr = NULL;
}
return 0;
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
}
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* SSL callback used on new session creation */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
int sh_ssl_sess_new_cb(SSL *ssl, SSL_SESSION *sess)
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
{
unsigned char encsess[SHSESS_MAX_DATA_LEN]; /* encoded session */
unsigned char encid[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* encoded id */
unsigned char *p;
int data_len;
unsigned int sid_length, sid_ctx_length;
const unsigned char *sid_data;
const unsigned char *sid_ctx_data;
/* Session id is already stored in to key and session id is known
* so we dont store it to keep size.
*/
sid_data = SSL_SESSION_get_id(sess, &sid_length);
sid_ctx_data = SSL_SESSION_get0_id_context(sess, &sid_ctx_length);
SSL_SESSION_set1_id(sess, sid_data, 0);
SSL_SESSION_set1_id_context(sess, sid_ctx_data, 0);
/* check if buffer is large enough for the ASN1 encoded session */
data_len = i2d_SSL_SESSION(sess, NULL);
if (data_len > SHSESS_MAX_DATA_LEN)
goto err;
p = encsess;
/* process ASN1 session encoding before the lock */
i2d_SSL_SESSION(sess, &p);
memcpy(encid, sid_data, sid_length);
if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH)
memset(encid + sid_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH-sid_length);
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_lock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* store to cache */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
sh_ssl_sess_store(encid, encsess, data_len);
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_unlock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
err:
/* reset original length values */
SSL_SESSION_set1_id(sess, sid_data, sid_length);
SSL_SESSION_set1_id_context(sess, sid_ctx_data, sid_ctx_length);
return 0; /* do not increment session reference count */
}
/* SSL callback used on lookup an existing session cause none found in internal cache */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
SSL_SESSION *sh_ssl_sess_get_cb(SSL *ssl, __OPENSSL_110_CONST__ unsigned char *key, int key_len, int *do_copy)
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
{
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
struct sh_ssl_sess_hdr *sh_ssl_sess;
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
unsigned char data[SHSESS_MAX_DATA_LEN], *p;
unsigned char tmpkey[SSL_MAX_SSL_SESSION_ID_LENGTH];
SSL_SESSION *sess;
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
struct shared_block *first;
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
global.shctx_lookups++;
/* allow the session to be freed automatically by openssl */
*do_copy = 0;
/* tree key is zeros padded sessionid */
if (key_len < SSL_MAX_SSL_SESSION_ID_LENGTH) {
memcpy(tmpkey, key, key_len);
memset(tmpkey + key_len, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - key_len);
key = tmpkey;
}
/* lock cache */
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_lock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* lookup for session */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
sh_ssl_sess = sh_ssl_sess_tree_lookup(key);
if (!sh_ssl_sess) {
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* no session found: unlock cache and exit */
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_unlock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
global.shctx_misses++;
return NULL;
}
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
/* sh_ssl_sess (shared_block->data) is at the end of shared_block */
first = sh_ssl_sess_first_block(sh_ssl_sess);
shctx_row_data_get(ssl_shctx, first, data, sizeof(struct sh_ssl_sess_hdr), first->len-sizeof(struct sh_ssl_sess_hdr));
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_unlock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* decode ASN1 session */
p = data;
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
sess = d2i_SSL_SESSION(NULL, (const unsigned char **)&p, first->len-sizeof(struct sh_ssl_sess_hdr));
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* Reset session id and session id contenxt */
if (sess) {
SSL_SESSION_set1_id(sess, key, key_len);
SSL_SESSION_set1_id_context(sess, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
}
return sess;
}
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* SSL callback used to signal session is no more used in internal cache */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
void sh_ssl_sess_remove_cb(SSL_CTX *ctx, SSL_SESSION *sess)
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
{
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
struct sh_ssl_sess_hdr *sh_ssl_sess;
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
unsigned char tmpkey[SSL_MAX_SSL_SESSION_ID_LENGTH];
unsigned int sid_length;
const unsigned char *sid_data;
(void)ctx;
sid_data = SSL_SESSION_get_id(sess, &sid_length);
/* tree key is zeros padded sessionid */
if (sid_length < SSL_MAX_SSL_SESSION_ID_LENGTH) {
memcpy(tmpkey, sid_data, sid_length);
memset(tmpkey+sid_length, 0, SSL_MAX_SSL_SESSION_ID_LENGTH - sid_length);
sid_data = tmpkey;
}
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_lock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* lookup for session */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
sh_ssl_sess = sh_ssl_sess_tree_lookup(sid_data);
if (sh_ssl_sess) {
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
/* free session */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
sh_ssl_sess_tree_delete(sh_ssl_sess);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
}
/* unlock cache */
MINOR: shctx: rename lock functions Rename lock functions to shctx_lock() and shctx_unlock() to be coherent with the new API.
2017-10-30 18:44:40 -04:00
shctx_unlock(ssl_shctx);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
}
/* Set session cache mode to server and disable openssl internal cache.
* Set shared cache callbacks on an ssl context.
* Shared context MUST be firstly initialized */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
void ssl_set_shctx(SSL_CTX *ctx)
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
{
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)SHCTX_APPNAME, strlen(SHCTX_APPNAME));
if (!ssl_shctx) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
return;
}
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER |
SSL_SESS_CACHE_NO_INTERNAL |
SSL_SESS_CACHE_NO_AUTO_CLEAR);
/* Set callbacks */
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
SSL_CTX_sess_set_new_cb(ctx, sh_ssl_sess_new_cb);
SSL_CTX_sess_set_get_cb(ctx, sh_ssl_sess_get_cb);
SSL_CTX_sess_set_remove_cb(ctx, sh_ssl_sess_remove_cb);
REORG: shctx: move ssl functions to ssl_sock.c Move the ssl callback functions of the ssl shared session cache to ssl_sock.c. The shctx functions still needs to be separated of the ssl tree and data.
2017-10-30 14:36:36 -04:00
}
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf, SSL_CTX *ctx)
{
struct proxy *curproxy = bind_conf->frontend;
int cfgerr = 0;
int verify = SSL_VERIFY_NONE;
BUILD: ssl: silence a warning when building without NPN nor ALPN support When building with a library not offering any of these, ssl_conf_cur is not used. Can be backported to 1.8.
2018-01-04 12:55:19 -05:00
struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
const char *conf_ciphers;
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
const char *conf_ciphersuites;
#endif
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
const char *conf_curves = NULL;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
if (ssl_conf) {
struct tls_version_filter *conf_ssl_methods = &ssl_conf->ssl_methods;
int i, min, max;
int flags = MC_SSL_O_ALL;
/* Real min and max should be determinate with configuration and openssl's capabilities */
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
min = conf_ssl_methods->min ? conf_ssl_methods->min : bind_conf->ssl_conf.ssl_methods.min;
max = conf_ssl_methods->max ? conf_ssl_methods->max : bind_conf->ssl_conf.ssl_methods.max;
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
if (min)
flags |= (methodVersions[min].flag - 1);
if (max)
flags |= ~((methodVersions[max].flag << 1) - 1);
min = max = CONF_TLSV_NONE;
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (methodVersions[i].option && !(flags & methodVersions[i].flag)) {
if (min)
max = i;
else
min = max = i;
}
/* save real min/max */
conf_ssl_methods->min = min;
conf_ssl_methods->max = max;
if (!min) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': all SSL/TLS versions are disabled for bind '%s' at [%s:%d].\n",
bind_conf->frontend->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
cfgerr += 1;
}
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
switch ((ssl_conf && ssl_conf->verify) ? ssl_conf->verify : bind_conf->ssl_conf.verify) {
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
case SSL_SOCK_VERIFY_NONE:
verify = SSL_VERIFY_NONE;
break;
case SSL_SOCK_VERIFY_OPTIONAL:
verify = SSL_VERIFY_PEER;
break;
case SSL_SOCK_VERIFY_REQUIRED:
verify = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
break;
}
SSL_CTX_set_verify(ctx, verify, ssl_sock_bind_verifycbk);
if (verify & SSL_VERIFY_PEER) {
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
char *ca_file = (ssl_conf && ssl_conf->ca_file) ? ssl_conf->ca_file : bind_conf->ssl_conf.ca_file;
char *crl_file = (ssl_conf && ssl_conf->crl_file) ? ssl_conf->crl_file : bind_conf->ssl_conf.crl_file;
if (ca_file) {
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
/* load CAfile to verify */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!SSL_CTX_load_verify_locations(ctx, ca_file, NULL)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to load CA file '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, ca_file, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
cfgerr++;
}
MINOR: ssl: add "no-ca-names" parameter for bind This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list".
2017-07-28 09:01:05 -04:00
if (!((ssl_conf && ssl_conf->no_ca_names) || bind_conf->ssl_conf.no_ca_names)) {
/* set CA names for client cert request, function returns void */
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(ca_file));
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
}
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': verify is enabled but no CA file specified for bind '%s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
cfgerr++;
}
BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
2012-10-02 13:25:50 -04:00
#ifdef X509_V_FLAG_CRL_CHECK
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (crl_file) {
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!store || !X509_STORE_load_locations(store, crl_file, NULL)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to configure CRL file '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, crl_file, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
cfgerr++;
}
BUG/MINOR: ssl: Fix CRL check was not enabled when crlfile was specified.
2012-10-02 09:20:55 -04:00
else {
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
}
BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
2012-10-02 13:25:50 -04:00
#endif
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
ERR_clear_error();
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
MINOR: Add TLS ticket keys reference and use it in the listener struct Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:00 -04:00
if(bind_conf->keys_ref) {
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to set callback for TLS ticket validation for bind '%s' at [%s:%d].\n",
curproxy->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
cfgerr++;
}
}
#endif
MEDIUM: shctx: separate ssl and shctx This patch reorganize the shctx API in a generic storage API, separating the shared SSL session handling from its core. The shctx API only handles the generic data part, it does not know what kind of data you use with it. A shared_context is a storage structure allocated in a shared memory, allowing its usage in a multithread or a multiprocess context. The structure use 2 linked list, one containing the available blocks, and another for the hot locked blocks. At initialization the available list is filled with <maxblocks> blocks of size <blocksize>. An <extra> space is initialized outside the list in case you need some specific storage. +-----------------------+--------+--------+--------+--------+---- | struct shared_context | extra | block1 | block2 | block3 | ... +-----------------------+--------+--------+--------+--------+---- <-------- maxblocks ---------> * blocksize The API allows to store content on several linked blocks. For example, if you allocated blocks of 16 bytes, and you want to store an object of 60 bytes, the object will be allocated in a row of 4 blocks. The API was made for LRU usage, each time you get an object, it pushes the object at the end of the list. When it needs more space, it discards The functions name have been renamed in a more logical way, the part regarding shctx have been prefixed by shctx_ and the functions for the shared ssl session cache have been prefixed by sh_ssl_sess_.
2017-10-30 15:08:51 -04:00
ssl_set_shctx(ctx);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
conf_ciphers = (ssl_conf && ssl_conf->ciphers) ? ssl_conf->ciphers : bind_conf->ssl_conf.ciphers;
if (conf_ciphers &&
!SSL_CTX_set_cipher_list(ctx, conf_ciphers)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to set SSL cipher list to '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, conf_ciphers, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
cfgerr++;
}
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
if (conf_ciphersuites &&
!SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
ha_alert("Proxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
cfgerr++;
}
#endif
BUILD: ssl: fix build with -DOPENSSL_NO_DH
2017-03-03 11:04:14 -05:00
#ifndef OPENSSL_NO_DH
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
/* If tune.ssl.default-dh-param has not been set,
neither has ssl-default-dh-file and no static DH
params were in the certificate file. */
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.default_dh_param == 0 &&
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
global_dh == NULL &&
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
(ssl_dh_ptr_index == -1 ||
SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
BUILD: ssl: fix build with -DOPENSSL_NO_DH
2017-03-03 11:04:14 -05:00
STACK_OF(SSL_CIPHER) * ciphers = NULL;
const SSL_CIPHER * cipher = NULL;
char cipher_description[128];
/* The description of ciphers using an Ephemeral Diffie Hellman key exchange
contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
which is not ephemeral DH. */
const char dhe_description[] = " Kx=DH ";
const char dhe_export_description[] = " Kx=DH(";
int idx = 0;
int dhe_found = 0;
SSL *ssl = NULL;
MINOR: ssl: don't use boringssl's cipher_list Google's boringssl has a different cipher_list, we cannot use it as in OpenSSL. This is due to the "Equal preference cipher groups" feature: https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/ also see: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits") to check if DHE ciphers are used. So, if boringssl is used, the patch just assumes that there is some DHE cipher enabled. This will lead to false positives, but thats better than compiler warnings and crashes. This may be replaced one day by properly implementing the the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2014-08-17 18:56:33 -04:00
MINOR: ssl: use SSL_get_ciphers() instead of directly accessing the cipher list.
2014-10-10 11:04:26 -04:00
ssl = SSL_new(ctx);
if (ssl) {
ciphers = SSL_get_ciphers(ssl);
if (ciphers) {
for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
cipher = sk_SSL_CIPHER_value(ciphers, idx);
if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
if (strstr(cipher_description, dhe_description) != NULL ||
strstr(cipher_description, dhe_export_description) != NULL) {
dhe_found = 1;
break;
}
MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the cipher description. In OpenSSL, the name of a cipher using ephemeral diffie-hellman for key exchange can start with EDH, but also DHE, EXP-EDH or EXP1024-DHE. We work around this issue by using the cipher's description instead of the cipher's name. Hopefully the description is less likely to change in the future.
2014-06-12 12:20:11 -04:00
}
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
}
MINOR: ssl: use SSL_get_ciphers() instead of directly accessing the cipher list.
2014-10-10 11:04:26 -04:00
SSL_free(ssl);
ssl = NULL;
MINOR: ssl: don't use boringssl's cipher_list Google's boringssl has a different cipher_list, we cannot use it as in OpenSSL. This is due to the "Equal preference cipher groups" feature: https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/ also see: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits") to check if DHE ciphers are used. So, if boringssl is used, the patch just assumes that there is some DHE cipher enabled. This will lead to false positives, but thats better than compiler warnings and crashes. This may be replaced one day by properly implementing the the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2014-08-17 18:56:33 -04:00
}
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
MINOR: ssl: don't use boringssl's cipher_list Google's boringssl has a different cipher_list, we cannot use it as in OpenSSL. This is due to the "Equal preference cipher groups" feature: https://boringssl.googlesource.com/boringssl/+/858a88daf27975f67d9f63e18f95645be2886bfb^!/ also see: https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html cipher_list is used in haproxy since commit f46cd6e4ec3a ("MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits") to check if DHE ciphers are used. So, if boringssl is used, the patch just assumes that there is some DHE cipher enabled. This will lead to false positives, but thats better than compiler warnings and crashes. This may be replaced one day by properly implementing the the new style cipher_list, in the meantime this workaround allows to build and use boringssl. Signed-off-by: Lukas Tribus <luky-37@hotmail.com>
2014-08-17 18:56:33 -04:00
if (dhe_found) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.\n");
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.default_dh_param = 1024;
MEDIUM: ssl: Add the option to use standardized DH parameters >= 1024 bits When no static DH parameters are specified, this patch makes haproxy use standardized (rfc 2409 / rfc 3526) DH parameters with prime lenghts of 1024, 2048, 4096 or 8192 bits for DHE key exchange. The size of the temporary/ephemeral DH key is computed as the minimum of the RSA/DSA server key size and the value of a new option named tune.ssl.default-dh-param.
2014-06-12 08:58:40 -04:00
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.default_dh_param >= 1024) {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
if (local_dh_1024 == NULL) {
local_dh_1024 = ssl_get_dh_1024();
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.default_dh_param >= 2048) {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
if (local_dh_2048 == NULL) {
local_dh_2048 = ssl_get_dh_2048();
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.default_dh_param >= 4096) {
BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange OpenSSL does not free the DH * value returned by the callback specified with SSL_CTX_set_tmp_dh_callback(), leading to a memory leak for SSL/TLS connections using Diffie Hellman Ephemeral key exchange. This patch fixes the leak by allocating the DH * structs holding the DH parameters once, at configuration time. Note: this fix must be backported to 1.5.
2014-07-15 05:36:40 -04:00
if (local_dh_4096 == NULL) {
local_dh_4096 = ssl_get_dh_4096();
}
}
}
}
#endif /* OPENSSL_NO_DH */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
BUILD: ssl: SSL_CTX_set_msg_callback() needs openssl >= 0.9.7 1.5-dev24 introduced SSL_CTX_set_msg_callback(), which came with OpenSSL 0.9.7. A build attempt with an older one failed and we're still compatible with 0.9.6 in 1.5.
2014-05-08 16:45:11 -04:00
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
BUILD: ssl: SSL_CTX_set_msg_callback() needs openssl >= 0.9.7 1.5-dev24 introduced SSL_CTX_set_msg_callback(), which came with OpenSSL 0.9.7. A build attempt with an older one failed and we're still compatible with 0.9.6 in 1.5.
2014-05-08 16:45:11 -04:00
#endif
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ssl_conf_cur = NULL;
if (ssl_conf && ssl_conf->npn_str)
ssl_conf_cur = ssl_conf;
else if (bind_conf->ssl_conf.npn_str)
ssl_conf_cur = &bind_conf->ssl_conf;
if (ssl_conf_cur)
SSL_CTX_set_next_protos_advertised_cb(ctx, ssl_sock_advertise_npn_protos, ssl_conf_cur);
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
#endif
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ssl_conf_cur = NULL;
if (ssl_conf && ssl_conf->alpn_str)
ssl_conf_cur = ssl_conf;
else if (bind_conf->ssl_conf.alpn_str)
ssl_conf_cur = &bind_conf->ssl_conf;
if (ssl_conf_cur)
SSL_CTX_set_alpn_select_cb(ctx, ssl_sock_advertise_alpn_protos, ssl_conf_cur);
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
#endif
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
conf_curves = (ssl_conf && ssl_conf->curves) ? ssl_conf->curves : bind_conf->ssl_conf.curves;
if (conf_curves) {
if (!SSL_CTX_set1_curves_list(ctx, conf_curves)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to set SSL curves list to '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, conf_curves, bind_conf->arg, bind_conf->file, bind_conf->line);
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
cfgerr++;
}
BUILD: ssl: simplify SSL_CTX_set_ecdh_auto compatibility SSL_CTX_set_ecdh_auto is declared (when present) with #define. A simple #ifdef avoid to list all cases of ssllibs. It's a placebo in new ssllibs. It's ok with openssl 1.0.1, 1.0.2, 1.1.0, libressl and boringssl. Thanks to Piotr Kubaj for postponing and testing with libressl.
2017-03-20 06:11:49 -04:00
#if defined(SSL_CTX_set_ecdh_auto)
(void)SSL_CTX_set_ecdh_auto(ctx, 1);
#endif
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
}
#endif
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
#if defined(SSL_CTX_set_tmp_ecdh) && !defined(OPENSSL_NO_ECDH)
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
if (!conf_curves) {
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
int i;
EC_KEY *ecdh;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
const char *ecdhe = (ssl_conf && ssl_conf->ecdhe) ? ssl_conf->ecdhe :
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
(bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe :
NULL);
if (ecdhe == NULL) {
SSL_CTX_set_dh_auto(ctx, 1);
return cfgerr;
}
#else
const char *ecdhe = (ssl_conf && ssl_conf->ecdhe) ? ssl_conf->ecdhe :
(bind_conf->ssl_conf.ecdhe ? bind_conf->ssl_conf.ecdhe :
ECDHE_DEFAULT_CURVE);
#endif
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
i = OBJ_sn2nid(ecdhe);
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
if (!i || ((ecdh = EC_KEY_new_by_curve_name(i)) == NULL)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': unable to set elliptic named curve to '%s' for bind '%s' at [%s:%d].\n",
curproxy->id, ecdhe, bind_conf->arg, bind_conf->file, bind_conf->line);
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
cfgerr++;
}
else {
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
}
}
#endif
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
return cfgerr;
}
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
static int ssl_sock_srv_hostcheck(const char *pattern, const char *hostname)
{
const char *pattern_wildcard, *pattern_left_label_end, *hostname_left_label_end;
size_t prefixlen, suffixlen;
/* Trivial case */
if (strcmp(pattern, hostname) == 0)
return 1;
/* The rest of this logic is based on RFC 6125, section 6.4.3
* (http://tools.ietf.org/html/rfc6125#section-6.4.3) */
MINOR: ssl: optimization of verifyhost on wildcard certificates. Optimizes verifyhost on wildcard certificates avoiding travel several times the same string.
2013-10-08 05:27:28 -04:00
pattern_wildcard = NULL;
pattern_left_label_end = pattern;
while (*pattern_left_label_end != '.') {
switch (*pattern_left_label_end) {
case 0:
/* End of label not found */
return 0;
case '*':
/* If there is more than one wildcards */
if (pattern_wildcard)
return 0;
pattern_wildcard = pattern_left_label_end;
break;
}
pattern_left_label_end++;
}
/* If it's not trivial and there is no wildcard, it can't
* match */
if (!pattern_wildcard)
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
return 0;
/* Make sure all labels match except the leftmost */
hostname_left_label_end = strchr(hostname, '.');
if (!hostname_left_label_end
|| strcmp(pattern_left_label_end, hostname_left_label_end) != 0)
return 0;
/* Make sure the leftmost label of the hostname is long enough
* that the wildcard can match */
BUG/MINOR: ssl: verifyhost does not match empty strings on wildcard. RFC6125 does not specify if wildcard matches empty strings but classical browsers implementations does. After the fix foo*bar.exemple.om matches foobar.exemple.com.
2013-10-08 05:39:35 -04:00
if (hostname_left_label_end - hostname < (pattern_left_label_end - pattern) - 1)
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
return 0;
/* Finally compare the string on either side of the
* wildcard */
prefixlen = pattern_wildcard - pattern;
suffixlen = pattern_left_label_end - (pattern_wildcard + 1);
MINOR: ssl: optimization of verifyhost on wildcard certificates. Optimizes verifyhost on wildcard certificates avoiding travel several times the same string.
2013-10-08 05:27:28 -04:00
if ((prefixlen && (memcmp(pattern, hostname, prefixlen) != 0))
|| (suffixlen && (memcmp(pattern_wildcard + 1, hostname_left_label_end - suffixlen, suffixlen) != 0)))
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
return 0;
return 1;
}
static int ssl_sock_srv_verifycbk(int ok, X509_STORE_CTX *ctx)
{
SSL *ssl;
struct connection *conn;
MINOR: ssl: compare server certificate names to the SNI on outgoing connections When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle). This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged). In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions. After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases. After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug. Cc: Emmanuel Hocdet <manu@gandi.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-05 12:23:03 -04:00
const char *servername;
MINOR: ssl: add a new error codes for wrong server certificates If a server presents an unexpected certificate to haproxy, that is, a certificate that doesn't match the expected name as configured in verifyhost or as requested using SNI, we want to store that precious information. Fortunately we have access to the connection in the verification callback so it's possible to store an error code there. For this purpose we use CO_ER_SSL_MISMATCH_SNI (for when the cert name didn't match the one requested using SNI) and CO_ER_SSL_MISMATCH for when it doesn't match verifyhost.
2017-07-26 14:09:56 -04:00
const char *sni;
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
int depth;
X509 *cert;
STACK_OF(GENERAL_NAME) *alt_names;
int i;
X509_NAME *cert_subject;
char *str;
if (ok == 0)
return ok;
ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
conn = SSL_get_ex_data(ssl, ssl_app_data_index);
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
BUG/MINOR: ssl: make use of the name in SNI before verifyhost Commit 2ab8867 ("MINOR: ssl: compare server certificate names to the SNI on outgoing connections") introduced the ability to check server cert names against the name provided with in the SNI, but verifyhost was kept as a way to force the name to check against. This was a mistake, because : - if an SNI is used, any static hostname in verifyhost will be wrong ; worse, if it matches and doesn't match the SNI, the server presented the wrong certificate ; - there's no way to have a default name to check against for health checks anymore because the point above mandates the removal of the verifyhost directive This patch reverses the ordering of the check : whenever SNI is used, the name provided always has precedence (ie the server must always present a certificate that matches the requested name). And if no SNI is provided, then verifyhost is used, and will be configured to match the server's default certificate name. This will work both when SNI is not used and for health checks. If the commit 2ab8867 is backported in 1.7 and/or 1.6, this one must be backported too.
2017-07-28 05:38:41 -04:00
/* We're checking if the provided hostnames match the desired one. The
* desired hostname comes from the SNI we presented if any, or if not
* provided then it may have been explicitly stated using a "verifyhost"
* directive. If neither is set, we don't care about the name so the
* verification is OK.
MINOR: ssl: compare server certificate names to the SNI on outgoing connections When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle). This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged). In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions. After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases. After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug. Cc: Emmanuel Hocdet <manu@gandi.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-05 12:23:03 -04:00
*/
BUG/MINOR: ssl: make use of the name in SNI before verifyhost Commit 2ab8867 ("MINOR: ssl: compare server certificate names to the SNI on outgoing connections") introduced the ability to check server cert names against the name provided with in the SNI, but verifyhost was kept as a way to force the name to check against. This was a mistake, because : - if an SNI is used, any static hostname in verifyhost will be wrong ; worse, if it matches and doesn't match the SNI, the server presented the wrong certificate ; - there's no way to have a default name to check against for health checks anymore because the point above mandates the removal of the verifyhost directive This patch reverses the ordering of the check : whenever SNI is used, the name provided always has precedence (ie the server must always present a certificate that matches the requested name). And if no SNI is provided, then verifyhost is used, and will be configured to match the server's default certificate name. This will work both when SNI is not used and for health checks. If the commit 2ab8867 is backported in 1.7 and/or 1.6, this one must be backported too.
2017-07-28 05:38:41 -04:00
servername = SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
MINOR: ssl: add a new error codes for wrong server certificates If a server presents an unexpected certificate to haproxy, that is, a certificate that doesn't match the expected name as configured in verifyhost or as requested using SNI, we want to store that precious information. Fortunately we have access to the connection in the verification callback so it's possible to store an error code there. For this purpose we use CO_ER_SSL_MISMATCH_SNI (for when the cert name didn't match the one requested using SNI) and CO_ER_SSL_MISMATCH for when it doesn't match verifyhost.
2017-07-26 14:09:56 -04:00
sni = servername;
MINOR: ssl: compare server certificate names to the SNI on outgoing connections When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle). This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged). In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions. After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases. After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug. Cc: Emmanuel Hocdet <manu@gandi.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-05 12:23:03 -04:00
if (!servername) {
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
servername = __objt_server(conn->target)->ssl_ctx.verify_host;
MINOR: ssl: compare server certificate names to the SNI on outgoing connections When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle). This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged). In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions. After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases. After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug. Cc: Emmanuel Hocdet <manu@gandi.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-05 12:23:03 -04:00
if (!servername)
return ok;
}
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
/* We only need to verify the CN on the actual server cert,
* not the indirect CAs */
depth = X509_STORE_CTX_get_error_depth(ctx);
if (depth != 0)
return ok;
/* At this point, the cert is *not* OK unless we can find a
* hostname match */
ok = 0;
cert = X509_STORE_CTX_get_current_cert(ctx);
/* It seems like this might happen if verify peer isn't set */
if (!cert)
return ok;
alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (alt_names) {
for (i = 0; !ok && i < sk_GENERAL_NAME_num(alt_names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(alt_names, i);
if (name->type == GEN_DNS) {
BUILD: ssl: compilation issue with openssl v0.9.6. Failed to compile with openssl 0.9.6 since the 'verifyhost' feature.
2013-09-17 09:47:48 -04:00
#if OPENSSL_VERSION_NUMBER < 0x00907000L
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.ia5) >= 0) {
#else
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
if (ASN1_STRING_to_UTF8((unsigned char **)&str, name->d.dNSName) >= 0) {
BUILD: ssl: compilation issue with openssl v0.9.6. Failed to compile with openssl 0.9.6 since the 'verifyhost' feature.
2013-09-17 09:47:48 -04:00
#endif
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
ok = ssl_sock_srv_hostcheck(str, servername);
OPENSSL_free(str);
}
}
}
BUG/MEDIUM: ssl: potential memory leak using verifyhost If server certificate presents dns aliases, a memory leak appears on health checks when 'verifyhost' statement is used.
2013-09-17 09:19:54 -04:00
sk_GENERAL_NAME_pop_free(alt_names, GENERAL_NAME_free);
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
}
cert_subject = X509_get_subject_name(cert);
i = -1;
while (!ok && (i = X509_NAME_get_index_by_NID(cert_subject, NID_commonName, i)) != -1) {
X509_NAME_ENTRY *entry = X509_NAME_get_entry(cert_subject, i);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_STRING *value;
value = X509_NAME_ENTRY_get_data(entry);
if (ASN1_STRING_to_UTF8((unsigned char **)&str, value) >= 0) {
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
ok = ssl_sock_srv_hostcheck(str, servername);
OPENSSL_free(str);
}
}
MINOR: ssl: add a new error codes for wrong server certificates If a server presents an unexpected certificate to haproxy, that is, a certificate that doesn't match the expected name as configured in verifyhost or as requested using SNI, we want to store that precious information. Fortunately we have access to the connection in the verification callback so it's possible to store an error code there. For this purpose we use CO_ER_SSL_MISMATCH_SNI (for when the cert name didn't match the one requested using SNI) and CO_ER_SSL_MISMATCH for when it doesn't match verifyhost.
2017-07-26 14:09:56 -04:00
/* report the mismatch and indicate if SNI was used or not */
if (!ok && !conn->err_code)
conn->err_code = sni ? CO_ER_SSL_MISMATCH_SNI : CO_ER_SSL_MISMATCH;
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
return ok;
}
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
/* prepare ssl context from servers options. Returns an error count */
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
int ssl_sock_prepare_srv_ctx(struct server *srv)
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
{
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
struct proxy *curproxy = srv->proxy;
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
int cfgerr = 0;
MINOR: ssl: SSL_CTX_set_options() and SSL_CTX_set_mode() take a long, not an int This is a minor fix, but the SSL_CTX_set_options() and SSL_CTX_set_mode() functions take a long, not an int parameter. As SSL_OP_ALL is now (since OpenSSL 1.0.0) defined as 0x80000BFFL, I think it is worth fixing.
2014-05-19 04:29:58 -04:00
long options =
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
SSL_OP_ALL | /* all known workarounds for bugs */
SSL_OP_NO_SSLv2 |
SSL_OP_NO_COMPRESSION;
MINOR: ssl: SSL_CTX_set_options() and SSL_CTX_set_mode() take a long, not an int This is a minor fix, but the SSL_CTX_set_options() and SSL_CTX_set_mode() functions take a long, not an int parameter. As SSL_OP_ALL is now (since OpenSSL 1.0.0) defined as 0x80000BFFL, I think it is worth fixing.
2014-05-19 04:29:58 -04:00
long mode =
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
MEDIUM: ssl: add support for smaller SSL records There's a very common openssl patch on the net meant to significantly reduce openssl's memory usage. This patch has been provided for many versions now, and it makes sense to add support for it given that it is very simple. It only requires to add an extra SSL_MODE flag. Just like for other flags, if the flag is unknown, it's unset. About 44kB of memory may be saved per SSL session with the patch.
2014-11-13 08:06:52 -05:00
SSL_MODE_RELEASE_BUFFERS |
SSL_MODE_SMALL_BUFFERS;
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
int verify = SSL_VERIFY_NONE;
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
SSL_CTX *ctx = NULL;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
struct tls_version_filter *conf_ssl_methods = &srv->ssl_ctx.methods;
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
int i, min, max, hole;
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
int flags = MC_SSL_O_ALL;
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
BUG/MEDIUM: ssl: openssl 0.9.8 doesn't open /dev/random before chroot Openssl needs to access /dev/urandom to initialize its internal random number generator. It does so when it needs a random for the first time, which fails if it is a handshake performed after the chroot(), causing all SSL incoming connections to fail. This fix consists in calling RAND_bytes() to produce a random before the chroot, which will in turn open /dev/urandom before it's too late, and avoid the issue. If the random generator fails to work while processing the config, haproxy now fails with an error instead of causing SSL connections to fail at runtime.
2013-01-24 08:15:43 -05:00
/* Make sure openssl opens /dev/urandom before the chroot */
if (!ssl_initialize_random()) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("OpenSSL random data generator initialization failed.\n");
BUG/MEDIUM: ssl: openssl 0.9.8 doesn't open /dev/random before chroot Openssl needs to access /dev/urandom to initialize its internal random number generator. It does so when it needs a random for the first time, which fails if it is a handshake performed after the chroot(), causing all SSL incoming connections to fail. This fix consists in calling RAND_bytes() to produce a random before the chroot, which will in turn open /dev/urandom before it's too late, and avoid the issue. If the random generator fails to work while processing the config, haproxy now fails with an error instead of causing SSL connections to fail at runtime.
2013-01-24 08:15:43 -05:00
cfgerr++;
}
MINOR: global: always export some SSL-specific metrics We'll need to know the number of SSL connections, their use and their cost soon. In order to avoid getting tons of ifdefs everywhere, always export SSL information in the global section. We add two flags to know whether or not SSL is used in a frontend and in a backend.
2015-01-15 15:32:40 -05:00
/* Automatic memory computations need to know we use SSL there */
global.ssl_used_backend = 1;
/* Initiate SSL context for current server */
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (!srv->ssl_ctx.reused_sess) {
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
if ((srv->ssl_ctx.reused_sess = calloc(1, global.nbthread*sizeof(*srv->ssl_ctx.reused_sess))) == NULL) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] out of memory.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
cfgerr++;
return cfgerr;
}
}
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
if (srv->use_ssl)
srv->xprt = &ssl_sock;
if (srv->check.use_ssl)
BUG/MEDIUM: checks: fix conflicts between agent checks and ssl healthchecks Lasse Birnbaum Jensen reported an issue when agent checks are used at the same time as standard healthchecks when SSL is enabled on the server side. The symptom is that agent checks try to communicate in SSL while it should manage raw data. This happens because the transport layer is shared between all kind of checks. To fix the issue, the transport layer is now stored in each check type, allowing to use SSL healthchecks when required, while an agent check should always use the raw_sock implementation. The fix must be backported to 1.5.
2014-11-15 16:41:27 -05:00
srv->check.xprt = &ssl_sock;
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
ctx = SSL_CTX_new(SSLv23_client_method());
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
if (!ctx) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("config : %s '%s', server '%s': unable to allocate ssl context.\n",
proxy_type_str(curproxy), curproxy->id,
srv->id);
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
cfgerr++;
return cfgerr;
}
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("config : %s '%s': no-sslv3/no-tlsv1x are ignored for server '%s'. "
"Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n",
proxy_type_str(curproxy), curproxy->id, srv->id);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
else
flags = conf_ssl_methods->flags;
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
/* Real min and max should be determinate with configuration and openssl's capabilities */
if (conf_ssl_methods->min)
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
if (conf_ssl_methods->max)
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
/* find min, max and holes */
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
min = max = CONF_TLSV_NONE;
hole = 0;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
/* version is in openssl && version not disable in configuration */
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
if (methodVersions[i].option && !(flags & methodVersions[i].flag)) {
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
if (min) {
if (hole) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("config : %s '%s': SSL/TLS versions range not contiguous for server '%s'. "
"Hole find for %s. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.\n",
proxy_type_str(curproxy), curproxy->id, srv->id,
methodVersions[hole].name);
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
hole = 0;
}
max = i;
}
else {
min = max = i;
}
}
else {
if (min)
hole = i;
}
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
if (!min) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("config : %s '%s': all SSL/TLS versions are disabled for server '%s'.\n",
proxy_type_str(curproxy), curproxy->id, srv->id);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
cfgerr += 1;
}
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
MINOR: ssl: build with recent BoringSSL library BoringSSL switch OPENSSL_VERSION_NUMBER to 1.1.0 for compatibility. Fix BoringSSL call and openssl-compat.h/#define occordingly. This will not break openssl/libressl compat.
2017-10-02 11:12:06 -04:00
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
/* Keep force-xxx implementation as it is in older haproxy. It's a
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
precautionary measure to avoid any surprise with older openssl version. */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (min == max)
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
methodVersions[min].ctx_set_version(ctx, SET_CLIENT);
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
else
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (flags & methodVersions[i].flag)
options |= methodVersions[i].option;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
#else /* openssl >= 1.1.0 */
MEDIUM: ssl: calculate the real min/max TLS version and find holes Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. Find the real min/max versions (openssl capabilities and haproxy configuration) and generate warning with bad versions range. 'no-tlsxx' can generate 'holes': "The list of protocols available can be further limited using the SSL_OP_NO_X options of the SSL_CTX_set_options or SSL_set_options functions. Clients should avoid creating 'holes' in the set of protocols they support, when disabling a protocol, make sure that you also disable either all previous or all subsequent protocol versions. In clients, when a protocol version is disabled without disabling all previous protocol versions, the effect is to also disable all subsequent protocol versions." To not break compatibility, "holes" is authorized with warning, because openssl 1.1.0 and boringssl deal with it (keep the upper or lower range depending the case and version).
2017-03-30 13:25:07 -04:00
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table This patch cleanup the usage of set_version func with a more suitable name: ctx_set_version. It introduce ssl_set_version func (unused for the moment).
2017-05-18 06:33:19 -04:00
methodVersions[min].ctx_set_version(ctx, SET_MIN);
methodVersions[max].ctx_set_version(ctx, SET_MAX);
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
#endif
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
options |= SSL_OP_NO_TICKET;
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
SSL_CTX_set_options(ctx, options);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
if (global_ssl.async)
mode |= SSL_MODE_ASYNC;
#endif
MINOR: ssl: removes SSL_CTX_set_ssl_version call and cleanup CTX creation. BoringSSL doesn't support SSL_CTX_set_ssl_version. To remove this call, the CTX creation is cleanup to clarify what is happening. SSL_CTX_new is used to match the original behavior, in order: force-<method> according the method version then the default method with no-<method> options. OPENSSL_NO_SSL3 error message is now in force-sslv3 parsing (as force-tls*). For CTX creation in bind environement, all CTX set related to the initial ctx are aggregate to ssl_sock_new_ctx function for clarity. Tests with crt-list have shown that server_method, options and mode are linked to the initial CTX (default_ctx): all ssl-options are link to each bind line and must be removed from crt-list.
2017-03-03 06:21:32 -05:00
SSL_CTX_set_mode(ctx, mode);
srv->ssl_ctx.ctx = ctx;
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
if (srv->ssl_ctx.client_crt) {
if (SSL_CTX_use_PrivateKey_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt, SSL_FILETYPE_PEM) <= 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("config : %s '%s', server '%s': unable to load SSL private key from PEM file '%s'.\n",
proxy_type_str(curproxy), curproxy->id,
srv->id, srv->ssl_ctx.client_crt);
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
cfgerr++;
}
else if (SSL_CTX_use_certificate_chain_file(srv->ssl_ctx.ctx, srv->ssl_ctx.client_crt) <= 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("config : %s '%s', server '%s': unable to load ssl certificate from PEM file '%s'.\n",
proxy_type_str(curproxy), curproxy->id,
srv->id, srv->ssl_ctx.client_crt);
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
cfgerr++;
}
else if (SSL_CTX_check_private_key(srv->ssl_ctx.ctx) <= 0) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("config : %s '%s', server '%s': inconsistencies between private key and certificate loaded from PEM file '%s'.\n",
proxy_type_str(curproxy), curproxy->id,
srv->id, srv->ssl_ctx.client_crt);
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
cfgerr++;
}
}
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
verify = SSL_VERIFY_PEER;
switch (srv->ssl_ctx.verify) {
case SSL_SOCK_VERIFY_NONE:
verify = SSL_VERIFY_NONE;
break;
case SSL_SOCK_VERIFY_REQUIRED:
verify = SSL_VERIFY_PEER;
break;
}
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
SSL_CTX_set_verify(srv->ssl_ctx.ctx,
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
verify,
MINOR: ssl: compare server certificate names to the SNI on outgoing connections When support for passing SNI to the server was added in 1.6-dev3, there was no way to validate that the certificate presented by the server would really match the name requested in the SNI, which is quite a problem as it allows other (valid) certificates to be presented instead (when hitting the wrong server or due to a man in the middle). This patch adds the missing check against the value passed in the SNI. The "verifyhost" value keeps precedence if set. If no SNI is used and no verifyhost directive is specified, then the certificate name is not checked (this is unchanged). In order to extract the SNI value, it was necessary to make use of SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is a trivial function which returns the value of s->tlsext_hostname, so it was provided in the compat layer for older versions. After some refinements from Emmanuel, it now builds with openssl 1.0.2, openssl 1.1.0 and boringssl. A test file was provided to ease testing all cases. After some careful observation period it may make sense to backport this to 1.7 and 1.6 as some users rightfully consider this limitation as a bug. Cc: Emmanuel Hocdet <manu@gandi.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-05 12:23:03 -04:00
(srv->ssl_ctx.verify_host || (verify & SSL_VERIFY_PEER)) ? ssl_sock_srv_verifycbk : NULL);
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
if (verify & SSL_VERIFY_PEER) {
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
if (srv->ssl_ctx.ca_file) {
/* load CAfile to verify */
if (!SSL_CTX_load_verify_locations(srv->ssl_ctx.ctx, srv->ssl_ctx.ca_file, NULL)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] unable to load CA file '%s'.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line, srv->ssl_ctx.ca_file);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
cfgerr++;
}
}
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
else {
if (global.ssl_server_verify == SSL_SERVER_VERIFY_REQUIRED)
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
else
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] verify is enabled but no CA file specified.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line);
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
cfgerr++;
}
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
#ifdef X509_V_FLAG_CRL_CHECK
if (srv->ssl_ctx.crl_file) {
X509_STORE *store = SSL_CTX_get_cert_store(srv->ssl_ctx.ctx);
if (!store || !X509_STORE_load_locations(store, srv->ssl_ctx.crl_file, NULL)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] unable to configure CRL file '%s'.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line, srv->ssl_ctx.crl_file);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
cfgerr++;
}
else {
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
}
}
#endif
}
MINOR: ssl: Handle session resumption with TLS 1.3 With TLS 1.3, session aren't established until after the main handshake has completed. So we can't just rely on calling SSL_get1_session(). Instead, we now register a callback for the "new session" event. This should work for previous versions of TLS as well.
2017-11-03 08:43:35 -04:00
SSL_CTX_set_session_cache_mode(srv->ssl_ctx.ctx, SSL_SESS_CACHE_CLIENT |
SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(srv->ssl_ctx.ctx, ssl_sess_new_srv_cb);
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
if (srv->ssl_ctx.ciphers &&
!SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphers)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set SSL cipher list to '%s'.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphers);
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
cfgerr++;
}
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
if (srv->ssl_ctx.ciphersuites &&
!SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
curproxy->id, srv->id,
srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
cfgerr++;
}
#endif
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
if (srv->ssl_ctx.npn_str)
SSL_CTX_set_next_proto_select_cb(ctx, ssl_sock_srv_select_protos, srv);
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
if (srv->ssl_ctx.alpn_str)
SSL_CTX_set_alpn_protos(ctx, (unsigned char *)srv->ssl_ctx.alpn_str, srv->ssl_ctx.alpn_len);
#endif
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
MINOR: ssl: move ssl context init for servers from cfgparse.c to ssl_sock.c
2012-10-11 08:00:19 -04:00
return cfgerr;
}
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
/* Walks down the two trees in bind_conf and prepares all certs. The pointer may
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
* be NULL, in which case nothing is done. Returns the number of errors
* encountered.
*/
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
struct ebmb_node *node;
struct sni_ctx *sni;
int err = 0;
MINOR: global: always export some SSL-specific metrics We'll need to know the number of SSL connections, their use and their cost soon. In order to avoid getting tons of ifdefs everywhere, always export SSL information in the global section. We add two flags to know whether or not SSL is used in a frontend and in a backend.
2015-01-15 15:32:40 -05:00
/* Automatic memory computations need to know we use SSL there */
global.ssl_used_frontend = 1;
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
/* Make sure openssl opens /dev/urandom before the chroot */
if (!ssl_initialize_random()) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("OpenSSL random data generator initialization failed.\n");
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
err++;
}
/* Create initial_ctx used to start the ssl connection before do switchctx */
if (!bind_conf->initial_ctx) {
MEDIUM: ssl: ssl-min-ver and ssl-max-ver compatibility. In haproxy < 1.8, no-sslv3/no-tlsv1x are ignored when force-sslv3/force-tlsv1x is used (without warning). With this patch, no-sslv3/no-tlsv1x are ignored when ssl-min-ver or ssl-max-ver is used (with warning). When all SSL/TLS versions are disable: generate an error, not a warning. example: ssl-min-ver TLSV1.3 (or force-tlsv13) with a openssl <= 1.1.0.
2017-05-05 12:06:12 -04:00
err += ssl_sock_initial_ctx(bind_conf);
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
/* It should not be necessary to call this function, but it's
necessary first to check and move all initialisation related
to initial_ctx in ssl_sock_initial_ctx. */
err += ssl_sock_prepare_ctx(bind_conf, NULL, bind_conf->initial_ctx);
}
BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates Bug reported by John Leach: no-sslv3 does not work using some certificates. It appears that ssl ctx is not updated with configured options if the CommonName of the certificate's subject is not found. It applies only on the first cerificate of a configured bind line. There is no security impact, because only invalid nameless certficates are concerned. This fix must be backported to 1.5
2014-10-30 14:25:24 -04:00
if (bind_conf->default_ctx)
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx);
BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates Bug reported by John Leach: no-sslv3 does not work using some certificates. It appears that ssl ctx is not updated with configured options if the CommonName of the certificate's subject is not found. It applies only on the first cerificate of a configured bind line. There is no security impact, because only invalid nameless certficates are concerned. This fix must be backported to 1.5
2014-10-30 14:25:24 -04:00
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
node = ebmb_first(&bind_conf->sni_ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates Bug reported by John Leach: no-sslv3 does not work using some certificates. It appears that ssl ctx is not updated with configured options if the CommonName of the certificate's subject is not found. It applies only on the first cerificate of a configured bind line. There is no security impact, because only invalid nameless certficates are concerned. This fix must be backported to 1.5
2014-10-30 14:25:24 -04:00
if (!sni->order && sni->ctx != bind_conf->default_ctx)
/* only initialize the CTX on its first occurrence and
if it is not the default_ctx */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
err += ssl_sock_prepare_ctx(bind_conf, sni->conf, sni->ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
node = ebmb_next(node);
}
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
node = ebmb_first(&bind_conf->sni_w_ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates Bug reported by John Leach: no-sslv3 does not work using some certificates. It appears that ssl ctx is not updated with configured options if the CommonName of the certificate's subject is not found. It applies only on the first cerificate of a configured bind line. There is no security impact, because only invalid nameless certficates are concerned. This fix must be backported to 1.5
2014-10-30 14:25:24 -04:00
if (!sni->order && sni->ctx != bind_conf->default_ctx)
/* only initialize the CTX on its first occurrence and
if it is not the default_ctx */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
err += ssl_sock_prepare_ctx(bind_conf, sni->conf, sni->ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
node = ebmb_next(node);
}
return err;
}
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
/* Prepares all the contexts for a bind_conf and allocates the shared SSL
* context if needed. Returns < 0 on error, 0 on success. The warnings and
* alerts are directly emitted since the rest of the stack does it below.
*/
int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
{
struct proxy *px = bind_conf->frontend;
int alloc_ctx;
int err;
if (!bind_conf->is_ssl) {
if (bind_conf->default_ctx) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Proxy '%s': A certificate was specified but SSL was not enabled on bind '%s' at [%s:%d] (use 'ssl').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
}
return 0;
}
if (!bind_conf->default_ctx) {
MINOR: ssl: allow to start without certificate if strict-sni is set With strict-sni, ssl connection will fail if no certificate match. Have no certificate in bind line, fail on all ssl connections. It's ok with the behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow to start without certificate only in this case. Use case is to start haproxy with ssl before customer start to use certificates. Typically with 'crt' on a empty directory and 'strict-sni' parameters.
2017-08-09 05:24:25 -04:00
if (bind_conf->strict_sni && !bind_conf->generate_certs) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MINOR: ssl: allow to start without certificate if strict-sni is set With strict-sni, ssl connection will fail if no certificate match. Have no certificate in bind line, fail on all ssl connections. It's ok with the behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow to start without certificate only in this case. Use case is to start haproxy with ssl before customer start to use certificates. Typically with 'crt' on a empty directory and 'strict-sni' parameters.
2017-08-09 05:24:25 -04:00
}
else {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
MINOR: ssl: allow to start without certificate if strict-sni is set With strict-sni, ssl connection will fail if no certificate match. Have no certificate in bind line, fail on all ssl connections. It's ok with the behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow to start without certificate only in this case. Use case is to start haproxy with ssl before customer start to use certificates. Typically with 'crt' on a empty directory and 'strict-sni' parameters.
2017-08-09 05:24:25 -04:00
return -1;
}
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
}
BUG/MINOR: ssl: support tune.ssl.cachesize 0 again Since the split of the shctx and the ssl cache, we lost the ability to disable the cache with tune.ssl.cachesize 0. Worst than that, when using this configuration, haproxy segfaults during the configuration parsing. Must be backported to 1.8.
2017-12-04 12:46:39 -05:00
if (!ssl_shctx && global.tune.sslcachesize) {
BUG/MEDIUM: ssl: don't allocate shctx several time The shctx_init() function does not check anymore if the pointer is not NULL, this check must be done is the caller. The consequence was to allocate one shctx per ssl bind. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Maciej Zdeb for reporting this bug. Must be backported to 1.8.
2017-11-28 05:04:43 -05:00
alloc_ctx = shctx_init(&ssl_shctx, global.tune.sslcachesize,
MINOR: shctx: Add a maximum object size parameter. This patch adds a new parameter to shctx_init() function to be used to limit the size of each shared object, -1 value meaning "no limit".
2018-10-22 10:21:39 -04:00
sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE, -1,
BUG/MEDIUM: ssl: don't allocate shctx several time The shctx_init() function does not check anymore if the pointer is not NULL, this check must be done is the caller. The consequence was to allocate one shctx per ssl bind. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Maciej Zdeb for reporting this bug. Must be backported to 1.8.
2017-11-28 05:04:43 -05:00
sizeof(*sh_ssl_sess_tree),
((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0);
BUG/MINOR: ssl: Wrong usage of shctx_init(). With this patch we check that shctx_init() does not return 0. Must be backported to 1.8.
2018-10-25 14:22:46 -04:00
if (alloc_ctx <= 0) {
BUG/MEDIUM: ssl: don't allocate shctx several time The shctx_init() function does not check anymore if the pointer is not NULL, this check must be done is the caller. The consequence was to allocate one shctx per ssl bind. Bug introduced by 4f45bb9 ("MEDIUM: shctx: separate ssl and shctx") Thanks to Maciej Zdeb for reporting this bug. Must be backported to 1.8.
2017-11-28 05:04:43 -05:00
if (alloc_ctx == SHCTX_E_INIT_LOCK)
ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
else
ha_alert("Unable to allocate SSL session cache.\n");
return -1;
}
/* free block callback */
ssl_shctx->free_block = sh_ssl_sess_free_blocks;
/* init the root tree within the extra space */
sh_ssl_sess_tree = (void *)ssl_shctx + sizeof(struct shared_context);
*sh_ssl_sess_tree = EB_ROOT_UNIQUE;
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
}
err = 0;
/* initialize all certificate contexts */
err += ssl_sock_prepare_all_ctx(bind_conf);
/* initialize CA variables if the certificates generation is enabled */
err += ssl_sock_load_ca(bind_conf);
return -err;
}
MINOR: ssl: Release Servers SSL context when HAProxy is shut down [wt: could be backported to 1.5 as well]
2015-07-29 07:02:40 -04:00
/* release ssl context allocated for servers. */
void ssl_sock_free_srv_ctx(struct server *srv)
{
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
if (srv->ssl_ctx.alpn_str)
free(srv->ssl_ctx.alpn_str);
#endif
BUILD/MINOR: ssl: fix build with non-alpn/non-npn libssl In commit c7566001 ("MINOR: server: Add "alpn" and "npn" keywords") and commit 201b9f4e ("MAJOR: connections: Defer mux creation for outgoing connection if alpn is set"), the build was broken on older OpenSSL releases. Move the #ifdef's around so that we build again with older OpenSSL releases (0.9.8 was tested).
2018-11-25 07:21:27 -05:00
#ifdef OPENSSL_NPN_NEGOTIATED
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
if (srv->ssl_ctx.npn_str)
free(srv->ssl_ctx.npn_str);
MINOR: ssl: free ctx when libssl doesn't support NPN The previous fix da95fd90 ("BUILD/MINOR: ssl: fix build with non-alpn/ non-npn libssl") does fix the build in old OpenSSL release, but I overlooked that the ctx is only freed when NPN is supported. Fix this by moving the #endif to the proper place (this was broken in c7566001 ("MINOR: server: Add "alpn" and "npn" keywords")).
2018-11-26 16:57:17 -05:00
#endif
MINOR: ssl: Release Servers SSL context when HAProxy is shut down [wt: could be backported to 1.5 as well]
2015-07-29 07:02:40 -04:00
if (srv->ssl_ctx.ctx)
SSL_CTX_free(srv->ssl_ctx.ctx);
}
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
/* Walks down the two trees in bind_conf and frees all the certs. The pointer may
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
* be NULL, in which case nothing is done. The default_ctx is nullified too.
*/
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
{
struct ebmb_node *node, *back;
struct sni_ctx *sni;
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
node = ebmb_first(&bind_conf->sni_ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
back = ebmb_next(node);
ebmb_delete(node);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!sni->order) { /* only free the CTX on its first occurrence */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_CTX_free(sni->ctx);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ssl_sock_free_ssl_conf(sni->conf);
free(sni->conf);
sni->conf = NULL;
}
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
free(sni);
node = back;
}
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
node = ebmb_first(&bind_conf->sni_w_ctx);
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
back = ebmb_next(node);
ebmb_delete(node);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (!sni->order) { /* only free the CTX on its first occurrence */
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
SSL_CTX_free(sni->ctx);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ssl_sock_free_ssl_conf(sni->conf);
free(sni->conf);
sni->conf = NULL;
}
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
free(sni);
node = back;
}
BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.
2017-03-06 09:34:44 -05:00
SSL_CTX_free(bind_conf->initial_ctx);
bind_conf->initial_ctx = NULL;
MEDIUM: config: replace ssl_conf by bind_conf Some settings need to be merged per-bind config line and are not necessarily SSL-specific. It becomes quite inconvenient to have this ssl_conf SSL-specific, so let's replace it with something more generic.
2012-09-13 11:54:29 -04:00
bind_conf->default_ctx = NULL;
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
bind_conf->default_ssl_conf = NULL;
MEDIUM: ssl: add support for SNI and wildcard certificates A side effect of this change is that the "ssl" keyword on "bind" lines is now just a boolean and that "crt" is needed to designate certificate files or directories. Note that much refcounting was needed to have the free() work correctly due to the number of cert aliases which can make a context be shared by multiple names.
2012-09-07 11:30:07 -04:00
}
MINOR: ssl_sock: implement ssl_sock_destroy_bind_conf() Instead of hard-coding all SSL destruction in cfgparse.c and haproxy.c, we now register this new function as the transport layer's destroy_bind_conf() and call it only when defined. This removes some non-obvious SSL-specific code and #ifdefs from cfgparse.c and haproxy.c
2016-12-22 11:30:54 -05:00
/* Destroys all the contexts for a bind_conf. This is used during deinit(). */
void ssl_sock_destroy_bind_conf(struct bind_conf *bind_conf)
{
ssl_sock_free_ca(bind_conf);
ssl_sock_free_all_ctx(bind_conf);
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
ssl_sock_free_ssl_conf(&bind_conf->ssl_conf);
MINOR: ssl_sock: implement ssl_sock_destroy_bind_conf() Instead of hard-coding all SSL destruction in cfgparse.c and haproxy.c, we now register this new function as the transport layer's destroy_bind_conf() and call it only when defined. This removes some non-obvious SSL-specific code and #ifdefs from cfgparse.c and haproxy.c
2016-12-22 11:30:54 -05:00
free(bind_conf->ca_sign_file);
free(bind_conf->ca_sign_pass);
BUG/MINOR: ssl: properly ref-count the tls_keys entries Commit 200b0fa ("MEDIUM: Add support for updating TLS ticket keys via socket") introduced support for updating TLS ticket keys from the CLI, but missed a small corner case : if multiple bind lines reference the same tls_keys file, the same reference is used (as expected), but during the clean shutdown, it will lead to a double free when destroying the bind_conf contexts since none of the lines knows if others still use it. The impact is very low however, mostly a core and/or a message in the system's log upon old process termination. Let's introduce some basic refcounting to prevent this from happening, so that only the last bind_conf frees it. Thanks to Janusz Dziemidowicz and Thierry Fournier for both reporting the same issue with an easy reproducer. This fix needs to be backported from 1.6 to 1.8.
2018-07-17 04:05:32 -04:00
if (bind_conf->keys_ref && !--bind_conf->keys_ref->refcount) {
MINOR: ssl_sock: implement ssl_sock_destroy_bind_conf() Instead of hard-coding all SSL destruction in cfgparse.c and haproxy.c, we now register this new function as the transport layer's destroy_bind_conf() and call it only when defined. This removes some non-obvious SSL-specific code and #ifdefs from cfgparse.c and haproxy.c
2016-12-22 11:30:54 -05:00
free(bind_conf->keys_ref->filename);
free(bind_conf->keys_ref->tlskeys);
LIST_DEL(&bind_conf->keys_ref->list);
free(bind_conf->keys_ref);
}
bind_conf->keys_ref = NULL;
bind_conf->ca_sign_pass = NULL;
bind_conf->ca_sign_file = NULL;
}
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* Load CA cert file and private key used to generate certificates */
int
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
ssl_sock_load_ca(struct bind_conf *bind_conf)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
{
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
struct proxy *px = bind_conf->frontend;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
FILE *fp;
X509 *cacert = NULL;
EVP_PKEY *capkey = NULL;
int err = 0;
MINOR: ssl: Remove useless checks on bind_conf or bind_conf->is_ssl bind_conf always exists at these steps and it is always for SSL listeners.
2017-09-15 03:52:49 -04:00
if (!bind_conf->generate_certs)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
return err;
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (global_ssl.ctx_cache) {
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
ssl_ctx_lru_tree = lru64_new(global_ssl.ctx_cache);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
ssl_ctx_lru_seed = (unsigned int)time(NULL);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
ssl_ctx_serial = now_ms;
BUILD: ssl: fix build error introduced by recent commit Commit d2cab92 ("BUG/MINOR: ssl: fix management of the cache where forged certificates are stored") removed some needed #ifdefs resulting in ssl not building on older openssl versions where SSL_CTRL_SET_TLSEXT_HOSTNAME is not defined : src/ssl_sock.c: In function 'ssl_sock_load_ca': src/ssl_sock.c:2504: error: 'ssl_ctx_lru_tree' undeclared (first use in this function) src/ssl_sock.c:2504: error: (Each undeclared identifier is reported only once src/ssl_sock.c:2504: error: for each function it appears in.) src/ssl_sock.c:2505: error: 'ssl_ctx_lru_seed' undeclared (first use in this function) src/ssl_sock.c: In function 'ssl_sock_close': src/ssl_sock.c:3095: error: 'ssl_ctx_lru_tree' undeclared (first use in this function) src/ssl_sock.c: In function '__ssl_sock_deinit': src/ssl_sock.c:5367: error: 'ssl_ctx_lru_tree' undeclared (first use in this function) make: *** [src/ssl_sock.o] Error 1 Reintroduce the ifdefs around the faulty areas.
2015-10-09 06:10:13 -04:00
#endif
BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.
2015-07-28 10:03:47 -04:00
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (!bind_conf->ca_sign_file) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': cannot enable certificate generation, "
"no CA certificate File configured at [%s:%d].\n",
px->id, bind_conf->file, bind_conf->line);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
goto load_error;
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
}
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* read in the CA certificate */
if (!(fp = fopen(bind_conf->ca_sign_file, "r"))) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d].\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
goto load_error;
}
if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL))) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d].\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
goto read_error;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
}
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
rewind(fp);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (!(capkey = PEM_read_PrivateKey(fp, NULL, NULL, bind_conf->ca_sign_pass))) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("Proxy '%s': Failed to read CA private key file '%s' at [%s:%d].\n",
px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
goto read_error;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
}
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
fclose (fp);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
bind_conf->ca_sign_cert = cacert;
bind_conf->ca_sign_pkey = capkey;
return err;
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
read_error:
fclose (fp);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
if (capkey) EVP_PKEY_free(capkey);
if (cacert) X509_free(cacert);
MINOR: ssl: Read the file used to generate certificates in any order the file specified by the SSL option 'ca-sign-file' can now contain the CA certificate used to dynamically generate certificates and its private key in any order.
2015-10-09 04:53:31 -04:00
load_error:
bind_conf->generate_certs = 0;
err++;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
return err;
}
/* Release CA cert and private key used to generate certificated */
void
ssl_sock_free_ca(struct bind_conf *bind_conf)
{
if (bind_conf->ca_sign_pkey)
EVP_PKEY_free(bind_conf->ca_sign_pkey);
if (bind_conf->ca_sign_cert)
X509_free(bind_conf->ca_sign_cert);
BUG/MEDIUM: ssl: avoid double free when releasing bind_confs ssl_sock functions don't mark pointers as NULL after freeing them. So if a "bind" line specifies some SSL settings without the "ssl" keyword, they will get freed at the end of check_config_validity(), then freed a second time on exit. Simply mark the pointers as NULL to fix this. This fix needs to be backported to 1.7 and 1.6.
2016-12-22 11:57:46 -05:00
bind_conf->ca_sign_pkey = NULL;
bind_conf->ca_sign_cert = NULL;
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/*
* This function is called if SSL * context is not yet allocated. The function
* is designed to be called before any other data-layer operation and sets the
* handshake flag on the connection. It is safe to call it multiple times.
* It returns 0 on success and -1 in error case.
*/
static int ssl_sock_init(struct connection *conn)
{
/* already initialized */
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (conn->xprt_ctx)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
CLEANUP: connection: use conn_ctrl_ready() instead of checking the flag It's easier and safer to rely on conn_ctrl_ready() everywhere than to check the flag itself. It will also simplify adding extra checks later if needed. Some useless controls for !ctrl have been removed, as the CTRL_READY flag itself guarantees ctrl is set.
2014-01-23 07:50:42 -05:00
if (!conn_ctrl_ready(conn))
MAJOR: connection: add two new flags to indicate readiness of control/transport Currently the control and transport layers of a connection are supposed to be initialized when their respective pointers are not NULL. This will not work anymore when we plan to reuse connections, because there is an asymmetry between the accept() side and the connect() side : - on accept() side, the fd is set first, then the ctrl layer then the transport layer ; upon error, they must be undone in the reverse order, then the FD must be closed. The FD must not be deleted if the control layer was not yet initialized ; - on the connect() side, the fd is set last and there is no reliable way to know if it has been initialized or not. In practice it's initialized to -1 first but this is hackish and supposes that local FDs only will be used forever. Also, there are even less solutions for keeping trace of the transport layer's state. Also it is possible to support delayed close() when something (eg: logs) tracks some information requiring the transport and/or control layers, making it even more difficult to clean them. So the proposed solution is to add two flags to the connection : - CO_FL_CTRL_READY is set when the control layer is initialized (fd_insert) and cleared after it's released (fd_delete). - CO_FL_XPRT_READY is set when the control layer is initialized (xprt->init) and cleared after it's released (xprt->close). The functions have been adapted to rely on this and not on the pointers anymore. conn_xprt_close() was unused and dangerous : it did not close the control layer (eg: the socket itself) but still marks the transport layer as closed, preventing any future call to conn_full_close() from finishing the job. The problem comes from conn_full_close() in fact. It needs to close the xprt and ctrl layers independantly. After that we're still having an issue : we don't know based on ->ctrl alone whether the fd was registered or not. For this we use the two new flags CO_FL_XPRT_READY and CO_FL_CTRL_READY. We now rely on this and not on conn->xprt nor conn->ctrl anymore to decide what remains to be done on the connection. In order not to miss some flag assignments, we introduce conn_ctrl_init() to initialize the control layer, register the fd using fd_insert() and set the flag, and conn_ctrl_close() which unregisters the fd and removes the flag, but only if the transport layer was closed. Similarly, at the transport layer, conn_xprt_init() calls ->init and sets the flag, while conn_xprt_close() checks the flag, calls ->close and clears the flag, regardless xprt_ctx or xprt_st. This also ensures that the ->init and the ->close functions are called only once each and in the correct order. Note that conn_xprt_close() does nothing if the transport layer is still tracked. conn_full_close() now simply calls conn_xprt_close() then conn_full_close() in turn, which do nothing if CO_FL_XPRT_TRACKED is set. In order to handle the error path, we also provide conn_force_close() which ignores CO_FL_XPRT_TRACKED and closes the transport and the control layers in turns. All relevant instances of fd_delete() have been replaced with conn_force_close(). Now we always know what state the connection is in and we can expect to split its initialization.
2013-10-21 10:30:56 -04:00
return 0;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (global.maxsslconn && sslconns >= global.maxsslconn) {
conn->err_code = CO_ER_SSL_TOO_MANY;
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
return -1;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
}
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* If it is in client mode initiate SSL session
in connect state otherwise accept state */
MAJOR: connection: replace struct target with a pointer to an enum Instead of storing a couple of (int, ptr) in the struct connection and the struct session, we use a different method : we only store a pointer to an integer which is stored inside the target object and which contains a unique type identifier. That way, the pointer allows us to retrieve the object type (by dereferencing it) and the object's address (by computing the displacement in the target structure). The NULL pointer always corresponds to OBJ_TYPE_NONE. This reduces the size of the connection and session structs. It also simplifies target assignment and compare. In order to improve the generated code, we try to put the obj_type element at the beginning of all the structs (listener, server, proxy, si_applet), so that the original and target pointers are always equal. A lot of code was touched by massive replaces, but the changes are not that important.
2012-11-11 18:42:33 -05:00
if (objt_server(conn->target)) {
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
int may_retry = 1;
retry_connect:
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* Alloc a new SSL session ctx */
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
conn->xprt_ctx = SSL_new(__objt_server(conn->target)->ssl_ctx.ctx);
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->xprt_ctx) {
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_connect;
}
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return -1;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* set fd on SSL session context */
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
if (!SSL_set_fd(conn->xprt_ctx, conn->handle.fd)) {
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_connect;
}
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
/* set connection pointer */
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
if (!SSL_set_ex_data(conn->xprt_ctx, ssl_app_data_index, conn)) {
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_connect;
}
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
SSL_set_connect_state(conn->xprt_ctx);
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
if (__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr) {
const unsigned char *ptr = __objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr;
SSL_SESSION *sess = d2i_SSL_SESSION(NULL, &ptr, __objt_server(conn->target)->ssl_ctx.reused_sess[tid].size);
if (sess && !SSL_set_session(conn->xprt_ctx, sess)) {
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
SSL_SESSION_free(sess);
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
free(__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr);
__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr = NULL;
MINOR: SSL: Store the ASN1 representation of client sessions. Instead of storing the SSL_SESSION pointer directly in the struct server, store the ASN1 representation, otherwise, session resumption is broken with TLS 1.3, when multiple outgoing connections want to use the same session.
2017-11-16 11:42:52 -05:00
} else if (sess) {
SSL_SESSION_free(sess);
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
}
}
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* leave init state and start handshake */
BUG: ssl: mark the connection as waiting for an SSL connection during the handshake The WAIT_L6_CONN was designed especially to ensure that the connection was not marked ready before the SSL layer was OK, but we forgot to set the flag, resulting in a rejected handshake when ssl was combined with accept-proxy because accept-proxy would validate the connection alone and the SSL handshake would then believe in a client-initiated reneg and kill it.
2012-09-04 02:03:39 -04:00
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
_HA_ATOMIC_ADD(&sslconns, 1);
_HA_ATOMIC_ADD(&totalsslconns, 1);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
}
MAJOR: connection: replace struct target with a pointer to an enum Instead of storing a couple of (int, ptr) in the struct connection and the struct session, we use a different method : we only store a pointer to an integer which is stored inside the target object and which contains a unique type identifier. That way, the pointer allows us to retrieve the object type (by dereferencing it) and the object's address (by computing the displacement in the target structure). The NULL pointer always corresponds to OBJ_TYPE_NONE. This reduces the size of the connection and session structs. It also simplifies target assignment and compare. In order to improve the generated code, we try to put the obj_type element at the beginning of all the structs (listener, server, proxy, si_applet), so that the original and target pointers are always equal. A lot of code was touched by massive replaces, but the changes are not that important.
2012-11-11 18:42:33 -05:00
else if (objt_listener(conn->target)) {
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
int may_retry = 1;
retry_accept:
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* Alloc a new SSL session ctx */
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
conn->xprt_ctx = SSL_new(__objt_listener(conn->target)->bind_conf->initial_ctx);
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->xprt_ctx) {
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_accept;
}
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return -1;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* set fd on SSL session context */
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
if (!SSL_set_fd(conn->xprt_ctx, conn->handle.fd)) {
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_accept;
}
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
/* set connection pointer */
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
if (!SSL_set_ex_data(conn->xprt_ctx, ssl_app_data_index, conn)) {
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
if (may_retry--) {
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_gc(NULL);
BUG/MEDIUM: ssl: force a full GC in case of memory shortage When memory becomes scarce and openssl refuses to allocate a new SSL session, it is worth freeing the pools and trying again instead of rejecting all incoming SSL connection. This can happen when some memory usage limits have been assigned to the haproxy process using -m or with ulimit -m/-v. This is mostly an enhancement of previous fix and is worth backporting to 1.5.
2014-11-13 07:48:58 -05:00
goto retry_accept;
}
BUG/MEDIUM: ssl: fix bad ssl context init can cause segfault in case of OOM. Some SSL context's init functions errors were not handled and can cause a segfault due to an incomplete SSL context initialization. This fix must be backported to 1.5.
2014-11-12 11:35:37 -05:00
conn->err_code = CO_ER_SSL_NO_MEM;
return -1;
}
SSL_set_accept_state(conn->xprt_ctx);
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* leave init state and start handshake */
BUG: ssl: mark the connection as waiting for an SSL connection during the handshake The WAIT_L6_CONN was designed especially to ensure that the connection was not marked ready before the SSL layer was OK, but we forgot to set the flag, resulting in a rejected handshake when ssl was combined with accept-proxy because accept-proxy would validate the connection alone and the SSL handshake would then believe in a client-initiated reneg and kill it.
2012-09-04 02:03:39 -04:00
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
MINOR: ssl: Handle early data with BoringSSL BoringSSL early data differ from OpenSSL 1.1.1 implementation. When early handshake is done, SSL_in_early_data report if SSL_read will be done on early data. CO_FL_EARLY_SSL_HS and CO_FL_EARLY_DATA can be adjust accordingly.
2017-11-23 06:40:07 -05:00
#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
conn->flags |= CO_FL_EARLY_SSL_HS;
#endif
MEDIUM: config: implement maxsslconn in the global section SSL connections take a huge amount of memory, and unfortunately openssl does not check malloc() returns and easily segfaults when too many connections are used. The only solution against this is to provide a global maxsslconn setting to reject SSL connections above the limit in order to avoid reaching unsafe limits.
2012-09-06 05:58:37 -04:00
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
_HA_ATOMIC_ADD(&sslconns, 1);
_HA_ATOMIC_ADD(&totalsslconns, 1);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
}
/* don't know how to handle such a target */
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
conn->err_code = CO_ER_SSL_NO_TARGET;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return -1;
}
/* This is the callback which is used when an SSL handshake is pending. It
* updates the FD status if it wants some polling before being called again.
* It returns 0 if it fails in a fatal way or needs to poll to go further,
* otherwise it returns non-zero and removes itself from the connection's
* flags (the bit is provided in <flag> by the caller).
*/
int ssl_sock_handshake(struct connection *conn, unsigned int flag)
{
int ret;
CLEANUP: connection: use conn_ctrl_ready() instead of checking the flag It's easier and safer to rely on conn_ctrl_ready() everywhere than to check the flag itself. It will also simplify adding extra checks later if needed. Some useless controls for !ctrl have been removed, as the CTRL_READY flag itself guarantees ctrl is set.
2014-01-23 07:50:42 -05:00
if (!conn_ctrl_ready(conn))
MAJOR: connection: add two new flags to indicate readiness of control/transport Currently the control and transport layers of a connection are supposed to be initialized when their respective pointers are not NULL. This will not work anymore when we plan to reuse connections, because there is an asymmetry between the accept() side and the connect() side : - on accept() side, the fd is set first, then the ctrl layer then the transport layer ; upon error, they must be undone in the reverse order, then the FD must be closed. The FD must not be deleted if the control layer was not yet initialized ; - on the connect() side, the fd is set last and there is no reliable way to know if it has been initialized or not. In practice it's initialized to -1 first but this is hackish and supposes that local FDs only will be used forever. Also, there are even less solutions for keeping trace of the transport layer's state. Also it is possible to support delayed close() when something (eg: logs) tracks some information requiring the transport and/or control layers, making it even more difficult to clean them. So the proposed solution is to add two flags to the connection : - CO_FL_CTRL_READY is set when the control layer is initialized (fd_insert) and cleared after it's released (fd_delete). - CO_FL_XPRT_READY is set when the control layer is initialized (xprt->init) and cleared after it's released (xprt->close). The functions have been adapted to rely on this and not on the pointers anymore. conn_xprt_close() was unused and dangerous : it did not close the control layer (eg: the socket itself) but still marks the transport layer as closed, preventing any future call to conn_full_close() from finishing the job. The problem comes from conn_full_close() in fact. It needs to close the xprt and ctrl layers independantly. After that we're still having an issue : we don't know based on ->ctrl alone whether the fd was registered or not. For this we use the two new flags CO_FL_XPRT_READY and CO_FL_CTRL_READY. We now rely on this and not on conn->xprt nor conn->ctrl anymore to decide what remains to be done on the connection. In order not to miss some flag assignments, we introduce conn_ctrl_init() to initialize the control layer, register the fd using fd_insert() and set the flag, and conn_ctrl_close() which unregisters the fd and removes the flag, but only if the transport layer was closed. Similarly, at the transport layer, conn_xprt_init() calls ->init and sets the flag, while conn_xprt_close() checks the flag, calls ->close and clears the flag, regardless xprt_ctx or xprt_st. This also ensures that the ->init and the ->close functions are called only once each and in the correct order. Note that conn_xprt_close() does nothing if the transport layer is still tracked. conn_full_close() now simply calls conn_xprt_close() then conn_full_close() in turn, which do nothing if CO_FL_XPRT_TRACKED is set. In order to handle the error path, we also provide conn_force_close() which ignores CO_FL_XPRT_TRACKED and closes the transport and the control layers in turns. All relevant instances of fd_delete() have been replaced with conn_force_close(). Now we always know what state the connection is in and we can expect to split its initialization.
2013-10-21 10:30:56 -04:00
return 0;
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (!conn->xprt_ctx)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
goto out_error;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
/*
* Check if we have early data. If we do, we have to read them
* before SSL_do_handshake() is called, And there's no way to
* detect early data, except to try to read them
*/
if (conn->flags & CO_FL_EARLY_SSL_HS) {
size_t read_data;
ret = SSL_read_early_data(conn->xprt_ctx, &conn->tmp_early_data,
1, &read_data);
if (ret == SSL_READ_EARLY_DATA_ERROR)
goto check_error;
if (ret == SSL_READ_EARLY_DATA_SUCCESS) {
conn->flags &= ~(CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN);
return 1;
} else
conn->flags &= ~CO_FL_EARLY_SSL_HS;
}
#endif
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
/* If we use SSL_do_handshake to process a reneg initiated by
* the remote peer, it sometimes returns SSL_ERROR_SSL.
* Usually SSL_write and SSL_read are used and process implicitly
* the reneg handshake.
* Here we use SSL_peek as a workaround for reneg.
*/
if ((conn->flags & CO_FL_CONNECTED) && SSL_renegotiate_pending(conn->xprt_ctx)) {
char c;
ret = SSL_peek(conn->xprt_ctx, &c, 1);
if (ret <= 0) {
/* handshake may have not been completed, let's find why */
ret = SSL_get_error(conn->xprt_ctx, ret);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
if (ret == SSL_ERROR_WANT_WRITE) {
/* SSL handshake needs to write, L4 connection may not be ready */
__conn_sock_stop_recv(conn);
MEDIUM: connection: remove conn_{data,sock}_poll_{recv,send} We simply remove these functions and replace their calls with the appropriate ones : - if we're in the data phase, we can simply report wait on the FD - if we're in the socket phase, we may also have to signal the desire to read/write on the socket because it might not be active yet.
2014-01-22 14:02:06 -05:00
__conn_sock_want_send(conn);
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_send(conn->handle.fd);
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
return 0;
}
else if (ret == SSL_ERROR_WANT_READ) {
/* handshake may have been completed but we have
* no more data to read.
*/
if (!SSL_renegotiate_pending(conn->xprt_ctx)) {
ret = 1;
goto reneg_ok;
}
/* SSL handshake needs to read, L4 connection is ready */
if (conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
__conn_sock_stop_send(conn);
MEDIUM: connection: remove conn_{data,sock}_poll_{recv,send} We simply remove these functions and replace their calls with the appropriate ones : - if we're in the data phase, we can simply report wait on the FD - if we're in the socket phase, we may also have to signal the desire to read/write on the socket because it might not be active yet.
2014-01-22 14:02:06 -05:00
__conn_sock_want_recv(conn);
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_recv(conn->handle.fd);
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
return 0;
}
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
else if (ret == SSL_ERROR_WANT_ASYNC) {
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
ssl_async_process_fds(conn, conn->xprt_ctx);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
return 0;
}
#endif
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
else if (ret == SSL_ERROR_SYSCALL) {
/* if errno is null, then connection was successfully established */
if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->err_code) {
BUG/MINOR: ssl: empty connections reported as errors. Empty connection is reported as handshake error even if dont-log-null is specified. This bug affect is a regression du to: BUILD: ssl: fix to build (again) with boringssl New openssl 1.1.1 defines OPENSSL_NO_HEARTBEATS as boring ssl so the test was replaced by OPENSSL_IS_BORINGSSL This fix should be backported on 1.8
2018-08-16 05:36:40 -04:00
#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
conn->err_code = CO_ER_SSL_HANDSHAKE;
#else
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int empty_handshake;
BUILD/MEDIUM: Fixing the build using LibreSSL Fixing the build using LibreSSL as OpenSSL implementation. Currently, LibreSSL 2.4.4 provides the same API of OpenSSL 1.0.1x, but it redefine the OpenSSL version number as 2.0.x, breaking all checks with OpenSSL 1.1.x. The patch solves the issue checking the definition of the symbol LIBRESSL_VERSION_NUMBER when Openssl 1.1.x features are requested.
2016-12-12 04:56:56 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
#else
empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
#endif
if (empty_handshake) {
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
if (!errno) {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
else
conn->err_code = CO_ER_SSL_EMPTY;
}
else {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
else
conn->err_code = CO_ER_SSL_ABORT;
}
}
else {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
else
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
conn->err_code = CO_ER_SSL_HANDSHAKE;
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
}
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
goto out_error;
}
else {
/* Fail on all other handshake errors */
/* Note: OpenSSL may leave unread bytes in the socket's
* buffer, causing an RST to be emitted upon close() on
* TCP sockets. We first try to drain possibly pending
* data to avoid this as much as possible.
*/
REORG: connection: move conn_drain() to connection.c and rename it It's now called conn_sock_drain() to make it clear that it only reads at the sock layer and not at the data layer. The function was too big to remain inlined and it's used at a few places where size counts.
2015-03-12 19:40:28 -04:00
conn_sock_drain(conn);
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->err_code)
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
conn->err_code = (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT) ?
CO_ER_SSL_KILLED_HB : CO_ER_SSL_HANDSHAKE;
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
goto out_error;
}
}
/* read some data: consider handshake completed */
goto reneg_ok;
}
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
ret = SSL_do_handshake(conn->xprt_ctx);
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
check_error:
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret != 1) {
/* handshake did not complete, let's find why */
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
ret = SSL_get_error(conn->xprt_ctx, ret);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret == SSL_ERROR_WANT_WRITE) {
/* SSL handshake needs to write, L4 connection may not be ready */
__conn_sock_stop_recv(conn);
MEDIUM: connection: remove conn_{data,sock}_poll_{recv,send} We simply remove these functions and replace their calls with the appropriate ones : - if we're in the data phase, we can simply report wait on the FD - if we're in the socket phase, we may also have to signal the desire to read/write on the socket because it might not be active yet.
2014-01-22 14:02:06 -05:00
__conn_sock_want_send(conn);
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_send(conn->handle.fd);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
}
else if (ret == SSL_ERROR_WANT_READ) {
/* SSL handshake needs to read, L4 connection is ready */
if (conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
__conn_sock_stop_send(conn);
MEDIUM: connection: remove conn_{data,sock}_poll_{recv,send} We simply remove these functions and replace their calls with the appropriate ones : - if we're in the data phase, we can simply report wait on the FD - if we're in the socket phase, we may also have to signal the desire to read/write on the socket because it might not be active yet.
2014-01-22 14:02:06 -05:00
__conn_sock_want_recv(conn);
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_recv(conn->handle.fd);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
}
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
else if (ret == SSL_ERROR_WANT_ASYNC) {
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
ssl_async_process_fds(conn, conn->xprt_ctx);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
return 0;
}
#endif
BUG/MINOR: ssl: report the L4 connection as established when possible If we get an SSL error during the handshake, we at least try to see if a syscall reported an error or not. In case of an error, it generally means that the connection failed. If there is no error, then the connection established successfully. The difference is important for health checks which report the precise cause to the logs and to the stats.
2012-09-28 14:22:13 -04:00
else if (ret == SSL_ERROR_SYSCALL) {
/* if errno is null, then connection was successfully established */
if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
conn->flags &= ~CO_FL_WAIT_L4_CONN;
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
if (!conn->err_code) {
BUG/MINOR: ssl: empty connections reported as errors. Empty connection is reported as handshake error even if dont-log-null is specified. This bug affect is a regression du to: BUILD: ssl: fix to build (again) with boringssl New openssl 1.1.1 defines OPENSSL_NO_HEARTBEATS as boring ssl so the test was replaced by OPENSSL_IS_BORINGSSL This fix should be backported on 1.8
2018-08-16 05:36:40 -04:00
#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
conn->err_code = CO_ER_SSL_HANDSHAKE;
#else
int empty_handshake;
BUILD/MEDIUM: Fixing the build using LibreSSL Fixing the build using LibreSSL as OpenSSL implementation. Currently, LibreSSL 2.4.4 provides the same API of OpenSSL 1.0.1x, but it redefine the OpenSSL version number as 2.0.x, breaking all checks with OpenSSL 1.1.x. The patch solves the issue checking the definition of the symbol LIBRESSL_VERSION_NUMBER when Openssl 1.1.x features are requested.
2016-12-12 04:56:56 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
empty_handshake = state == TLS_ST_BEFORE;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#else
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
#endif
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
if (empty_handshake) {
if (!errno) {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
else
conn->err_code = CO_ER_SSL_EMPTY;
}
else {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
else
conn->err_code = CO_ER_SSL_ABORT;
}
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
}
else {
if (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT)
conn->err_code = CO_ER_SSL_HANDSHAKE_HB;
else
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
conn->err_code = CO_ER_SSL_HANDSHAKE;
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
MEDIUM: ssl: explicitly log failed handshakes after a heartbeat Add a callback to receive the heartbeat notification. There, we add SSL_SOCK_RECV_HEARTBEAT flag on the ssl session if a heartbeat is seen. If a handshake fails, we log a different message to mention the fact that a heartbeat was seen. The test is only performed on the frontend side.
2014-04-25 13:05:36 -04:00
}
BUG/MINOR: ssl: report the L4 connection as established when possible If we get an SSL error during the handshake, we at least try to see if a syscall reported an error or not. In case of an error, it generally means that the connection failed. If there is no error, then the connection established successfully. The difference is important for health checks which report the precise cause to the logs and to the stats.
2012-09-28 14:22:13 -04:00
goto out_error;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
else {
/* Fail on all other handshake errors */
MINOR: ssl: improve socket behaviour upon handshake abort. While checking haproxy's SSL stack with www.ssllabs.com, it appeared that immediately closing upon a failed handshake caused a TCP reset to be emitted. This is because OpenSSL does not consume pending data in the socket buffers. One side effect is that if the reset packet is lost, the client might not get it. So now when a handshake fails, we try to clean the socket buffers before closing, resulting in a clean FIN instead of an RST.
2012-10-19 14:52:18 -04:00
/* Note: OpenSSL may leave unread bytes in the socket's
* buffer, causing an RST to be emitted upon close() on
* TCP sockets. We first try to drain possibly pending
* data to avoid this as much as possible.
*/
REORG: connection: move conn_drain() to connection.c and rename it It's now called conn_sock_drain() to make it clear that it only reads at the sock layer and not at the data layer. The function was too big to remain inlined and it's used at a few places where size counts.
2015-03-12 19:40:28 -04:00
conn_sock_drain(conn);
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->err_code)
MEDIUM: ssl: implement a workaround for the OpenSSL heartbleed attack Using the previous callback, it's trivial to block the heartbeat attack, first we control the message length, then we emit an SSL error if it is out of bounds. A special log is emitted, indicating that a heartbleed attack was stopped so that they are not confused with other failures. That way, haproxy can protect itself even when running on an unpatched SSL stack. Tests performed with openssl-1.0.1c indicate a total success.
2014-04-25 14:02:39 -04:00
conn->err_code = (conn->xprt_st & SSL_SOCK_RECV_HEARTBEAT) ?
CO_ER_SSL_KILLED_HB : CO_ER_SSL_HANDSHAKE;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
goto out_error;
}
}
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
else {
/*
* If the server refused the early data, we have to send a
* 425 to the client, as we no longer have the data to sent
* them again.
*/
if ((conn->flags & CO_FL_EARLY_DATA) && (objt_server(conn->target))) {
if (SSL_get_early_data_status(conn->xprt_ctx) == SSL_EARLY_DATA_REJECTED) {
conn->err_code = CO_ER_SSL_EARLY_FAILED;
goto out_error;
}
}
}
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
BUG/MEDIUM: ssl: Fix sometimes reneg fails if requested by server. SSL_do_handshake is not appropriate for reneg, it's only appropriate at the beginning of a connection. OpenSSL correctly handles renegs using the data functions, so we use SSL_peek() here to make its state machine progress if SSL_renegotiate_pending() says a reneg is pending.
2012-11-08 13:21:55 -05:00
reneg_ok:
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
/* ASYNC engine API doesn't support moving read/write
* buffers. So we disable ASYNC mode right after
* the handshake to avoid buffer oveflows.
*/
if (global_ssl.async)
SSL_clear_mode(conn->xprt_ctx, SSL_MODE_ASYNC);
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* Handshake succeeded */
MINOR: stats: report SSL key computations per second It's commonly needed to know how many SSL asymmetric keys are computed per second on either side (frontend or backend), and to know the SSL session reuse ratio. Now we compute these values and report them in "show info".
2014-05-28 06:28:58 -04:00
if (!SSL_session_reused(conn->xprt_ctx)) {
if (objt_server(conn->target)) {
update_freq_ctr(&global.ssl_be_keys_per_sec, 1);
if (global.ssl_be_keys_per_sec.curr_ctr > global.ssl_be_keys_max)
global.ssl_be_keys_max = global.ssl_be_keys_per_sec.curr_ctr;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
MINOR: stats: report SSL key computations per second It's commonly needed to know how many SSL asymmetric keys are computed per second on either side (frontend or backend), and to know the SSL session reuse ratio. Now we compute these values and report them in "show info".
2014-05-28 06:28:58 -04:00
else {
update_freq_ctr(&global.ssl_fe_keys_per_sec, 1);
if (global.ssl_fe_keys_per_sec.curr_ctr > global.ssl_fe_keys_max)
global.ssl_fe_keys_max = global.ssl_fe_keys_per_sec.curr_ctr;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
MINOR: ssl: Handle early data with BoringSSL BoringSSL early data differ from OpenSSL 1.1.1 implementation. When early handshake is done, SSL_in_early_data report if SSL_read will be done on early data. CO_FL_EARLY_SSL_HS and CO_FL_EARLY_DATA can be adjust accordingly.
2017-11-23 06:40:07 -05:00
#ifdef OPENSSL_IS_BORINGSSL
if ((conn->flags & CO_FL_EARLY_SSL_HS) && !SSL_in_early_data(conn->xprt_ctx))
conn->flags &= ~CO_FL_EARLY_SSL_HS;
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* The connection is now established at both layers, it's time to leave */
conn->flags &= ~(flag | CO_FL_WAIT_L4_CONN | CO_FL_WAIT_L6_CONN);
return 1;
out_error:
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
/* Clear openssl global errors stack */
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
ERR_clear_error();
BUG/MEDIUM: ssl: subsequent handshakes fail after server configuration changes On server's configuration change, if the previously used cipher is disabled, all subsequent connect attempts fail. Fix consists in freeing cached session on handshake failure.
2012-10-04 11:09:56 -04:00
/* free resumed session if exists */
BUILD: ssl_sock: remove build warnings on potential null-derefs When building with -Wnull-dereferences, gcc sees some cases where a pointer is dereferenced after a check may set it to null. While all of these are already guarded by either a preliminary test or the code's construction (eg: listeners code being called only on listeners), it cannot be blamed for not "seeing" this, so better use the unguarded calls everywhere this happens, particularly after checks. This is a step towards building with -Wextra.
2018-09-20 04:57:52 -04:00
if (objt_server(conn->target) && __objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr) {
free(__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr);
__objt_server(conn->target)->ssl_ctx.reused_sess[tid].ptr = NULL;
BUG/MEDIUM: ssl: subsequent handshakes fail after server configuration changes On server's configuration change, if the previously used cipher is disabled, all subsequent connect attempts fail. Fix consists in freeing cached session on handshake failure.
2012-10-04 11:09:56 -04:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* Fail on all other handshake errors */
conn->flags |= CO_FL_ERROR;
MEDIUM: connection: add error reporting for the SSL Get a bit more info in the logs when client-side SSL handshakes fail.
2012-12-03 10:32:10 -05:00
if (!conn->err_code)
conn->err_code = CO_ER_SSL_HANDSHAKE;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return 0;
}
/* Receive up to <count> bytes from connection <conn>'s socket and store them
BUG/MAJOR: connection: fix mismatch between rcv_buf's API and usage Steve Ruiz reported some reproducible crashes with HTTP health checks on a certain page returning a huge length. The traces he provided clearly showed that the recv() call was performed twice for a total size exceeding the buffer's length. Cyril Bont tracked down the problem to be caused by the full buffer size being passed to rcv_buf() in event_srv_chk_r() instead of passing just the remaining amount of space. Indeed, this change happened during the connection rework in 1.5-dev13 with the following commit : f150317 MAJOR: checks: completely use the connection transport layer But one of the problems is also that the comments at the top of the rcv_buf() functions suggest that the caller only has to ensure the requested size doesn't overflow the buffer's size. Also, these functions already have to care about the buffer's size to handle wrapping free space when there are pending data in the buffer. So let's change the API instead to more closely match what could be expected from these functions : - the caller asks for the maximum amount of bytes it wants to read ; This means that only the caller is responsible for enforcing the reserve if it wants to (eg: checks don't). - the rcv_buf() functions fix their computations to always consider this size as a max, and always perform validity checks based on the buffer's free space. As a result, the code is simplified and reduced, and made more robust for callers which now just have to care about whether they want the buffer to be filled or not. Since the bug was introduced in 1.5-dev13, no backport to stable versions is needed.
2014-01-14 05:31:27 -05:00
* into buffer <buf>. Only one call to recv() is performed, unless the
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
* buffer wraps, in which case a second call may be performed. The connection's
* flags are updated with whatever special event is detected (error, read0,
* empty). The caller is responsible for taking care of those events and
* avoiding the call if inappropriate. The function does not call the
* connection's polling update function, so the caller is responsible for this.
*/
MINOR: connection: add a flags argument to rcv_buf() The mux and transport rcv_buf() now takes a "flags" argument, just like the snd_buf() one or like the equivalent syscall lower part. The upper layers will use this to pass some information such as indicating whether the buffer is free from outgoing data or if the lower layer may allocate the buffer itself.
2018-06-19 00:15:17 -04:00
static size_t ssl_sock_to_buf(struct connection *conn, struct buffer *buf, size_t count, int flags)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
{
MEDIUM: connection: make xprt->rcv_buf() use size_t for the count Just like we have a size_t for xprt->snd_buf(), we adjust to use size_t for rcv_buf()'s count argument and return value. It also removes the ambiguity related to the possibility to see a negative value there.
2018-07-18 05:22:03 -04:00
ssize_t ret;
size_t try, done = 0;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
conn_refresh_polling_flags(conn);
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (!conn->xprt_ctx)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
goto out_error;
if (conn->flags & CO_FL_HANDSHAKE)
/* a handshake was requested */
return 0;
/* read the largest possible block. For this, we perform only one call
* to recv() unless the buffer wraps and we exactly fill the first hunk,
* in which case we accept to do it once again. A new attempt is made on
* EINTR too.
*/
BUG/MAJOR: ssl: fix breakage caused by recent fix abf08d9 Recent commit abf08d9 ("BUG/MAJOR: connection: fix mismatch between rcv_buf's API and usage") accidentely broke SSL by relying on an uninitialized value to enter the read loop. Many thanks to Cyril Bont and Steve Ruiz for reporting this issue.
2014-01-17 05:09:40 -05:00
while (count > 0) {
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
int need_out = 0;
MINOR: buffer: use b_orig() to replace most references to b->data This patch updates most users of b->data to use b_orig().
2018-06-15 11:21:00 -04:00
try = b_contig_space(buf);
if (!try)
break;
BUG/MAJOR: connection: fix mismatch between rcv_buf's API and usage Steve Ruiz reported some reproducible crashes with HTTP health checks on a certain page returning a huge length. The traces he provided clearly showed that the recv() call was performed twice for a total size exceeding the buffer's length. Cyril Bont tracked down the problem to be caused by the full buffer size being passed to rcv_buf() in event_srv_chk_r() instead of passing just the remaining amount of space. Indeed, this change happened during the connection rework in 1.5-dev13 with the following commit : f150317 MAJOR: checks: completely use the connection transport layer But one of the problems is also that the comments at the top of the rcv_buf() functions suggest that the caller only has to ensure the requested size doesn't overflow the buffer's size. Also, these functions already have to care about the buffer's size to handle wrapping free space when there are pending data in the buffer. So let's change the API instead to more closely match what could be expected from these functions : - the caller asks for the maximum amount of bytes it wants to read ; This means that only the caller is responsible for enforcing the reserve if it wants to (eg: checks don't). - the rcv_buf() functions fix their computations to always consider this size as a max, and always perform validity checks based on the buffer's free space. As a result, the code is simplified and reduced, and made more robust for callers which now just have to care about whether they want the buffer to be filled or not. Since the bug was introduced in 1.5-dev13, no backport to stable versions is needed.
2014-01-14 05:31:27 -05:00
if (try > count)
try = count;
MINOR: buffer: use b_orig() to replace most references to b->data This patch updates most users of b->data to use b_orig().
2018-06-15 11:21:00 -04:00
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
if (((conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_EARLY_DATA)) == CO_FL_EARLY_SSL_HS) &&
conn->tmp_early_data != -1) {
MINOR: buffer: remove bi_end() It was replaced by ci_tail() when the channel is known, or b_tail() in other cases.
2018-06-07 12:46:28 -04:00
*b_tail(buf) = conn->tmp_early_data;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
done++;
try--;
count--;
MINOR: buffer: Use b_add()/bo_add() instead of accessing b->i/b->o. Use the newly available functions instead of using the buffer fields directly.
2018-06-28 12:17:23 -04:00
b_add(buf, 1);
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
conn->tmp_early_data = -1;
continue;
}
BUG/MAJOR: connection: fix mismatch between rcv_buf's API and usage Steve Ruiz reported some reproducible crashes with HTTP health checks on a certain page returning a huge length. The traces he provided clearly showed that the recv() call was performed twice for a total size exceeding the buffer's length. Cyril Bont tracked down the problem to be caused by the full buffer size being passed to rcv_buf() in event_srv_chk_r() instead of passing just the remaining amount of space. Indeed, this change happened during the connection rework in 1.5-dev13 with the following commit : f150317 MAJOR: checks: completely use the connection transport layer But one of the problems is also that the comments at the top of the rcv_buf() functions suggest that the caller only has to ensure the requested size doesn't overflow the buffer's size. Also, these functions already have to care about the buffer's size to handle wrapping free space when there are pending data in the buffer. So let's change the API instead to more closely match what could be expected from these functions : - the caller asks for the maximum amount of bytes it wants to read ; This means that only the caller is responsible for enforcing the reserve if it wants to (eg: checks don't). - the rcv_buf() functions fix their computations to always consider this size as a max, and always perform validity checks based on the buffer's free space. As a result, the code is simplified and reduced, and made more robust for callers which now just have to care about whether they want the buffer to be filled or not. Since the bug was introduced in 1.5-dev13, no backport to stable versions is needed.
2014-01-14 05:31:27 -05:00
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (conn->flags & CO_FL_EARLY_SSL_HS) {
size_t read_length;
ret = SSL_read_early_data(conn->xprt_ctx,
MINOR: buffer: remove bi_end() It was replaced by ci_tail() when the channel is known, or b_tail() in other cases.
2018-06-07 12:46:28 -04:00
b_tail(buf), try, &read_length);
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
if (ret == SSL_READ_EARLY_DATA_SUCCESS &&
read_length > 0)
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
conn->flags |= CO_FL_EARLY_DATA;
if (ret == SSL_READ_EARLY_DATA_SUCCESS ||
ret == SSL_READ_EARLY_DATA_FINISH) {
if (ret == SSL_READ_EARLY_DATA_FINISH) {
/*
* We're done reading the early data,
* let's make the handshake
*/
conn->flags &= ~CO_FL_EARLY_SSL_HS;
conn->flags |= CO_FL_SSL_WAIT_HS;
need_out = 1;
if (read_length == 0)
break;
}
ret = read_length;
}
} else
#endif
MINOR: buffer: remove bi_end() It was replaced by ci_tail() when the channel is known, or b_tail() in other cases.
2018-06-07 12:46:28 -04:00
ret = SSL_read(conn->xprt_ctx, b_tail(buf), try);
MINOR: ssl: Handle early data with BoringSSL BoringSSL early data differ from OpenSSL 1.1.1 implementation. When early handshake is done, SSL_in_early_data report if SSL_read will be done on early data. CO_FL_EARLY_SSL_HS and CO_FL_EARLY_DATA can be adjust accordingly.
2017-11-23 06:40:07 -05:00
#ifdef OPENSSL_IS_BORINGSSL
if (conn->flags & CO_FL_EARLY_SSL_HS) {
if (SSL_in_early_data(conn->xprt_ctx)) {
if (ret > 0)
conn->flags |= CO_FL_EARLY_DATA;
} else {
BUG/MINOR: ssl: CO_FL_EARLY_DATA removal is managed by stream Manage BoringSSL early_data as it is with openssl 1.1.1.
2017-11-27 10:14:40 -05:00
conn->flags &= ~(CO_FL_EARLY_SSL_HS);
MINOR: ssl: Handle early data with BoringSSL BoringSSL early data differ from OpenSSL 1.1.1 implementation. When early handshake is done, SSL_in_early_data report if SSL_read will be done on early data. CO_FL_EARLY_SSL_HS and CO_FL_EARLY_DATA can be adjust accordingly.
2017-11-23 06:40:07 -05:00
}
}
#endif
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
if (conn->flags & CO_FL_ERROR) {
/* CO_FL_ERROR may be set by ssl_sock_infocbk */
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
goto out_error;
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret > 0) {
MINOR: buffer: Use b_add()/bo_add() instead of accessing b->i/b->o. Use the newly available functions instead of using the buffer fields directly.
2018-06-28 12:17:23 -04:00
b_add(buf, ret);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
done += ret;
count -= ret;
}
else {
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
ret = SSL_get_error(conn->xprt_ctx, ret);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret == SSL_ERROR_WANT_WRITE) {
BUG/MEDIUM: ssl: review polling on reneg. SSL may return SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ when switching from data to handshake even if it does not need to poll first.
2012-11-08 11:56:20 -05:00
/* handshake is running, and it needs to enable write */
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
conn->flags |= CO_FL_SSL_WAIT_HS;
BUG/MEDIUM: ssl: review polling on reneg. SSL may return SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ when switching from data to handshake even if it does not need to poll first.
2012-11-08 11:56:20 -05:00
__conn_sock_want_send(conn);
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
/* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async)
SSL_set_mode(conn->xprt_ctx, SSL_MODE_ASYNC);
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
break;
}
else if (ret == SSL_ERROR_WANT_READ) {
BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled. SSL may decide to switch to a handshake in the middle of a transfer due to a reneg. In this case we don't want to re-enable polling because data might have been left pending in the buffer. We just want to switch immediately to the handshake mode.
2012-11-08 12:02:56 -05:00
if (SSL_renegotiate_pending(conn->xprt_ctx)) {
/* handshake is running, and it may need to re-enable read */
conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_recv(conn);
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
/* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async)
SSL_set_mode(conn->xprt_ctx, SSL_MODE_ASYNC);
#endif
BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled. SSL may decide to switch to a handshake in the middle of a transfer due to a reneg. In this case we don't want to re-enable polling because data might have been left pending in the buffer. We just want to switch immediately to the handshake mode.
2012-11-08 12:02:56 -05:00
break;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* we need to poll for retry a read later */
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_recv(conn->handle.fd);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
break;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
} else if (ret == SSL_ERROR_ZERO_RETURN)
goto read0;
BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the connection must be shut down for reading. Else, the connection loops infinitly, consuming all the CPU. The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in 1.8 too.
2018-02-19 08:25:15 -05:00
/* For SSL_ERROR_SYSCALL, make sure to clear the error
* stack before shutting down the connection for
* reading. */
BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. Bart Geesink reported some random errors appearing under the form of termination flags SD in the logs for connections involving SSL traffic to reach the servers. Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens that the special case of SSL_ERROR_SYSCALL isn't handled anymore since this commit. SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL, without meaning the connection is gone. Before flagging the connection as in error, check the errno value. This should be backported to 1.8.
2018-02-13 09:17:23 -05:00
if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
goto clear_ssl_error;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* otherwise it's a real error */
goto out_error;
}
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
if (need_out)
break;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
leave:
conn_cond_update_sock_polling(conn);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return done;
BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the connection must be shut down for reading. Else, the connection loops infinitly, consuming all the CPU. The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in 1.8 too.
2018-02-19 08:25:15 -05:00
clear_ssl_error:
/* Clear openssl global errors stack */
ssl_sock_dump_errors(conn);
ERR_clear_error();
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
read0:
conn_sock_read0(conn);
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
goto leave;
BUG/MEDIUM: ssl: Shutdown the connection for reading on SSL_ERROR_SYSCALL When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the connection must be shut down for reading. Else, the connection loops infinitly, consuming all the CPU. The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in 1.8 too.
2018-02-19 08:25:15 -05:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
out_error:
BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as unrecovarable. Bart Geesink reported some random errors appearing under the form of termination flags SD in the logs for connections involving SSL traffic to reach the servers. Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens that the special case of SSL_ERROR_SYSCALL isn't handled anymore since this commit. SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL, without meaning the connection is gone. Before flagging the connection as in error, check the errno value. This should be backported to 1.8.
2018-02-13 09:17:23 -05:00
conn->flags |= CO_FL_ERROR;
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
/* Clear openssl global errors stack */
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
ERR_clear_error();
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
goto leave;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
/* Send up to <count> pending bytes from buffer <buf> to connection <conn>'s
* socket. <flags> may contain some CO_SFL_* flags to hint the system about
* other pending data for example, but this flag is ignored at the moment.
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
* Only one call to send() is performed, unless the buffer wraps, in which case
* a second call may be performed. The connection's flags are updated with
* whatever special event is detected (error, empty). The caller is responsible
* for taking care of those events and avoiding the call if inappropriate. The
* function does not call the connection's polling update function, so the caller
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
* is responsible for this. The buffer's output is not adjusted, it's up to the
* caller to take care of this. It's up to the caller to update the buffer's
* contents based on the return value.
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
*/
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
static size_t ssl_sock_from_buf(struct connection *conn, const struct buffer *buf, size_t count, int flags)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
{
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
ssize_t ret;
size_t try, done;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
done = 0;
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
conn_refresh_polling_flags(conn);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (!conn->xprt_ctx)
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
goto out_error;
if (conn->flags & CO_FL_HANDSHAKE)
/* a handshake was requested */
return 0;
/* send the largest possible block. For this we perform only one call
* to send() unless the buffer wraps and we exactly fill the first hunk,
* in which case we accept to do it once again.
*/
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
while (count) {
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
size_t written_data;
#endif
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
try = b_contig_data(buf, done);
if (try > count)
try = count;
MINOR: ssl: add a global tunable for the max SSL/TLS record size Add new tunable "tune.ssl.maxrecord". Over SSL/TLS, the client can decipher the data only once it has received a full record. With large records, it means that clients might have to download up to 16kB of data before starting to process them. Limiting the record size can improve page load times on browsers located over high latency or low bandwidth networks. It is suggested to find optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled), keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and 2859 gave good results during tests. Use "strace -e trace=write" to find the best value. This trick was first suggested by Mike Belshe : http://www.belshe.com/2010/12/17/performance-and-the-tls-record-size/ Then requested again by Ilya Grigorik who provides some hints here : http://ofps.oreilly.com/titles/9781449344764/_transport_layer_security_tls.html#ch04_00000101
2013-02-21 01:46:09 -05:00
OPTIM: ssl: implement dynamic record size adjustment By having the stream interface pass the CF_STREAMER flag to the snd_buf() primitive, we're able to tell the send layer whether we're sending large chunks or small ones. We use this information in SSL to adjust the max record dynamically. This results in small chunks respecting tune.ssl.maxrecord at the beginning of a transfer or for small transfers, with an automatic switch to full records if the exchanges last long. This allows the receiver to parse HTML contents on the fly without having to retrieve 16kB of data, which is even more important with small initcwnd since the receiver does not need to wait for round trips to start fetching new objects. However, sending large files still produces large chunks. For example, with tune.ssl.maxrecord = 2859, we see 5 write(2885) sent in two segments each and 6 write(16421). This idea was first proposed on the haproxy mailing list by Ilya Grigorik.
2014-02-01 20:00:24 -05:00
if (!(flags & CO_SFL_STREAMER) &&
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
!(conn->xprt_st & SSL_SOCK_SEND_UNLIMITED) &&
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.max_record && try > global_ssl.max_record) {
try = global_ssl.max_record;
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
}
else {
/* we need to keep the information about the fact that
* we're not limiting the upcoming send(), because if it
* fails, we'll have to retry with at least as many data.
*/
conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
}
MINOR: ssl: add a global tunable for the max SSL/TLS record size Add new tunable "tune.ssl.maxrecord". Over SSL/TLS, the client can decipher the data only once it has received a full record. With large records, it means that clients might have to download up to 16kB of data before starting to process them. Limiting the record size can improve page load times on browsers located over high latency or low bandwidth networks. It is suggested to find optimal values which fit into 1 or 2 TCP segments (generally 1448 bytes over Ethernet with TCP timestamps enabled, or 1460 when timestamps are disabled), keeping in mind that SSL/TLS add some overhead. Typical values of 1419 and 2859 gave good results during tests. Use "strace -e trace=write" to find the best value. This trick was first suggested by Mike Belshe : http://www.belshe.com/2010/12/17/performance-and-the-tls-record-size/ Then requested again by Ilya Grigorik who provides some hints here : http://ofps.oreilly.com/titles/9781449344764/_transport_layer_security_tls.html#ch04_00000101
2013-02-21 01:46:09 -05:00
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
if (!SSL_is_init_finished(conn->xprt_ctx)) {
unsigned int max_early;
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
if (objt_listener(conn->target))
max_early = SSL_get_max_early_data(conn->xprt_ctx);
else {
if (SSL_get0_session(conn->xprt_ctx))
max_early = SSL_SESSION_get_max_early_data(SSL_get0_session(conn->xprt_ctx));
else
max_early = 0;
}
MINOR: ssl: Handle reading early data after writing better. It can happen that we want to read early data, write some, and then continue reading them. To do so, we can't reuse tmp_early_data to store the amount of data sent, so introduce a new member. If we read early data, then ssl_sock_to_buf() is now the only responsible for getting back to the handshake, to make sure we don't miss any early data.
2017-11-23 12:21:29 -05:00
if (try + conn->sent_early_data > max_early) {
try -= (try + conn->sent_early_data) - max_early;
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
if (try <= 0) {
MINOR: ssl: Handle reading early data after writing better. It can happen that we want to read early data, write some, and then continue reading them. To do so, we can't reuse tmp_early_data to store the amount of data sent, so introduce a new member. If we read early data, then ssl_sock_to_buf() is now the only responsible for getting back to the handshake, to make sure we don't miss any early data.
2017-11-23 12:21:29 -05:00
if (!(conn->flags & CO_FL_EARLY_SSL_HS))
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
break;
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
}
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
}
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
ret = SSL_write_early_data(conn->xprt_ctx, b_peek(buf, done), try, &written_data);
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
if (ret == 1) {
ret = written_data;
MINOR: ssl: Handle reading early data after writing better. It can happen that we want to read early data, write some, and then continue reading them. To do so, we can't reuse tmp_early_data to store the amount of data sent, so introduce a new member. If we read early data, then ssl_sock_to_buf() is now the only responsible for getting back to the handshake, to make sure we don't miss any early data.
2017-11-23 12:21:29 -05:00
conn->sent_early_data += ret;
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
if (objt_server(conn->target)) {
conn->flags &= ~CO_FL_EARLY_SSL_HS;
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN | CO_FL_EARLY_DATA;
}
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
}
} else
#endif
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
ret = SSL_write(conn->xprt_ctx, b_peek(buf, done), try);
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
if (conn->flags & CO_FL_ERROR) {
/* CO_FL_ERROR may be set by ssl_sock_infocbk */
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
goto out_error;
MEDIUM: ssl: protect against client-initiated renegociation CVE-2009-3555 suggests that client-initiated renegociation should be prevented in the middle of data. The workaround here consists in having the SSL layer notify our callback about a handshake occurring, which in turn causes the connection to be marked in the error state if it was already considered established (which means if a previous handshake was completed). The result is that the connection with the client is immediately aborted and any pending data are dropped.
2012-09-03 14:36:47 -04:00
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret > 0) {
BUG/MEDIUM: connections: Add the CO_FL_CONNECTED flag if a send succeeded. If a send succeeded, add the CO_FL_CONNECTED flag, the send may have been called by the upper layers before we even realized we were connected, and we may even read the response before we get the information, and si_cs_recv() has to know if we were connected or not. This should be backported to 1.9.
2019-01-17 13:09:11 -05:00
/* A send succeeded, so we can consier ourself connected */
conn->flags |= CO_FL_CONNECTED;
BUG/MEDIUM: ssl: always send a full buffer after EAGAIN Igor Chan reported a very interesting bug which was triggered by the recent dynamic size change in SSL. The OpenSSL API refuses to send less data than any failed previous attempt. So what's happening is that if an SSL_write() in streaming mode sends 5kB of data and the openssl layer cannot send them all, it returns SSL_ERROR_WANT_WRITE, which haproxy reacts to by enabling polling on the file descriptor. In the mean time, haproxy may detect that the buffer was almost full and will disable streaming mode. Upon write notification, it will try to send again, but less data this time (limited to tune.ssl_max_record). OpenSSL disagrees with this and returns a generic error SSL_ERROR_SSL. The solution which was found consists in adding a flag to the SSL context to remind that we must not shrink writes after a failed attempt. Thus, if EAGAIN is encountered, the next send() will not be limited in order to retry the same size as before.
2014-02-17 09:43:01 -05:00
conn->xprt_st &= ~SSL_SOCK_SEND_UNLIMITED;
MEDIUM: connection: make xprt->snd_buf() take the byte count in argument This way the senders don't need to modify the buffer's metadata anymore nor to know about the output's split point. This way the functions can take a const buffer and it's clearer who's in charge of updating the buffer after a send. That's why the buffer realignment is now performed by the caller of the transport's snd_buf() functions. The return type was updated to return a size_t to comply with the count argument.
2018-06-14 12:31:46 -04:00
count -= ret;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
done += ret;
}
else {
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
ret = SSL_get_error(conn->xprt_ctx, ret);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
if (ret == SSL_ERROR_WANT_WRITE) {
BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled. SSL may decide to switch to a handshake in the middle of a transfer due to a reneg. In this case we don't want to re-enable polling because data might have been left pending in the buffer. We just want to switch immediately to the handshake mode.
2012-11-08 12:02:56 -05:00
if (SSL_renegotiate_pending(conn->xprt_ctx)) {
/* handshake is running, and it may need to re-enable write */
conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_send(conn);
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
/* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async)
SSL_set_mode(conn->xprt_ctx, SSL_MODE_ASYNC);
#endif
BUG/MEDIUM: ssl: Fix some reneg cases not correctly handled. SSL may decide to switch to a handshake in the middle of a transfer due to a reneg. In this case we don't want to re-enable polling because data might have been left pending in the buffer. We just want to switch immediately to the handshake mode.
2012-11-08 12:02:56 -05:00
break;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* we need to poll to retry a write later */
REORG/MEDIUM: connection: introduce the notion of connection handle Till now connections used to rely exclusively on file descriptors. It was planned in the past that alternative solutions would be implemented, leading to member "union t" presenting sock.fd only for now. With QUIC, the connection will need to continue to exist but will not rely on a file descriptor but a connection ID. So this patch introduces a "connection handle" which is either a file descriptor or a connection ID, to replace the existing "union t". We've now removed the intermediate "struct sock" which was never used. There is no functional change at all, though the struct connection was inflated by 32 bits on 64-bit platforms due to alignment.
2017-08-24 08:31:19 -04:00
fd_cant_send(conn->handle.fd);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
break;
}
else if (ret == SSL_ERROR_WANT_READ) {
BUG/MEDIUM: ssl: review polling on reneg. SSL may return SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ when switching from data to handshake even if it does not need to poll first.
2012-11-08 11:56:20 -05:00
/* handshake is running, and it needs to enable read */
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
conn->flags |= CO_FL_SSL_WAIT_HS;
BUG/MEDIUM: ssl: review polling on reneg. SSL may return SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ when switching from data to handshake even if it does not need to poll first.
2012-11-08 11:56:20 -05:00
__conn_sock_want_recv(conn);
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
BUG/MAJOR: ssl: buffer overflow using offloaded ciphering on async engine The Openssl's ASYNC API does'nt support moving buffers on SSL_read/write This patch disables the ASYNC mode dynamically when the handshake is left and re-enables it on reneg.
2017-06-06 08:35:14 -04:00
/* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async)
SSL_set_mode(conn->xprt_ctx, SSL_MODE_ASYNC);
#endif
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
break;
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
goto out_error;
}
}
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
leave:
conn_cond_update_sock_polling(conn);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
return done;
out_error:
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
/* Clear openssl global errors stack */
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
ERR_clear_error();
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
conn->flags |= CO_FL_ERROR;
MINOR: ssl_sock: make use of CO_FL_WILL_UPDATE Now when ssl_sock_{to,from}_buf are called, if the connection doesn't feature CO_FL_WILL_UPDATE, they will first retrieve the updated flags using conn_refresh_polling_flags() before changing any flag, then call conn_cond_update_sock_polling() before leaving, to commit such changes.
2017-10-25 03:32:15 -04:00
goto leave;
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
static void ssl_sock_close(struct connection *conn) {
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
if (conn->xprt_ctx) {
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
if (global_ssl.async) {
OSSL_ASYNC_FD all_fd[32], afd;
size_t num_all_fds = 0;
int i;
SSL_get_all_async_fds(conn->xprt_ctx, NULL, &num_all_fds);
if (num_all_fds > 32) {
send_log(NULL, LOG_EMERG, "haproxy: openssl returns too many async fds. It seems a bug. Process may crash\n");
return;
}
SSL_get_all_async_fds(conn->xprt_ctx, all_fd, &num_all_fds);
/* If an async job is pending, we must try to
to catch the end using polling before calling
SSL_free */
if (num_all_fds && SSL_waiting_for_async(conn->xprt_ctx)) {
for (i=0 ; i < num_all_fds ; i++) {
/* switch on an handler designed to
* handle the SSL_free
*/
afd = all_fd[i];
fdtab[afd].iocb = ssl_async_fd_free;
fdtab[afd].owner = conn->xprt_ctx;
fd_want_recv(afd);
BUG/MAJOR: ssl: fix segfault on connection close using async engines. This patch ensure that the ASYNC fd handlers won't be wake up too early, disabling the event cache for this fd on connection close and when a WANT_ASYNC is rised by Openssl. The calls to SSL_read/SSL_write/SSL_do_handshake before rising a real read event from the ASYNC fd, generated an EAGAIN followed by a context switch for some engines, or a blocked read for the others. On connection close it resulted in a too early call to SSL_free followed by a segmentation fault.
2017-05-31 06:02:53 -04:00
/* To ensure that the fd cache won't be used
* and we'll catch a real RD event.
*/
fd_cant_recv(afd);
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
}
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
conn->xprt_ctx = NULL;
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
_HA_ATOMIC_ADD(&jobs, 1);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
return;
}
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
/* Else we can remove the fds from the fdtab
* and call SSL_free.
* note: we do a fd_remove and not a delete
* because the fd is owned by the engine.
* the engine is responsible to close
*/
for (i=0 ; i < num_all_fds ; i++)
fd_remove(all_fd[i]);
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
}
#endif
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
MEDIUM: ssl: Use the new _HA_ATOMIC_* macros. Use the new _HA_ATOMIC_* macros and add barriers where needed.
2019-03-08 12:54:43 -05:00
_HA_ATOMIC_SUB(&sslconns, 1);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
}
/* This function tries to perform a clean shutdown on an SSL connection, and in
* any case, flags the connection as reusable if no handshake was in progress.
*/
static void ssl_sock_shutw(struct connection *conn, int clean)
{
if (conn->flags & CO_FL_HANDSHAKE)
return;
BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL With BoringSSL: SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed. "SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown) were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by causing the implementation to believe the events already happened. It is an error to use SSL_set_shutdown to unset a bit that has already been set. Doing so will trigger an assert in debug builds and otherwise be ignored. Use SSL_CTX_set_quiet_shutdown instead." Change logic to not notify on SSL_shutdown when connection is not clean.
2017-01-08 08:07:39 -05:00
if (!clean)
/* don't sent notify on SSL_shutdown */
BUG/MAJOR: ssl: fix a regression in ssl_sock_shutw() Commit 405ff31 ("BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL") introduced a regression causing some random crashes apparently due to memory corruption. The issue is the use of SSL_CTX_set_quiet_shutdown() instead of SSL_set_quiet_shutdown(), making it use a different structure and causing the flag to be put who-knows-where. Many thanks to Jarno Huuskonen who reported this bug early and who bisected the issue to spot this patch. No backport is needed, this is 1.8-specific.
2017-02-13 05:12:29 -05:00
SSL_set_quiet_shutdown(conn->xprt_ctx, 1);
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/* no handshake was in progress, try a clean ssl shutdown */
BUG/MINOR: ssl: assert on SSL_set_shutdown with BoringSSL With BoringSSL: SSL_set_shutdown: Assertion `(SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)' failed. "SSL_set_shutdown causes ssl to behave as if the shutdown bitmask (see SSL_get_shutdown) were mode. This may be used to skip sending or receiving close_notify in SSL_shutdown by causing the implementation to believe the events already happened. It is an error to use SSL_set_shutdown to unset a bit that has already been set. Doing so will trigger an assert in debug builds and otherwise be ignored. Use SSL_CTX_set_quiet_shutdown instead." Change logic to not notify on SSL_shutdown when connection is not clean.
2017-01-08 08:07:39 -05:00
if (SSL_shutdown(conn->xprt_ctx) <= 0) {
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
/* Clear openssl global errors stack */
MINOR: ssl: add debug traces Add some debug trace when haproxy is configured in debug & verbose mode. This is useful for openssl tests. Typically, the error "SSL handshake failure" can be caused by a lot of protocol error. This patch details the encountered error. For exemple: OpenSSL error 0x1408a0c1: ssl3_get_client_hello: no shared cipher Note that my compilator (gcc-4.7) refuse to considers the function ssl_sock_dump_errors() as inline. The condition "if" ensure that the content of the function is not executed in normal case. It should be a pity to call a function just for testing its execution condition, so I use the macro "forceinline".
2016-10-10 05:59:50 -04:00
ssl_sock_dump_errors(conn);
BUG/MEDIUM: ssl: Prevent ssl error from affecting other connections. J. Maurice reported that ssllabs.com test affects unrelated legitimate traffic and cause SSL errors and broken connections. Sometimes openssl store read/write/handshake errors in a global stack. This stack is not specific to the current session. Openssl API does not clean the stack at the beginning of a new read/write. And the function used to retrieve error ID after read/write, returns the generic error SSL_ERROR_SSL if the global stack is not empty. The fix consists in cleaning the errors stack after read/write/handshake errors.
2012-12-14 05:21:13 -05:00
ERR_clear_error();
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
}
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
/* used for ppv2 pkey alog (can be used for logging) */
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
int ssl_sock_get_pkey_algo(struct connection *conn, struct buffer *out)
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
{
struct pkey_info *pkinfo;
int bits = 0;
int sig = TLSEXT_signature_anonymous;
int len = -1;
if (!ssl_sock_is_ssl(conn))
return 0;
BUG/MEDIUM: ssl: do not store pkinfo with SSL_set_ex_data Bug from 96b7834e: pkinfo is stored on SSL_CTX ex_data and should not be also stored on SSL ex_data without reservation. Simply extract pkinfo from SSL_CTX in ssl_sock_get_pkey_algo. No backport needed.
2018-06-18 06:44:19 -04:00
pkinfo = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(conn->xprt_ctx), ssl_pkey_info_index);
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
if (pkinfo) {
sig = pkinfo->sig;
bits = pkinfo->bits;
} else {
/* multicert and generated cert have no pkey info */
X509 *crt;
EVP_PKEY *pkey;
crt = SSL_get_certificate(conn->xprt_ctx);
if (!crt)
return 0;
pkey = X509_get_pubkey(crt);
if (pkey) {
bits = EVP_PKEY_bits(pkey);
switch(EVP_PKEY_base_id(pkey)) {
case EVP_PKEY_RSA:
sig = TLSEXT_signature_rsa;
break;
case EVP_PKEY_EC:
sig = TLSEXT_signature_ecdsa;
break;
case EVP_PKEY_DSA:
sig = TLSEXT_signature_dsa;
break;
}
EVP_PKEY_free(pkey);
}
}
switch(sig) {
case TLSEXT_signature_rsa:
len = chunk_printf(out, "RSA%d", bits);
break;
case TLSEXT_signature_ecdsa:
len = chunk_printf(out, "EC%d", bits);
break;
case TLSEXT_signature_dsa:
len = chunk_printf(out, "DSA%d", bits);
break;
default:
return 0;
}
if (len < 0)
return 0;
return 1;
}
MINOR: ssl: add ssl_sock_get_cert_sig function ssl_sock_get_cert_sig can be used to report cert signature short name to log and ppv2 (RSA-SHA256).
2017-11-02 09:05:23 -04:00
/* used for ppv2 cert signature (can be used for logging) */
const char *ssl_sock_get_cert_sig(struct connection *conn)
{
__OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
X509 *crt;
if (!ssl_sock_is_ssl(conn))
return NULL;
crt = SSL_get_certificate(conn->xprt_ctx);
if (!crt)
return NULL;
X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
return OBJ_nid2sn(OBJ_obj2nid(algorithm));
}
MINOR: connection: add proxy-v2-options authority This patch add option PP2_TYPE_AUTHORITY to proxy protocol v2 when a TLS connection was negotiated. In this case, authority corresponds to the sni.
2018-02-01 12:29:59 -05:00
/* used for ppv2 authority */
const char *ssl_sock_get_sni(struct connection *conn)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (!ssl_sock_is_ssl(conn))
return NULL;
return SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
#else
return 0;
#endif
}
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
/* used for logging/ppv2, may be changed for a sample fetch later */
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
const char *ssl_sock_get_cipher_name(struct connection *conn)
{
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
if (!ssl_sock_is_ssl(conn))
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
return NULL;
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
return SSL_get_cipher_name(conn->xprt_ctx);
}
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
/* used for logging/ppv2, may be changed for a sample fetch later */
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
const char *ssl_sock_get_proto_version(struct connection *conn)
{
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
if (!ssl_sock_is_ssl(conn))
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
return NULL;
MINOR: merge ssl_sock_get calls for log and ppv2 Merge ssl_sock_get_version and ssl_sock_get_proto_version. Change ssl_sock_get_cipher to be used in ppv2.
2017-10-13 10:59:49 -04:00
MEDIUM: log: report SSL ciphers and version in logs using logformat %sslc/%sslv These two new log-format tags report the SSL protocol version (%sslv) and the SSL ciphers (%sslc) used for the connection with the client. For instance, to append these information just after the client's IP/port address information on an HTTP log line, use the following configuration : log-format %Ci:%Cp\ %sslv:%sslc\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ %cc\ \ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r It will report a line such as the following one : Oct 12 20:47:30 haproxy[9643]: 127.0.0.1:43602 TLSv1:AES-SHA [12/Oct/2012:20:47:30.303] stick2~ stick2/s1 7/0/12/0/19 200 145 - - ---- 0/0/0/0/0 0/0 "GET /?t=0 HTTP/1.0"
2012-10-12 14:17:54 -04:00
return SSL_get_version(conn->xprt_ctx);
}
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
/* Extract a serial from a cert, and copy it to a chunk.
* Returns 1 if serial is found and copied, 0 if no serial found and
* -1 if output is not large enough.
*/
static int
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
ssl_sock_get_serial(X509 *crt, struct buffer *out)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
{
ASN1_INTEGER *serial;
serial = X509_get_serialNumber(crt);
if (!serial)
return 0;
if (out->size < serial->length)
return -1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(out->area, serial->data, serial->length);
out->data = serial->length;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
return 1;
}
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
/* Extract a cert to der, and copy it to a chunk.
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* Returns 1 if the cert is found and copied, 0 on der conversion failure
* and -1 if the output is not large enough.
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
*/
static int
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
ssl_sock_crt2der(X509 *crt, struct buffer *out)
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
{
int len;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
unsigned char *p = (unsigned char *) out->area;;
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
len =i2d_X509(crt, NULL);
if (len <= 0)
return 1;
if (out->size < len)
return -1;
i2d_X509(crt,&p);
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
out->data = len;
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
return 1;
}
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
/* Copy Date in ASN1_UTCTIME format in struct buffer out.
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
* Returns 1 if serial is found and copied, 0 if no valid time found
* and -1 if output is not large enough.
*/
static int
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
ssl_sock_get_time(ASN1_TIME *tm, struct buffer *out)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
{
if (tm->type == V_ASN1_GENERALIZEDTIME) {
ASN1_GENERALIZEDTIME *gentm = (ASN1_GENERALIZEDTIME *)tm;
if (gentm->length < 12)
return 0;
if (gentm->data[0] != 0x32 || gentm->data[1] != 0x30)
return 0;
if (out->size < gentm->length-2)
return -1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(out->area, gentm->data+2, gentm->length-2);
out->data = gentm->length-2;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
return 1;
}
else if (tm->type == V_ASN1_UTCTIME) {
ASN1_UTCTIME *utctm = (ASN1_UTCTIME *)tm;
if (utctm->length < 10)
return 0;
if (utctm->data[0] >= 0x35)
return 0;
if (out->size < utctm->length)
return -1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(out->area, utctm->data, utctm->length);
out->data = utctm->length;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
return 1;
}
return 0;
}
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
/* Extract an entry from a X509_NAME and copy its value to an output chunk.
* Returns 1 if entry found, 0 if entry not found, or -1 if output not large enough.
*/
static int
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
ssl_sock_get_dn_entry(X509_NAME *a, const struct buffer *entry, int pos,
struct buffer *out)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
{
X509_NAME_ENTRY *ne;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_OBJECT *obj;
ASN1_STRING *data;
const unsigned char *data_ptr;
int data_len;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
int i, j, n;
int cur = 0;
const char *s;
char tmp[128];
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int name_count;
name_count = X509_NAME_entry_count(a);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
out->data = 0;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
for (i = 0; i < name_count; i++) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (pos < 0)
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
j = (name_count-1) - i;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
else
j = i;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ne = X509_NAME_get_entry(a, j);
obj = X509_NAME_ENTRY_get_object(ne);
data = X509_NAME_ENTRY_get_data(ne);
data_ptr = ASN1_STRING_get0_data(data);
data_len = ASN1_STRING_length(data);
n = OBJ_obj2nid(obj);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
s = tmp;
}
if (chunk_strcasecmp(entry, s) != 0)
continue;
if (pos < 0)
cur--;
else
cur++;
if (cur != pos)
continue;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
if (data_len > out->size)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
return -1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
memcpy(out->area, data_ptr, data_len);
out->data = data_len;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
return 1;
}
return 0;
}
/* Extract and format full DN from a X509_NAME and copy result into a chunk
* Returns 1 if dn entries exits, 0 if no dn entry found or -1 if output is not large enough.
*/
static int
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
ssl_sock_get_dn_oneline(X509_NAME *a, struct buffer *out)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
{
X509_NAME_ENTRY *ne;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_OBJECT *obj;
ASN1_STRING *data;
const unsigned char *data_ptr;
int data_len;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
int i, n, ln;
int l = 0;
const char *s;
char *p;
char tmp[128];
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
int name_count;
name_count = X509_NAME_entry_count(a);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
out->data = 0;
p = out->area;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
for (i = 0; i < name_count; i++) {
ne = X509_NAME_get_entry(a, i);
obj = X509_NAME_ENTRY_get_object(ne);
data = X509_NAME_ENTRY_get_data(ne);
data_ptr = ASN1_STRING_get0_data(data);
data_len = ASN1_STRING_length(data);
n = OBJ_obj2nid(obj);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
i2t_ASN1_OBJECT(tmp, sizeof(tmp), obj);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
s = tmp;
}
ln = strlen(s);
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
l += 1 + ln + 1 + data_len;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (l > out->size)
return -1;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
out->data = l;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
*(p++)='/';
memcpy(p, s, ln);
p += ln;
*(p++)='=';
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
memcpy(p, data_ptr, data_len);
p += data_len;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
}
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (!out->data)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
return 0;
return 1;
}
MINOR: ssl: Add ssl_sock_set_alpn(). Add a new function, ssl_sock_set_alpn(), to be able to change the ALPN for a connection, instead of relying of the one defined in the SSL_CTX.
2018-12-21 13:45:40 -05:00
void ssl_sock_set_alpn(struct connection *conn, const unsigned char *alpn, int len)
{
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
SSL_set_alpn_protos(conn->xprt_ctx, alpn, len);
#endif
}
BUG/MEDIUM: ssl: for a handshake when server-side SNI changes Calling SSL_set_tlsext_host_name() on the current SSL ctx has no effect if the session is being resumed because the hostname is already stored in the session and is not advertised again in subsequent connections. It's visible when enabling SNI and health checks at the same time because checks do not send an SNI and regular traffic reuses the same connection, resulting in no SNI being sent. The only short-term solution is to reset the reused session when the SNI changes compared to the previous one. It can make the server-side performance suffer when SNIs are interleaved but it will work. A better long-term solution would be to keep a small cache of a few contexts for a few SNIs. Now with SSL_set_session(ctx, NULL) it works. This needs to be double- checked though. The man says that SSL_set_session() frees any previously existing context. Some people report a bit of breakage when calling SSL_set_session(NULL) on openssl 1.1.0a (freed session not reusable at all though it's not an issue for now). This needs to be backported to 1.7 and 1.6.
2016-12-22 15:58:38 -05:00
/* Sets advertised SNI for outgoing connections. Please set <hostname> to NULL
* to disable SNI.
*/
MINOR: ssl: provide ia function to set the SNI extension on a connection ssl_sock_set_servername() is used to set the SNI hostname on an outgoing connection. This function comes from code originally provided by Christopher Faulet of Qualys.
2015-07-10 05:33:32 -04:00
void ssl_sock_set_servername(struct connection *conn, const char *hostname)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
BUG/MEDIUM: ssl: for a handshake when server-side SNI changes Calling SSL_set_tlsext_host_name() on the current SSL ctx has no effect if the session is being resumed because the hostname is already stored in the session and is not advertised again in subsequent connections. It's visible when enabling SNI and health checks at the same time because checks do not send an SNI and regular traffic reuses the same connection, resulting in no SNI being sent. The only short-term solution is to reset the reused session when the SNI changes compared to the previous one. It can make the server-side performance suffer when SNIs are interleaved but it will work. A better long-term solution would be to keep a small cache of a few contexts for a few SNIs. Now with SSL_set_session(ctx, NULL) it works. This needs to be double- checked though. The man says that SSL_set_session() frees any previously existing context. Some people report a bit of breakage when calling SSL_set_session(NULL) on openssl 1.1.0a (freed session not reusable at all though it's not an issue for now). This needs to be backported to 1.7 and 1.6.
2016-12-22 15:58:38 -05:00
char *prev_name;
MINOR: ssl: provide ia function to set the SNI extension on a connection ssl_sock_set_servername() is used to set the SNI hostname on an outgoing connection. This function comes from code originally provided by Christopher Faulet of Qualys.
2015-07-10 05:33:32 -04:00
if (!ssl_sock_is_ssl(conn))
return;
BUG/MEDIUM: ssl: for a handshake when server-side SNI changes Calling SSL_set_tlsext_host_name() on the current SSL ctx has no effect if the session is being resumed because the hostname is already stored in the session and is not advertised again in subsequent connections. It's visible when enabling SNI and health checks at the same time because checks do not send an SNI and regular traffic reuses the same connection, resulting in no SNI being sent. The only short-term solution is to reset the reused session when the SNI changes compared to the previous one. It can make the server-side performance suffer when SNIs are interleaved but it will work. A better long-term solution would be to keep a small cache of a few contexts for a few SNIs. Now with SSL_set_session(ctx, NULL) it works. This needs to be double- checked though. The man says that SSL_set_session() frees any previously existing context. Some people report a bit of breakage when calling SSL_set_session(NULL) on openssl 1.1.0a (freed session not reusable at all though it's not an issue for now). This needs to be backported to 1.7 and 1.6.
2016-12-22 15:58:38 -05:00
/* if the SNI changes, we must destroy the reusable context so that a
* new connection will present a new SNI. As an optimization we could
* later imagine having a small cache of ssl_ctx to hold a few SNI per
* server.
*/
prev_name = (char *)SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
if ((!prev_name && hostname) ||
(prev_name && (!hostname || strcmp(hostname, prev_name) != 0)))
SSL_set_session(conn->xprt_ctx, NULL);
MINOR: ssl: provide ia function to set the SNI extension on a connection ssl_sock_set_servername() is used to set the SNI hostname on an outgoing connection. This function comes from code originally provided by Christopher Faulet of Qualys.
2015-07-10 05:33:32 -04:00
SSL_set_tlsext_host_name(conn->xprt_ctx, hostname);
#endif
}
BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. 'ssl_sock_get_common_name' applied to a connection was also renamed 'ssl_sock_get_remote_common_name'. Currently, this function is only used with protocol PROXYv2 to retrieve the client certificate's common name. A further usage could be to retrieve the server certificate's common name on an outgoing connection.
2014-06-24 12:26:41 -04:00
/* Extract peer certificate's common name into the chunk dest
* Returns
* the len of the extracted common name
* or 0 if no CN found in DN
* or -1 on error case (i.e. no peer certificate)
*/
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
int ssl_sock_get_remote_common_name(struct connection *conn,
struct buffer *dest)
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
{
X509 *crt = NULL;
X509_NAME *name;
const char find_cn[] = "CN";
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
const struct buffer find_cn_chunk = {
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
.area = (char *)&find_cn,
.data = sizeof(find_cn)-1
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
};
BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. 'ssl_sock_get_common_name' applied to a connection was also renamed 'ssl_sock_get_remote_common_name'. Currently, this function is only used with protocol PROXYv2 to retrieve the client certificate's common name. A further usage could be to retrieve the server certificate's common name on an outgoing connection.
2014-06-24 12:26:41 -04:00
int result = -1;
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
if (!ssl_sock_is_ssl(conn))
BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. 'ssl_sock_get_common_name' applied to a connection was also renamed 'ssl_sock_get_remote_common_name'. Currently, this function is only used with protocol PROXYv2 to retrieve the client certificate's common name. A further usage could be to retrieve the server certificate's common name on an outgoing connection.
2014-06-24 12:26:41 -04:00
goto out;
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
crt = SSL_get_peer_certificate(conn->xprt_ctx);
if (!crt)
goto out;
name = X509_get_subject_name(crt);
if (!name)
goto out;
BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer. 'ssl_sock_get_common_name' applied to a connection was also renamed 'ssl_sock_get_remote_common_name'. Currently, this function is only used with protocol PROXYv2 to retrieve the client certificate's common name. A further usage could be to retrieve the server certificate's common name on an outgoing connection.
2014-06-24 12:26:41 -04:00
result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest);
out:
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
if (crt)
X509_free(crt);
return result;
}
MEDIUM: connection: add new bit in Proxy Protocol V2 There are two sample commands to get information about the presence of a client certificate. ssl_fc_has_crt is true if there is a certificate present in the current connection ssl_c_used is true if there is a certificate present in the session. If a session has stopped and resumed, then ssl_c_used could be true, while ssl_fc_has_crt is false. In the client byte of the TLS TLV of Proxy Protocol V2, there is only one bit to indicate whether a certificate is present on the connection. The attached patch adds a second bit to indicate the presence for the session. This maintains backward compatibility. [wt: this should be backported to 1.5 to help maintain compatibility between versions]
2014-07-30 10:39:13 -04:00
/* returns 1 if client passed a certificate for this session, 0 if not */
int ssl_sock_get_cert_used_sess(struct connection *conn)
{
X509 *crt = NULL;
if (!ssl_sock_is_ssl(conn))
return 0;
/* SSL_get_peer_certificate, it increase X509 * ref count */
crt = SSL_get_peer_certificate(conn->xprt_ctx);
if (!crt)
return 0;
X509_free(crt);
return 1;
}
/* returns 1 if client passed a certificate for this connection, 0 if not */
int ssl_sock_get_cert_used_conn(struct connection *conn)
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
{
if (!ssl_sock_is_ssl(conn))
return 0;
return SSL_SOCK_ST_FL_VERIFY_DONE & conn->xprt_st ? 1 : 0;
}
/* returns result from SSL verify */
unsigned int ssl_sock_get_verify_result(struct connection *conn)
{
if (!ssl_sock_is_ssl(conn))
return (unsigned int)X509_V_ERR_APPLICATION_VERIFICATION;
return (unsigned int)SSL_get_verify_result(conn->xprt_ctx);
}
MINOR: ssl: add a get_alpn() method to ssl_sock This is used to retrieve the TLS ALPN information from a connection. We also support a fallback to NPN if ALPN doesn't find anything or is not available on the existing implementation. It happens that depending on the library version, either one or the other is available. NPN was present in openssl 1.0.1 (very common) while ALPN is in 1.0.2 and onwards (still uncommon at the time of writing). Clients are used to send either one or the other to ensure a smooth transition.
2016-12-04 12:44:29 -05:00
/* Returns the application layer protocol name in <str> and <len> when known.
* Zero is returned if the protocol name was not found, otherwise non-zero is
* returned. The string is allocated in the SSL context and doesn't have to be
* freed by the caller. NPN is also checked if available since older versions
* of openssl (1.0.1) which are more common in field only support this one.
*/
static int ssl_sock_get_alpn(const struct connection *conn, const char **str, int *len)
{
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
*str = NULL;
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
SSL_get0_alpn_selected(conn->xprt_ctx, (const unsigned char **)str, (unsigned *)len);
if (*str)
return 1;
#endif
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MINOR: ssl: add a get_alpn() method to ssl_sock This is used to retrieve the TLS ALPN information from a connection. We also support a fallback to NPN if ALPN doesn't find anything or is not available on the existing implementation. It happens that depending on the library version, either one or the other is available. NPN was present in openssl 1.0.1 (very common) while ALPN is in 1.0.2 and onwards (still uncommon at the time of writing). Clients are used to send either one or the other to ensure a smooth transition.
2016-12-04 12:44:29 -05:00
SSL_get0_next_proto_negotiated(conn->xprt_ctx, (const unsigned char **)str, (unsigned *)len);
if (*str)
return 1;
#endif
return 0;
}
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
/***** Below are some sample fetching functions for ACL/patterns *****/
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
static int
smp_fetch_ssl_fc_has_early(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
struct connection *conn;
conn = objt_conn(smp->sess->origin);
if (!conn || conn->xprt != &ssl_sock)
return 0;
smp->flags = 0;
smp->data.type = SMP_T_BOOL;
MINOR: early data: Never remove the CO_FL_EARLY_DATA flag. It may be useful to keep the CO_FL_EARLY_DATA flag, so that we know early data were used, so instead of doing this, only add the Early-data header, and have the sample fetch ssl_fc_has_early return 1, if CO_FL_EARLY_DATA is set, and if the handshake isn't done yet.
2017-11-29 13:51:19 -05:00
smp->data.u.sint = ((conn->flags & CO_FL_EARLY_DATA) &&
(conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_HANDSHAKE))) ? 1 : 0;
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
return 1;
}
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
/* boolean, returns true if client cert was present */
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_has_crt(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
smp->flags = 0;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BOOL;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = SSL_SOCK_ST_FL_VERIFY_DONE & conn->xprt_st ? 1 : 0;
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
return 1;
}
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
/* binary, returns a certificate in a binary chunk (der/raw).
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_der(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
{
int cert_peer = (kw[4] == 'c') ? 1 : 0;
X509 *crt = NULL;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
if (!crt)
goto out;
smp_trash = get_trash_chunk();
if (ssl_sock_crt2der(crt, smp_trash) <= 0)
goto out;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BIN;
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
ret = 1;
out:
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
X509_free(crt);
return ret;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* binary, returns serial of certificate in a binary chunk.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_serial(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
X509 *crt = NULL;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
if (!crt)
goto out;
MINOR: chunks: centralize the trash chunk allocation At the moment, we need trash chunks almost everywhere and the only correctly implemented one is in the sample code. Let's move this to the chunks so that all other places can use this allocator. Additionally, the get_trash_chunk() function now really returns two different chunks. Previously it used to always overwrite the same chunk and point it to a different buffer, which was a bit tricky because it's not obvious that two consecutive results do alias each other.
2012-12-23 14:22:19 -05:00
smp_trash = get_trash_chunk();
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
if (ssl_sock_get_serial(crt, smp_trash) <= 0)
goto out;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BIN;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_serial' and 'ssl_f_serial' ssl_c_serial: serial of the certificate presented by the client. ssl_f_serial: serial of the certificate presentend by the frontend.
2012-10-22 11:58:39 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: add fetch and ACL 'client_crt' to test a client cert is present Useful in case of 'verify optional' to know if the client sent a certificate.
2012-09-21 07:15:06 -04:00
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* binary, returns the client certificate's SHA-1 fingerprint (SHA-1 hash of DER-encoded certificate) in a binary chunk.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_sha1(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
X509 *crt = NULL;
const EVP_MD *digest;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
if (!crt)
goto out;
smp_trash = get_trash_chunk();
digest = EVP_sha1();
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
X509_digest(crt, digest, (unsigned char *) smp_trash->area,
(unsigned int *)&smp_trash->data);
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BIN;
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern fetch 'ssl_c_sha1' This new pattern fetch returns the client certificate's SHA-1 fingerprint (i.e. SHA-1 hash of DER-encoded certificate) in a binary chunk. This can be useful to pass it to a server in a header or to stick a client to a server across multiple SSL connections.
2013-05-14 14:37:59 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns certificate's notafter date in ASN1_UTCTIME format.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
X509 *crt = NULL;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
if (!crt)
goto out;
MINOR: chunks: centralize the trash chunk allocation At the moment, we need trash chunks almost everywhere and the only correctly implemented one is in the sample code. Let's move this to the chunks so that all other places can use this allocator. Additionally, the get_trash_chunk() function now really returns two different chunks. Previously it used to always overwrite the same chunk and point it to a different buffer, which was a bit tricky because it's not obvious that two consecutive results do alias each other.
2012-12-23 14:22:19 -05:00
smp_trash = get_trash_chunk();
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
goto out;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of certificate's issuer
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_i_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
X509 *crt = NULL;
X509_NAME *name;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (!crt)
goto out;
name = X509_get_issuer_name(crt);
if (!name)
goto out;
MINOR: chunks: centralize the trash chunk allocation At the moment, we need trash chunks almost everywhere and the only correctly implemented one is in the sample code. Let's move this to the chunks so that all other places can use this allocator. Additionally, the get_trash_chunk() function now really returns two different chunks. Previously it used to always overwrite the same chunk and point it to a different buffer, which was a bit tricky because it's not obvious that two consecutive results do alias each other.
2012-12-23 14:22:19 -05:00
smp_trash = get_trash_chunk();
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (args && args[0].type == ARGT_STR) {
int pos = 1;
if (args[1].type == ARGT_SINT)
pos = args[1].data.sint;
if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
goto out;
}
else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
goto out;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns notbefore date in ASN1_UTCTIME format.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
X509 *crt = NULL;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
if (!crt)
goto out;
MINOR: chunks: centralize the trash chunk allocation At the moment, we need trash chunks almost everywhere and the only correctly implemented one is in the sample code. Let's move this to the chunks so that all other places can use this allocator. Additionally, the get_trash_chunk() function now really returns two different chunks. Previously it used to always overwrite the same chunk and point it to a different buffer, which was a bit tricky because it's not obvious that two consecutive results do alias each other.
2012-12-23 14:22:19 -05:00
smp_trash = get_trash_chunk();
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
goto out;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_notbefore', 'ssl_c_notafter', 'ssl_f_notbefore' and 'ssl_f_notafter' ssl_c_notbefore: start date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_c_notafter: end date of client cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notbefore: start date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z]) ssl_f_notafter: end date of frontend cert (string, eg: "121022182230Z" for YYMMDDhhmmss[Z])
2012-10-22 08:11:22 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns a string of a formatted full dn \C=..\O=..\OU=.. \CN=.. of certificate's subject
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_s_dn(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
X509 *crt = NULL;
X509_NAME *name;
int ret = 0;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *smp_trash;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (!crt)
goto out;
name = X509_get_subject_name(crt);
if (!name)
goto out;
MINOR: chunks: centralize the trash chunk allocation At the moment, we need trash chunks almost everywhere and the only correctly implemented one is in the sample code. Let's move this to the chunks so that all other places can use this allocator. Additionally, the get_trash_chunk() function now really returns two different chunks. Previously it used to always overwrite the same chunk and point it to a different buffer, which was a bit tricky because it's not obvious that two consecutive results do alias each other.
2012-12-23 14:22:19 -05:00
smp_trash = get_trash_chunk();
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
if (args && args[0].type == ARGT_STR) {
int pos = 1;
if (args[1].type == ARGT_SINT)
pos = args[1].data.sint;
if (ssl_sock_get_dn_entry(name, &args[0].data.str, pos, smp_trash) <= 0)
goto out;
}
else if (ssl_sock_get_dn_oneline(name, smp_trash) <= 0)
goto out;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *smp_trash;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
ret = 1;
out:
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate, it increase X509 * ref count */
if (cert_peer && crt)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_s_dn', 'ssl_c_i_dn', 'ssl_f_s_dn' and 'ssl_c_i_dn' ssl_c_s_dn : client cert subject DN (string) ssl_c_i_dn : client cert issuer DN (string) ssl_f_s_dn : frontend cert subject DN (string) ssl_f_i_dn : frontend cert issuer DN (string) Return either the full DN without params, or just the DN entry (first param) or its specific occurrence (second param).
2012-10-17 11:39:35 -04:00
X509_free(crt);
return ret;
}
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
/* integer, returns true if current session use a client certificate */
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_c_used(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
{
X509 *crt;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
/* SSL_get_peer_certificate returns a ptr on allocated X509 struct */
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
crt = SSL_get_peer_certificate(conn->xprt_ctx);
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
if (crt) {
X509_free(crt);
}
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BOOL;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (crt != NULL);
MINOR: ssl: add fetch and acl "ssl_c_used" to check if current SSL session uses a client certificate.
2012-12-20 09:44:16 -05:00
return 1;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* integer, returns the certificate version
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_version(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
X509 *crt;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
if (!crt)
return 0;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (unsigned int)(1 + X509_get_version(crt));
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
X509_free(crt);
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_version' and 'ssl_f_version' ssl_c_version : version of the cert presented by the client (integer) ssl_f_version : version of the cert presented by the frontend (integer)
2012-10-17 09:03:11 -04:00
return 1;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns the certificate's signature algorithm.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_sig_alg(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
X509 *crt;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
__OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
int nid;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
if (!crt)
return 0;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
nid = OBJ_obj2nid(algorithm);
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)OBJ_nid2sn(nid);
if (!smp->data.u.str.area) {
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
X509_free(crt);
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
return 0;
BUG/MINOR: ssl: potential memory leaks using ssl_c_key_alg or ssl_c_sig_alg. The leak occurs in an error case which practically never happens.
2013-10-07 08:31:44 -04:00
}
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags |= SMP_F_CONST;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.data = strlen(smp->data.u.str.area);
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
X509_free(crt);
MINOR: ssl: add pattern and ACLs 'ssl_c_sig_alg' and 'ssl_f_sig_alg' ssl_c_sig_alg: client cert signature algo (string). Ex: "RSA-SHA1" ssl_f_sig_alg: frontend cert signature algo (string). Ex: "RSA-SHA1"
2012-10-19 12:15:40 -04:00
return 1;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* string, returns the certificate's key algorithm.
* The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
* should be use.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
{
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
int cert_peer = (kw[4] == 'c') ? 1 : 0;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
X509 *crt;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
ASN1_OBJECT *algorithm;
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
int nid;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
crt = SSL_get_peer_certificate(conn->xprt_ctx);
else
crt = SSL_get_certificate(conn->xprt_ctx);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
if (!crt)
return 0;
MEDIUM: ssl: Add support for OpenSSL 1.1.0 In the last release a lot of the structures have become opaque for an end user. This means the code using these needs to be changed to use the proper functions to interact with these structures instead of trying to manipulate them directly. This does not fix any deprecations yet that are part of 1.1.0, it only ensures that it can be compiled against that version and is still compatible with older ones. [wt: openssl-0.9.8 doesn't build with it, there are conflicts on certain function prototypes which we declare as inline here and which are defined differently there. But openssl-0.9.8 is not supported anymore so probably it's OK to go without it for now and we'll see later if some users still need it. Emeric has reviewed this change and didn't spot anything obvious which requires special care. Let's try it for real now]
2016-08-29 07:26:37 -04:00
X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(crt));
nid = OBJ_obj2nid(algorithm);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)OBJ_nid2sn(nid);
if (!smp->data.u.str.area) {
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
/* SSL_get_peer_certificate increase X509 * ref count */
if (cert_peer)
X509_free(crt);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
return 0;
BUG/MINOR: ssl: potential memory leaks using ssl_c_key_alg or ssl_c_sig_alg. The leak occurs in an error case which practically never happens.
2013-10-07 08:31:44 -04:00
}
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags |= SMP_F_CONST;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.data = strlen(smp->data.u.str.area);
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
if (cert_peer)
X509_free(crt);
MINOR: ssl: add pattern and ACLs fetches 'ssl_c_key_alg' and 'ssl_f_key_alg' ssl_c_key_alg: algo used to encrypt the client's cert key (ex: rsaEncryption) ssl_f_key_alg: algo used to encrypt the frontend's cert key (ex: rsaEncryption)
2012-10-22 06:22:55 -04:00
return 1;
}
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
/* boolean, returns true if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BOOL;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
return 1;
}
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate
2012-10-18 09:59:43 -04:00
/* boolean, returns true if client present a SNI */
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_has_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
struct connection *conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BOOL;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
conn->xprt_ctx &&
SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name) != NULL;
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
return 1;
#else
return 0;
#endif
}
MINOR: ssl/sample: adds ssl_bc_is_resumed fetch keyword. Returns true when the back connection was made over an SSL/TLS transport layer and the newly created SSL session was resumed using a cached session or a TLS ticket.
2018-02-19 10:14:12 -05:00
/* boolean, returns true if client session has been resumed.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: Add sample fetch which identifies if the SSL session has been resumed Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-17 20:28:57 -04:00
static int
smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
MINOR: ssl/sample: adds ssl_bc_is_resumed fetch keyword. Returns true when the back connection was made over an SSL/TLS transport layer and the newly created SSL session was resumed using a cached session or a TLS ticket.
2018-02-19 10:14:12 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MINOR: Add sample fetch which identifies if the SSL session has been resumed Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-17 20:28:57 -04:00
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BOOL;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (conn && conn->xprt == &ssl_sock) &&
MINOR: Add sample fetch which identifies if the SSL session has been resumed Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-17 20:28:57 -04:00
conn->xprt_ctx &&
SSL_session_reused(conn->xprt_ctx);
return 1;
}
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
/* string, returns the used cipher if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
BUG/MAJOR: samples: check smp->strm before using it Since commit 6879ad3 ("MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers") merged in 1.6-dev2, the sample contains the pointer to the stream and sample fetch functions as well as converters use it heavily. The problem is that earlier commit 87b0966 ("REORG/MAJOR: session: rename the "session" entity to "stream"") had split the session and stream resulting in the possibility for smp->strm to be NULL before the stream was initialized. This is what happens in tcp-request connection rulesets, as discovered by Baptiste. The sample fetch functions must now check that smp->strm is valid before using it. An alternative could consist in using a dummy stream with nothing in it to avoid some checks but it would only result in deferring them to the next step anyway, and making it harder to detect that a stream is valid or the dummy one. There is still an issue with variables which requires a complete independant fix. They use strm->sess to find the session with strm possibly NULL and passed as an argument. All call places indirectly use smp->strm to build strm. So the problem is there but the API needs to be changed to remove this duplicate argument that makes it much harder to know what pointer to use. This fix must be backported to 1.6, as well as the next one fixing variables.
2016-03-10 05:47:01 -05:00
smp->flags = 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)SSL_get_cipher_name(conn->xprt_ctx);
if (!smp->data.u.str.area)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags |= SMP_F_CONST;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.data = strlen(smp->data.u.str.area);
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 1;
}
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
/* integer, returns the algoritm's keysize if front conn. transport layer
* is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
BUG/MINOR: ssl: fix usage of the various sample fetch functions Technically speaking, many SSL sample fetch functions act on the connection and depend on USE_L5CLI on the client side, which means they're usable as soon as a handshake is completed on a connection. This means that the test consisting in refusing to call them when the stream is NULL will prevent them from working when we implement the tcp-request session ruleset. Better fix this now. The fix consists in using smp->sess->origin when they're called for the front connection, and smp->strm->si[1].end when called for the back connection. There is currently no known side effect for this issue, though it would better be backported into 1.6 so that the code base remains consistend.
2016-03-10 11:05:28 -05:00
int sint;
BUG/MAJOR: samples: check smp->strm before using it Since commit 6879ad3 ("MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers") merged in 1.6-dev2, the sample contains the pointer to the stream and sample fetch functions as well as converters use it heavily. The problem is that earlier commit 87b0966 ("REORG/MAJOR: session: rename the "session" entity to "stream"") had split the session and stream resulting in the possibility for smp->strm to be NULL before the stream was initialized. This is what happens in tcp-request connection rulesets, as discovered by Baptiste. The sample fetch functions must now check that smp->strm is valid before using it. An alternative could consist in using a dummy stream with nothing in it to avoid some checks but it would only result in deferring them to the next step anyway, and making it harder to detect that a stream is valid or the dummy one. There is still an issue with variables which requires a complete independant fix. They use strm->sess to find the session with strm possibly NULL and passed as an argument. All call places indirectly use smp->strm to build strm. So the problem is there but the API needs to be changed to remove this duplicate argument that makes it much harder to know what pointer to use. This fix must be backported to 1.6, as well as the next one fixing variables.
2016-03-10 05:47:01 -05:00
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
smp->flags = 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
if (!SSL_get_cipher_bits(conn->xprt_ctx, &sint))
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = sint;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 1;
}
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
/* integer, returns the used keysize if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
BUG/MAJOR: samples: check smp->strm before using it Since commit 6879ad3 ("MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers") merged in 1.6-dev2, the sample contains the pointer to the stream and sample fetch functions as well as converters use it heavily. The problem is that earlier commit 87b0966 ("REORG/MAJOR: session: rename the "session" entity to "stream"") had split the session and stream resulting in the possibility for smp->strm to be NULL before the stream was initialized. This is what happens in tcp-request connection rulesets, as discovered by Baptiste. The sample fetch functions must now check that smp->strm is valid before using it. An alternative could consist in using a dummy stream with nothing in it to avoid some checks but it would only result in deferring them to the next step anyway, and making it harder to detect that a stream is valid or the dummy one. There is still an issue with variables which requires a complete independant fix. They use strm->sess to find the session with strm possibly NULL and passed as an argument. All call places indirectly use smp->strm to build strm. So the problem is there but the API needs to be changed to remove this duplicate argument that makes it much harder to know what pointer to use. This fix must be backported to 1.6, as well as the next one fixing variables.
2016-03-10 05:47:01 -05:00
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
smp->flags = 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (unsigned int)SSL_get_cipher_bits(conn->xprt_ctx, NULL);
if (!smp->data.u.sint)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 1;
}
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_npn(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags = SMP_F_CONST;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches. Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provides the ALPN and the NPN for an outgoing connection.
2018-11-22 12:18:29 -05:00
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = NULL;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
SSL_get0_next_proto_negotiated(conn->xprt_ctx,
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
(const unsigned char **)&smp->data.u.str.area,
(unsigned *)&smp->data.u.str.data);
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (!smp->data.u.str.area)
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
return 0;
return 1;
}
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
#endif
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags = SMP_F_CONST;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches. Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provides the ALPN and the NPN for an outgoing connection.
2018-11-22 12:18:29 -05:00
conn = (kw[4] != 'b' ) ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = NULL;
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
SSL_get0_alpn_selected(conn->xprt_ctx,
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
(const unsigned char **)&smp->data.u.str.area,
(unsigned *)&smp->data.u.str.data);
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
if (!smp->data.u.str.area)
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
return 0;
return 1;
}
#endif
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
/* string, returns the used protocol if front conn. transport layer is SSL.
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
BUG/MAJOR: samples: check smp->strm before using it Since commit 6879ad3 ("MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers") merged in 1.6-dev2, the sample contains the pointer to the stream and sample fetch functions as well as converters use it heavily. The problem is that earlier commit 87b0966 ("REORG/MAJOR: session: rename the "session" entity to "stream"") had split the session and stream resulting in the possibility for smp->strm to be NULL before the stream was initialized. This is what happens in tcp-request connection rulesets, as discovered by Baptiste. The sample fetch functions must now check that smp->strm is valid before using it. An alternative could consist in using a dummy stream with nothing in it to avoid some checks but it would only result in deferring them to the next step anyway, and making it harder to detect that a stream is valid or the dummy one. There is still an issue with variables which requires a complete independant fix. They use strm->sess to find the session with strm possibly NULL and passed as an argument. All call places indirectly use smp->strm to build strm. So the problem is there but the API needs to be changed to remove this duplicate argument that makes it much harder to know what pointer to use. This fix must be backported to 1.6, as well as the next one fixing variables.
2016-03-10 05:47:01 -05:00
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
smp->flags = 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)SSL_get_version(conn->xprt_ctx);
if (!smp->data.u.str.area)
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 0;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags = SMP_F_CONST;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.data = strlen(smp->data.u.str.area);
MINOR: ssl: add pattern and ACLs fetches 'ssl_fc_protocol', 'ssl_fc_cipher', 'ssl_fc_use_keysize' and 'ssl_fc_alg_keysize' Some front connection fetches : - ssl_fc_protocol = protocol name (string) - ssl_fc_cipher = cipher name (string) - ssl_fc_use_keysize = symmetric cipher key size used in bits (integer) - ssl_fc_alg_keysize = symmetric cipher key size supported in bits (integer)
2012-10-16 08:13:26 -04:00
return 1;
}
REORG/MAJOR: session: rename the "session" entity to "stream" With HTTP/2, we'll have to support multiplexed streams. A stream is in fact the largest part of what we currently call a session, it has buffers, logs, etc. In order to catch any error, this commit removes any reference to the struct session and tries to rename most "session" occurrences in function names to "stream" and "sess" to "strm" when that's related to a session. The files stream.{c,h} were added and session.{c,h} removed. The session will be reintroduced later and a few parts of the stream will progressively be moved overthere. It will more or less contain only what we need in an embryonic session. Sample fetch functions and converters will have to change a bit so that they'll use an L5 (session) instead of what's currently called "L4" which is in fact L6 for now. Once all changes are completed, we should see approximately this : L7 - http_txn L6 - stream L5 - session L4 - connection | applet There will be at most one http_txn per stream, and a same session will possibly be referenced by multiple streams. A connection will point to a session and to a stream. The session will hold all the information we need to keep even when we don't yet have a stream. Some more cleanup is needed because some code was already far from being clean. The server queue management still refers to sessions at many places while comments talk about connections. This will have to be cleaned up once we have a server-side connection pool manager. Stream flags "SN_*" still need to be renamed, it doesn't seem like any of them will need to move to the session.
2015-04-02 18:22:06 -04:00
/* binary, returns the SSL stream id if front conn. transport layer is SSL.
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
* This function is also usable on backend conn if the fetch keyword 5th
* char is 'b'.
*/
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
BUG/MINOR: ssl: fix usage of the various sample fetch functions Technically speaking, many SSL sample fetch functions act on the connection and depend on USE_L5CLI on the client side, which means they're usable as soon as a handshake is completed on a connection. This means that the test consisting in refusing to call them when the stream is NULL will prevent them from working when we implement the tcp-request session ruleset. Better fix this now. The fix consists in using smp->sess->origin when they're called for the front connection, and smp->strm->si[1].end when called for the back connection. There is currently no known side effect for this issue, though it would better be backported into 1.6 so that the code base remains consistend.
2016-03-10 11:05:28 -05:00
SSL_SESSION *ssl_sess;
BUG/MAJOR: samples: check smp->strm before using it Since commit 6879ad3 ("MEDIUM: sample: fill the struct sample with the session, proxy and stream pointers") merged in 1.6-dev2, the sample contains the pointer to the stream and sample fetch functions as well as converters use it heavily. The problem is that earlier commit 87b0966 ("REORG/MAJOR: session: rename the "session" entity to "stream"") had split the session and stream resulting in the possibility for smp->strm to be NULL before the stream was initialized. This is what happens in tcp-request connection rulesets, as discovered by Baptiste. The sample fetch functions must now check that smp->strm is valid before using it. An alternative could consist in using a dummy stream with nothing in it to avoid some checks but it would only result in deferring them to the next step anyway, and making it harder to detect that a stream is valid or the dummy one. There is still an issue with variables which requires a complete independant fix. They use strm->sess to find the session with strm possibly NULL and passed as an argument. All call places indirectly use smp->strm to build strm. So the problem is there but the API needs to be changed to remove this duplicate argument that makes it much harder to know what pointer to use. This fix must be backported to 1.6, as well as the next one fixing variables.
2016-03-10 05:47:01 -05:00
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags = SMP_F_CONST;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BIN;
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
MAJOR: sample: pass a pointer to the session to each sample fetch function Many such function need a session, and till now they used to dereference the stream. Once we remove the stream from the embryonic session, this will not be possible anymore. So as of now, sample fetch functions will be called with this : - sess = NULL, strm = NULL : never - sess = valid, strm = NULL : tcp-req connection - sess = valid, strm = valid, strm->txn = NULL : tcp-req content - sess = valid, strm = valid, strm->txn = valid : http-req / http-res
2015-04-03 19:47:55 -04:00
ssl_sess = SSL_get_session(conn->xprt_ctx);
if (!ssl_sess)
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)SSL_SESSION_get_id(ssl_sess,
(unsigned int *)&smp->data.u.str.data);
if (!smp->data.u.str.area || !smp->data.u.str.data)
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
return 0;
return 1;
}
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MINOR: ssl: add pattern fetch 'ssl_fc_session_id' This fetch returns the SSL ID of the front connection. Useful to stick on a given client.
2012-10-16 08:59:28 -04:00
MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key' These fetches return the SSL master key of the front/back connection. This is useful to decrypt traffic encrypted with ephemeral ciphers.
2018-04-28 19:15:51 -04:00
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
static int
smp_fetch_ssl_fc_session_key(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
SSL_SESSION *ssl_sess;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *data;
MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key' These fetches return the SSL master key of the front/back connection. This is useful to decrypt traffic encrypted with ephemeral ciphers.
2018-04-28 19:15:51 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
ssl_sess = SSL_get_session(conn->xprt_ctx);
if (!ssl_sess)
return 0;
data = get_trash_chunk();
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
data->data = SSL_SESSION_get_master_key(ssl_sess,
(unsigned char *) data->area,
data->size);
if (!data->data)
MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key' These fetches return the SSL master key of the front/back connection. This is useful to decrypt traffic encrypted with ephemeral ciphers.
2018-04-28 19:15:51 -04:00
return 0;
smp->flags = 0;
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
return 1;
}
#endif
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_sni(const struct arg *args, struct sample *smp, const char *kw, void *private)
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
smp->flags = SMP_F_CONST;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_STR;
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = (char *)SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);
if (!smp->data.u.str.area)
BUG/MAJOR: ssl: missing tests in ACL fetch functions Baptiste Assmann observed a crash of 1.5-dev12 occuring when the ssl_sni fetch was used with no SNI on the input connection and without a prior has_sni check. A code review revealed several issues : 1) it was possible to call the has_sni and ssl_sni fetch functions with a NULL data_ctx if the handshake fails or if the connection is aborted during the handshake. 2) when no SNI is present, strlen() was called with a NULL parameter in smp_fetch_ssl_sni().
2012-09-14 17:56:58 -04:00
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.data = strlen(smp->data.u.str.area);
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
return 1;
}
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
static int
smp_fetch_ssl_fc_cl_bin(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
struct connection *conn;
struct ssl_capture *capture;
conn = objt_conn(smp->sess->origin);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
capture = SSL_get_ex_data(conn->xprt_ctx, ssl_capture_ptr_index);
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
if (!capture)
return 0;
smp->flags = SMP_F_CONST;
smp->data.type = SMP_T_BIN;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
smp->data.u.str.area = capture->ciphersuite;
smp->data.u.str.data = capture->ciphersuite_len;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
return 1;
}
static int
smp_fetch_ssl_fc_cl_hex(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *data;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
return 0;
data = get_trash_chunk();
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
dump_binary(data, smp->data.u.str.area, smp->data.u.str.data);
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
smp->data.type = SMP_T_BIN;
smp->data.u.str = *data;
return 1;
}
static int
smp_fetch_ssl_fc_cl_xxh64(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
struct connection *conn;
struct ssl_capture *capture;
conn = objt_conn(smp->sess->origin);
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
capture = SSL_get_ex_data(conn->xprt_ctx, ssl_capture_ptr_index);
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
if (!capture)
return 0;
smp->data.type = SMP_T_SINT;
smp->data.u.sint = capture->xxh64;
return 1;
}
static int
smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *kw, void *private)
{
MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2 compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl attribut and SSL_CIPHER_standard_name (available with ssl-trace). This patch implement this (debug) function in a standard way. It used common SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2 and boringssl.
2017-09-01 11:32:08 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && !defined(LIBRESSL_VERSION_NUMBER)
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *data;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
int i;
if (!smp_fetch_ssl_fc_cl_bin(args, smp, kw, private))
return 0;
data = get_trash_chunk();
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
for (i = 0; i + 1 < smp->data.u.str.data; i += 2) {
MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2 compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl attribut and SSL_CIPHER_standard_name (available with ssl-trace). This patch implement this (debug) function in a standard way. It used common SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2 and boringssl.
2017-09-01 11:32:08 -04:00
const char *str;
const SSL_CIPHER *cipher;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
const unsigned char *bin = (const unsigned char *) smp->data.u.str.area + i;
MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2 compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl attribut and SSL_CIPHER_standard_name (available with ssl-trace). This patch implement this (debug) function in a standard way. It used common SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2 and boringssl.
2017-09-01 11:32:08 -04:00
uint16_t id = (bin[0] << 8) | bin[1];
#if defined(OPENSSL_IS_BORINGSSL)
cipher = SSL_get_cipher_by_value(id);
#else
BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch Gcc 6.4 detects a potential null-deref warning in smp_fetch_ssl_fc_cl_str(). This one is not real since already addressed a few lines above. Let's use __objt_conn() instead of objt_conn() to avoid the extra test that confuses it. This could be backported to 1.8.
2018-10-15 05:01:59 -04:00
struct connection *conn = __objt_conn(smp->sess->origin);
MINOR: ssl: rework smp_fetch_ssl_fc_cl_str without internal ssl use smp_fetch_ssl_fc_cl_str as very limited usage (only work with openssl == 1.0.2 compiled with the option enable-ssl-trace). It use internal cipher.algorithm_ssl attribut and SSL_CIPHER_standard_name (available with ssl-trace). This patch implement this (debug) function in a standard way. It used common SSL_CIPHER_get_name to display cipher name. It work with openssl >= 1.0.2 and boringssl.
2017-09-01 11:32:08 -04:00
cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
#endif
str = SSL_CIPHER_get_name(cipher);
if (!str || strcmp(str, "(NONE)") == 0)
chunk_appendf(data, "%sUNKNOWN(%04x)", i == 0 ? "" : ",", id);
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
else
chunk_appendf(data, "%s%s", i == 0 ? "" : ",", str);
}
smp->data.type = SMP_T_STR;
smp->data.u.str = *data;
return 1;
#else
return smp_fetch_ssl_fc_cl_xxh64(args, smp, kw, private);
#endif
}
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
{
BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken. Since the split between connections and conn-stream objects, this keywords are broken. This patch must be backported in 1.8
2018-02-19 09:59:48 -05:00
struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
int finished_len;
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *finished_trash;
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
smp->flags = 0;
if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
smp->flags |= SMP_F_MAY_CHANGE;
return 0;
}
finished_trash = get_trash_chunk();
if (!SSL_session_reused(conn->xprt_ctx))
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
finished_len = SSL_get_peer_finished(conn->xprt_ctx,
finished_trash->area,
finished_trash->size);
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
else
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
finished_len = SSL_get_finished(conn->xprt_ctx,
finished_trash->area,
finished_trash->size);
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
if (!finished_len)
return 0;
MEDIUM: chunks: make the chunk struct's fields match the buffer struct Chunks are only a subset of a buffer (a non-wrapping version with no head offset). Despite this we still carry a lot of duplicated code between buffers and chunks. Replacing chunks with buffers would significantly reduce the maintenance efforts. This first patch renames the chunk's fields to match the name and types used by struct buffers, with the goal of isolating the code changes from the declaration changes. Most of the changes were made with spatch using this coccinelle script : @rule_d1@ typedef chunk; struct chunk chunk; @@ - chunk.str + chunk.area @rule_d2@ typedef chunk; struct chunk chunk; @@ - chunk.len + chunk.data @rule_i1@ typedef chunk; struct chunk *chunk; @@ - chunk->str + chunk->area @rule_i2@ typedef chunk; struct chunk *chunk; @@ - chunk->len + chunk->data Some minor updates to 3 http functions had to be performed to take size_t ints instead of ints in order to match the unsigned length here.
2018-07-13 04:54:26 -04:00
finished_trash->data = finished_len;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.str = *finished_trash;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_BIN;
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
return 1;
}
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MINOR: ssl: add ssl_fc_unique_id to fetch TLS Unique ID The TLS unique id, or unique channel binding, is a byte string that can be pulled from a TLS connection and it is unique to that connection. It is defined in RFC 5929 section 3. The value is used by various upper layer protocols as part of an extra layer of security. For example XMPP (RFC 6120) and EST (RFC 7030). Add the ssl_fc_unique_id keyword and corresponding sample fetch method. Value is retrieved from OpenSSL and base64 encoded as described in RFC 5929 section 3.
2014-04-08 18:48:47 -04:00
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate
2012-10-18 09:59:43 -04:00
/* integer, returns the first verify error in CA chain of client certificate chain. */
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_c_ca_err(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (unsigned long long int)SSL_SOCK_ST_TO_CA_ERROR(conn->xprt_st);
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = 0;
return 1;
}
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate
2012-10-18 09:59:43 -04:00
/* integer, returns the depth of the first verify error in CA chain of client certificate chain. */
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_c_ca_err_depth(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
return 0;
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CAEDEPTH(conn->xprt_st);
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = 0;
return 1;
}
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate
2012-10-18 09:59:43 -04:00
/* integer, returns the first verify error on client certificate */
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_c_err(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (long long int)SSL_SOCK_ST_TO_CRTERROR(conn->xprt_st);
MINOR: ssl: add fetches and ACLs to return verify errors Add fetch 'ssl_verify_caerr': returns the first ssl verify error at depth > 0 (CA chain). Add fetch 'ssl_verify_caerr_depth': returns the first ssl verify error depth (max returns is 15 if depth > 15). Add fetch 'ssl_verify_crterr': returns the fist ssl verify error at depth == 0.
2012-09-21 09:27:54 -04:00
smp->flags = 0;
return 1;
}
MINOR: conf: rename all ssl modules fetches using prefix 'ssl_fc' and 'ssl_c' SSL fetches were renamed : ssl_fc_* = Front Connection (attributes of the connection itself) ssl_c_* = Client side certificate
2012-10-18 09:59:43 -04:00
/* integer, returns the verify result on client cert */
MINOR: ssl: add fetch and ACL 'ssl_verify_result' This fetch returns the final ssl verify error.
2012-09-21 09:27:20 -04:00
static int
MEDIUM: sample: change the prototype of sample-fetches functions This patch removes the "opt" entry from the prototype of the sample-fetches fucntions. This permits to remove some weight in the prototype call.
2015-05-11 09:42:45 -04:00
smp_fetch_ssl_c_verify(const struct arg *args, struct sample *smp, const char *kw, void *private)
MINOR: ssl: add fetch and ACL 'ssl_verify_result' This fetch returns the final ssl verify error.
2012-09-21 09:27:20 -04:00
{
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
struct connection *conn;
MEDIUM: sample change the prototype of sample-fetches and converters functions This patch removes the structs "session", "stream" and "proxy" from the sample-fetches and converters function prototypes. This permits to remove some weight in the prototype call.
2015-05-11 09:20:49 -04:00
conn = objt_conn(smp->sess->origin);
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn || conn->xprt != &ssl_sock)
return 0;
if (!(conn->flags & CO_FL_CONNECTED)) {
MINOR: ssl: add fetch and ACL 'ssl_verify_result' This fetch returns the final ssl verify error.
2012-09-21 09:27:20 -04:00
smp->flags = SMP_F_MAY_CHANGE;
return 0;
}
MAJOR: stream-int: stop using si->conn and use si->end instead The connection will only remain there as a pre-allocated entity whose goal is to be placed in ->end when establishing an outgoing connection. All connection initialization can be made on this connection, but all information retrieved should be applied to the end point only. This change is huge because there were many users of si->conn. Now the only users are those who initialize the new connection. The difficulty appears in a few places such as backend.c, proto_http.c, peers.c where si->conn is used to hold the connection's target address before assigning the connection to the stream interface. This is why we have to keep si->conn for now. A future improvement might consist in dynamically allocating the connection when it is needed.
2013-10-01 04:45:07 -04:00
if (!conn->xprt_ctx)
MINOR: ssl: add fetch and ACL 'ssl_verify_result' This fetch returns the final ssl verify error.
2012-09-21 09:27:20 -04:00
return 0;
MEDIUM: samples: Use the "struct sample_data" in the "struct sample" This patch remove the struct information stored both in the struct sample_data and in the striuct sample. Now, only thestruct sample_data contains data, and the struct sample use the struct sample_data for storing his own data.
2015-08-19 03:00:18 -04:00
smp->data.type = SMP_T_SINT;
MINOR: samples: rename union from "data" to "u" The union name "data" is a little bit heavy while we read the source code because we can read "data.data.sint". The rename from "data" to "u" makes the read easiest like "data.u.sint".
2015-08-19 03:07:19 -04:00
smp->data.u.sint = (long long int)SSL_get_verify_result(conn->xprt_ctx);
MINOR: ssl: add fetch and ACL 'ssl_verify_result' This fetch returns the final ssl verify error.
2012-09-21 09:27:20 -04:00
smp->flags = 0;
return 1;
}
MEDIUM: conf: rename 'cafile' and 'crlfile' statements 'ca-file' and 'crl-file' These names were not really handy.
2012-10-05 06:00:26 -04:00
/* parse the "ca-file" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_ca_file(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
{
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
memprintf(&conf->ca_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else
memprintf(&conf->ca_file, "%s", args[cur_arg + 1]);
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
return 0;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_ca_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_ca_file(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* parse the "ca-sign-file" bind keyword */
static int bind_parse_ca_sign_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CAfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
memprintf(&conf->ca_sign_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
else
memprintf(&conf->ca_sign_file, "%s", args[cur_arg + 1]);
return 0;
}
CLEANUP: ssl: Fix bind keywords name in comments Along with a whitespace cleanup and a grammar typo
2016-11-13 11:37:11 -05:00
/* parse the "ca-sign-pass" bind keyword */
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
static int bind_parse_ca_sign_pass(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CAkey password", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
memprintf(&conf->ca_sign_pass, "%s", args[cur_arg + 1]);
return 0;
}
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
/* parse the "ciphers" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
{
if (!*args[cur_arg + 1]) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
return ERR_ALERT | ERR_FATAL;
}
MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. These ones are used to set the default ciphers suite on "bind" lines and "server" lines respectively, instead of using OpenSSL's defaults. These are probably mainly useful for distro packagers.
2012-10-05 09:47:31 -04:00
free(conf->ciphers);
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
conf->ciphers = strdup(args[cur_arg + 1]);
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
return 0;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
/* parse the "ciphersuites" bind keyword */
static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(conf->ciphersuites);
conf->ciphersuites = strdup(args[cur_arg + 1]);
return 0;
}
static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_ciphersuites(args, cur_arg, px, &conf->ssl_conf, err);
}
#endif
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
/* parse the "crt" bind keyword */
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
{
MINOR: ssl: use MAXPATHLEN instead of PATH_MAX Apollon Oikonomopoulos reported a build failure on Hurd where PATH_MAX is not defined. The only place where it is referenced is ssl_sock.c, all other places use MAXPATHLEN instead, with a fallback to 128 when the OS does not define it. So let's switch to MAXPATHLEN as well.
2013-08-13 10:59:39 -04:00
char path[MAXPATHLEN];
BUILD/MINOR: ssl: remove one call to sprintf() Lukas reported another OpenBSD complaint about this use of sprintf() that I missed : src/ssl_sock.o(.text+0x2a79): In function `bind_parse_crt': src/ssl_sock.c:3015: warning: sprintf() is often misused, please use snprintf() This one was even easier to handle. Note that some of these calls could be simplified by checking the snprintf output size instead of doing the preliminary size computation.
2014-04-14 12:05:41 -04:00
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
if (!*args[cur_arg + 1]) {
MINOR: standard: make memprintf() support a NULL destination Doing so removes many checks that were systematically made because the callees don't know if the caller passed a valid pointer.
2012-09-20 13:43:14 -04:00
memprintf(err, "'%s' : missing certificate location", args[cur_arg]);
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[cur_arg + 1] != '/' ) && global_ssl.crt_base) {
if ((strlen(global_ssl.crt_base) + 1 + strlen(args[cur_arg + 1]) + 1) > MAXPATHLEN) {
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
memprintf(err, "'%s' : path too long", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, args[cur_arg + 1]);
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
if (ssl_sock_load_cert(path, conf, err) > 0)
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
return ERR_ALERT | ERR_FATAL;
return 0;
}
MEDIUM: ssl: remote the proxy argument from most functions Most of the SSL functions used to have a proxy argument which was mostly used to be able to emit clean errors using Alert(). First, many of them were converted to memprintf() and don't require this pointer anymore. Second, the rare which still need it also have either a bind_conf argument or a server argument, both of which carry a pointer to the relevant proxy. So let's now get rid of it, it needlessly complicates the API and certain functions already have many arguments.
2016-12-22 11:08:28 -05:00
if (ssl_sock_load_cert(args[cur_arg + 1], conf, err) > 0)
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
return ERR_ALERT | ERR_FATAL;
return 0;
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
/* parse the "crt-list" bind keyword */
static int bind_parse_crt_list(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : missing certificate location", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (ssl_sock_load_cert_list_file(args[cur_arg + 1], conf, px, err) > 0) {
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
memprintf(err, "'%s' : %s", args[cur_arg], *err);
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
return ERR_ALERT | ERR_FATAL;
BUG/MEDIUM: ssl: improve error processing and reporting in ssl_sock_load_cert_list_file() fe61656b added the ability to load a list of certificates from a file, but error control was incomplete and misleading, as some errors such as missing files were not reported, and errors reported with Alert() instead of memprintf() were inappropriate and mixed with upper errors. Also, the code really supports a single SNI filter right now, so let's correct it and the doc for that, leaving room for later change if needed.
2013-04-02 11:35:58 -04:00
}
MEDIUM: ssl: add mapping from SNI to cert file using "crt-list" It designates a list of PEM file with an optional list of SNI filter per certificate, with the following format for each line : <crtfile>[ <snifilter>]* Wildcards are supported in the SNI filter. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of SNI filter. If no SNI filter is specified the CN and alt subjects are used.
2013-01-22 09:31:15 -05:00
return 0;
}
MEDIUM: conf: rename 'cafile' and 'crlfile' statements 'ca-file' and 'crl-file' These names were not really handy.
2012-10-05 06:00:26 -04:00
/* parse the "crl-file" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
{
BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
2012-10-02 13:25:50 -04:00
#ifndef X509_V_FLAG_CRL_CHECK
if (err)
memprintf(err, "'%s' : library does not support CRL verify", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CRLfile path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[cur_arg + 1] != '/') && global_ssl.ca_base)
memprintf(&conf->crl_file, "%s/%s", global_ssl.ca_base, args[cur_arg + 1]);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else
memprintf(&conf->crl_file, "%s", args[cur_arg + 1]);
MINOR: ssl: add 'crt-base' and 'ca-base' global statements. 'crt-base' sets root directory used for relative certificates paths. 'ca-base' sets root directory used for relative CAs and CRLs paths.
2012-10-02 12:42:10 -04:00
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
return 0;
BUG/MINOR: build: Fix compilation issue on openssl 0.9.6 due to missing CRL feature.
2012-10-02 13:25:50 -04:00
#endif
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_crl_file(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_crl_file(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
/* parse the "curves" bind keyword keyword */
static int ssl_bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing curve suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
conf->curves = strdup(args[cur_arg + 1]);
return 0;
#else
if (err)
memprintf(err, "'%s' : library does not support curve suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
static int bind_parse_curves(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_curves(args, cur_arg, px, &conf->ssl_conf, err);
}
CLEANUP: ssl: Fix bind keywords name in comments Along with a whitespace cleanup and a grammar typo
2016-11-13 11:37:11 -05:00
/* parse the "ecdhe" bind keyword keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
{
#if OPENSSL_VERSION_NUMBER < 0x0090800fL
if (err)
memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (too old)", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#elif defined(OPENSSL_NO_ECDH)
if (err)
memprintf(err, "'%s' : library does not support elliptic curve Diffie-Hellman (disabled via OPENSSL_NO_ECDH)", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing named curve", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
conf->ecdhe = strdup(args[cur_arg + 1]);
return 0;
#endif
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_ecdhe(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_ecdhe(args, cur_arg, px, &conf->ssl_conf, err);
}
MINOR: ssl: add elliptic curve Diffie-Hellman support for ssl key generation Add 'ecdhe' on 'bind' statement: to set named curve used to generate ECDHE keys (ex: ecdhe secp521r1)
2012-09-20 11:10:03 -04:00
CLEANUP: ssl: Fix bind keywords name in comments Along with a whitespace cleanup and a grammar typo
2016-11-13 11:37:11 -05:00
/* parse the "crt-ignore-err" and "ca-ignore-err" bind keywords */
MINOR: ssl: add ignore verify errors options Allow to ignore some verify errors and to let them pass the handshake. Add option 'crt-ignore-err <list>' Ignore verify errors at depth == 0 (client certificate) <list> is string 'all' or a comma separated list of verify error IDs (see http://www.openssl.org/docs/apps/verify.html) Add option 'ca-ignore-err <list>' Same as 'crt-ignore-err' for all depths > 0 (CA chain certs) Ex ignore all errors on CA and expired or not-yet-valid errors on client certificate: bind 0.0.0.0:443 ssl crt crt.pem verify required cafile ca.pem ca-ignore-err all crt-ignore-err 10,9
2012-09-21 08:31:21 -04:00
static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
int code;
char *p = args[cur_arg + 1];
unsigned long long *ignerr = &conf->crt_ignerr;
if (!*p) {
if (err)
memprintf(err, "'%s' : missing error IDs list", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (strcmp(args[cur_arg], "ca-ignore-err") == 0)
ignerr = &conf->ca_ignerr;
if (strcmp(p, "all") == 0) {
*ignerr = ~0ULL;
return 0;
}
while (p) {
code = atoi(p);
if ((code <= 0) || (code > 63)) {
if (err)
memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
args[cur_arg], code, args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
*ignerr |= 1ULL << code;
p = strchr(p, ',');
if (p)
p++;
}
return 0;
}
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
/* parse tls_method_options "no-xxx" and "force-xxx" */
static int parse_tls_method_options(char *arg, struct tls_version_filter *methods, char **err)
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
{
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
uint16_t v;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
char *p;
p = strchr(arg, '-');
if (!p)
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
goto fail;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
p++;
if (!strcmp(p, "sslv3"))
v = CONF_SSLV3;
else if (!strcmp(p, "tlsv10"))
v = CONF_TLSV10;
else if (!strcmp(p, "tlsv11"))
v = CONF_TLSV11;
else if (!strcmp(p, "tlsv12"))
v = CONF_TLSV12;
MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl.
2017-03-30 13:29:39 -04:00
else if (!strcmp(p, "tlsv13"))
v = CONF_TLSV13;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
else
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
goto fail;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (!strncmp(arg, "no-", 3))
methods->flags |= methodVersions[v].flag;
else if (!strncmp(arg, "force-", 6))
methods->min = methods->max = v;
else
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
goto fail;
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
return 0;
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
fail:
if (err)
memprintf(err, "'%s' : option not implemented", arg);
return ERR_ALERT | ERR_FATAL;
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
}
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
static int bind_parse_tls_method_options(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
{
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
return parse_tls_method_options(args[cur_arg], &conf->ssl_conf.ssl_methods, err);
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
}
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
static int srv_parse_tls_method_options(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
{
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
return parse_tls_method_options(args[*cur_arg], &newsrv->ssl_ctx.methods, err);
}
/* parse tls_method min/max: "ssl-min-ver" and "ssl-max-ver" */
static int parse_tls_method_minmax(char **args, int cur_arg, struct tls_version_filter *methods, char **err)
{
uint16_t i, v = 0;
char *argv = args[cur_arg + 1];
if (!*argv) {
if (err)
memprintf(err, "'%s' : missing the ssl/tls version", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (!strcmp(argv, methodVersions[i].name))
v = i;
if (!v) {
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (err)
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
memprintf(err, "'%s' : unknown ssl/tls version", args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
if (!strcmp("ssl-min-ver", args[cur_arg]))
methods->min = v;
else if (!strcmp("ssl-max-ver", args[cur_arg]))
methods->max = v;
else {
if (err)
memprintf(err, "'%s' : option not implemented", args[cur_arg]);
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
return ERR_ALERT | ERR_FATAL;
}
MINOR: ssl: add 'force-sslv3' and 'force-tlsvXX' statements on bind. These options force the SSL lib to use the specified protocol. They are complentary to no-tlsv*/no-sslv3.
2012-10-05 08:14:21 -04:00
return 0;
}
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
static int ssl_bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
BUG/MINOR: ssl: fix warning about ssl-min/max-ver support In 84e417d8 ("MINOR: ssl: support Openssl 1.1.1 early callback for switchctx") the code was extended to also support OpenSSL 1.1.1 (code already supported BoringSSL). A configuration check warning was updated but with the wrong logic, the #ifdef needs a && instead of an ||. Reported in #54. Should be backported to 1.8.
2019-03-05 17:14:32 -05:00
#if (OPENSSL_VERSION_NUMBER < 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL)
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_warning("crt-list: ssl-min-ver and ssl-max-ver are not supported with this Openssl version (skipped).\n");
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
#endif
return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
}
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
}
static int srv_parse_tls_method_minmax(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
return parse_tls_method_minmax(args, *cur_arg, &newsrv->ssl_ctx.methods, err);
}
MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption Disables the stateless session resumption (RFC 5077 TLS Ticket extension) and force to use stateful session resumption. Stateless session resumption is more expensive in CPU usage.
2012-10-02 07:45:20 -04:00
/* parse the "no-tls-tickets" bind keyword */
MEDIUM: ssl: remove ssl-options from crt-list ssl-options are link to the initial negotiation environnement worn by default_ctx. Remove it from crt-list to avoid any confusion.
2017-01-20 07:06:27 -05:00
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption Disables the stateless session resumption (RFC 5077 TLS Ticket extension) and force to use stateful session resumption. Stateless session resumption is more expensive in CPU usage.
2012-10-02 07:45:20 -04:00
{
MINOR: ssl: use bit fields to store ssl options instead of one int each Too many SSL options already and some still to come, use a bit field and get rid of all the integers. No functional change here.
2012-10-05 07:48:26 -04:00
conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
MINOR: ssl: add statement 'no-tls-tickets' on bind to disable stateless session resumption Disables the stateless session resumption (RFC 5077 TLS Ticket extension) and force to use stateful session resumption. Stateless session resumption is more expensive in CPU usage.
2012-10-02 07:45:20 -04:00
return 0;
}
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
/* parse the "allow-0rtt" bind keyword */
static int ssl_bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
conf->early_data = 1;
return 0;
}
static int bind_parse_allow_0rtt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
MINOR: ssl: Don't abuse ssl_options. A bind_conf does contain a ssl_bind_conf, which already has a flag to know if early data are activated, so use that, instead of adding a new flag in the ssl_options field.
2017-10-27 08:58:08 -04:00
conf->ssl_conf.early_data = 1;
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
return 0;
}
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
/* parse the "npn" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
{
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
char *p1, *p2;
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : missing the comma-delimited NPN protocol suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(conf->npn_str);
BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation After seeing previous ALPN fix, I suspected that NPN code was wrong as well, and indeed it was since ALPN was copied from it. This fix must be backported into 1.6 and 1.5.
2016-02-12 11:11:12 -05:00
/* the NPN string is built as a suite of (<len> <name>)*,
* so we reuse each comma to store the next <len> and need
* one more for the end of the string.
*/
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
conf->npn_len = strlen(args[cur_arg + 1]) + 1;
BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation After seeing previous ALPN fix, I suspected that NPN code was wrong as well, and indeed it was since ALPN was copied from it. This fix must be backported into 1.6 and 1.5.
2016-02-12 11:11:12 -05:00
conf->npn_str = calloc(1, conf->npn_len + 1);
MEDIUM: ssl: add support for the "npn" bind keyword The ssl_npn match could not work by itself because clients do not use the NPN extension unless the server advertises the protocols it supports. Thanks to Simone Bordet for the explanations on how to get it right.
2012-10-18 12:57:14 -04:00
memcpy(conf->npn_str + 1, args[cur_arg + 1], conf->npn_len);
/* replace commas with the name length */
p1 = conf->npn_str;
p2 = p1 + 1;
while (1) {
p2 = memchr(p1 + 1, ',', conf->npn_str + conf->npn_len - (p1 + 1));
if (!p2)
p2 = p1 + 1 + strlen(p1 + 1);
if (p2 - (p1 + 1) > 255) {
*p2 = '\0';
memprintf(err, "'%s' : NPN protocol name too long : '%s'", args[cur_arg], p1 + 1);
return ERR_ALERT | ERR_FATAL;
}
*p1 = p2 - (p1 + 1);
p1 = p2;
if (!*p2)
break;
*(p2++) = '\0';
}
return 0;
#else
if (err)
memprintf(err, "'%s' : library does not support TLS NPN extension", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_npn(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_npn(args, cur_arg, px, &conf->ssl_conf, err);
}
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
/* parse the "alpn" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_alpn(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
{
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
char *p1, *p2;
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : missing the comma-delimited ALPN protocol suite", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(conf->alpn_str);
BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation The first time I tried it (1.6.3) I got a segmentation fault :( After some investigation with gdb and valgrind I found the problem. memcpy() copies past an allocated buffer in "bind_parse_alpn". This patch fixes it. [wt: this fix must be backported into 1.6 and 1.5]
2016-02-12 11:05:24 -05:00
/* the ALPN string is built as a suite of (<len> <name>)*,
* so we reuse each comma to store the next <len> and need
* one more for the end of the string.
*/
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
conf->alpn_len = strlen(args[cur_arg + 1]) + 1;
BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation The first time I tried it (1.6.3) I got a segmentation fault :( After some investigation with gdb and valgrind I found the problem. memcpy() copies past an allocated buffer in "bind_parse_alpn". This patch fixes it. [wt: this fix must be backported into 1.6 and 1.5]
2016-02-12 11:05:24 -05:00
conf->alpn_str = calloc(1, conf->alpn_len + 1);
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
memcpy(conf->alpn_str + 1, args[cur_arg + 1], conf->alpn_len);
/* replace commas with the name length */
p1 = conf->alpn_str;
p2 = p1 + 1;
while (1) {
p2 = memchr(p1 + 1, ',', conf->alpn_str + conf->alpn_len - (p1 + 1));
if (!p2)
p2 = p1 + 1 + strlen(p1 + 1);
if (p2 - (p1 + 1) > 255) {
*p2 = '\0';
memprintf(err, "'%s' : ALPN protocol name too long : '%s'", args[cur_arg], p1 + 1);
return ERR_ALERT | ERR_FATAL;
}
*p1 = p2 - (p1 + 1);
p1 = p2;
if (!*p2)
break;
*(p2++) = '\0';
}
return 0;
#else
if (err)
memprintf(err, "'%s' : library does not support TLS ALPN extension", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_alpn(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_alpn(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
/* parse the "ssl" bind keyword */
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
{
MINOR: listener: move the transport layer pointer to the bind_conf A mistake was made when the socket layer was cut into proto and transport, the transport was attached to the listener while all listeners in a single "bind" line always have exactly the same transport. It doesn't seem obvious but this is the reason why there are so many #ifdefs USE_OPENSSL in cfgparse : a lot of operations have to be open-coded because cfgparse only manipulates bind_conf and we don't have the information of the transport layer here. Very little code makes use of the transport layer, mainly session setup and log. These places can afford an extra pointer indirection (the listener points to the bind_conf). This change is thus very small, it saves a little bit of memory (8B per listener) and makes the code more flexible.
2016-12-21 16:04:54 -05:00
conf->xprt = &ssl_sock;
MAJOR: listeners: use dual-linked lists to chain listeners with frontends Navigating through listeners was very inconvenient and error-prone. Not to mention that listeners were linked in reverse order and reverted afterwards. In order to definitely get rid of these issues, we now do the following : - frontends have a dual-linked list of bind_conf - frontends have a dual-linked list of listeners - bind_conf have a dual-linked list of listeners - listeners have a pointer to their bind_conf This way we can now navigate from anywhere to anywhere and always find the proper bind_conf for a given listener, as well as find the list of listeners for a current bind_conf.
2012-09-20 10:48:07 -04:00
conf->is_ssl = 1;
MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. These ones are used to set the default ciphers suite on "bind" lines and "server" lines respectively, instead of using OpenSSL's defaults. These are probably mainly useful for distro packagers.
2012-10-05 09:47:31 -04:00
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
#endif
MEDIUM: ssl: remove ssl-options from crt-list ssl-options are link to the initial negotiation environnement worn by default_ctx. Remove it from crt-list to avoid any confusion.
2017-01-20 07:06:27 -05:00
conf->ssl_options |= global_ssl.listen_default_ssloptions;
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list" introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch remove the duplicate structure to avoid any confusion.
2017-08-09 12:26:20 -04:00
conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
if (!conf->ssl_conf.ssl_methods.min)
conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min;
if (!conf->ssl_conf.ssl_methods.max)
conf->ssl_conf.ssl_methods.max = global_ssl.listen_default_sslmethods.max;
MINOR: ssl: add defines LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS. These ones are used to set the default ciphers suite on "bind" lines and "server" lines respectively, instead of using OpenSSL's defaults. These are probably mainly useful for distro packagers.
2012-10-05 09:47:31 -04:00
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
return 0;
}
MINOR: ssl: add prefer-client-ciphers Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as insecure ciphers suites are properly blacklisted/removed and honoring the client's preference is more likely to improve user experience (for example using SW-friendly ciphers on devices without HW AES support). This is especially true for TLSv1.3, which will restrict the cipher suites to just AES-GCM and Chacha20/Poly1305. Apache [4], nginx [5] and others give admins full flexibility, we should as well. The initial proposal to change the current default and add a "prefer-server-ciphers" option (as implemented in e566ecb) has been declined due to the possible security impact. This patch implements prefer-client-ciphers without changing the defaults. [1] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html [2] https://github.com/openssl/openssl/issues/541 [3] https://github.com/libressl-portable/portable/issues/66 [4] https://httpd.apache.org/docs/2.0/en/mod/mod_ssl.html#sslhonorcipherorder [5] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
2017-05-04 11:45:40 -04:00
/* parse the "prefer-client-ciphers" bind keyword */
static int bind_parse_pcc(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->ssl_options |= BC_SSL_O_PREF_CLIE_CIPH;
return 0;
}
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
/* parse the "generate-certificates" bind keyword */
static int bind_parse_generate_certs(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
conf->generate_certs = 1;
#else
memprintf(err, "%sthis version of openssl cannot generate SSL certificates.\n",
err && *err ? *err : "");
#endif
return 0;
}
MEDIUM: ssl: add bind-option "strict-sni" This new option ensures that there is no possible fallback to a default certificate if the client does not provide an SNI which is explicitly handled by a certificate.
2013-01-24 11:17:15 -05:00
/* parse the "strict-sni" bind keyword */
static int bind_parse_strict_sni(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
conf->strict_sni = 1;
return 0;
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
/* parse the "tls-ticket-keys" bind keyword */
static int bind_parse_tls_ticket_keys(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
FILE *f;
int i = 0;
char thisline[LINESIZE];
MINOR: Add TLS ticket keys reference and use it in the listener struct Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:00 -04:00
struct tls_keys_ref *keys_ref;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing TLS ticket keys file path", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
keys_ref = tlskeys_ref_lookup(args[cur_arg + 1]);
BUG/MINOR: ssl: properly ref-count the tls_keys entries Commit 200b0fa ("MEDIUM: Add support for updating TLS ticket keys via socket") introduced support for updating TLS ticket keys from the CLI, but missed a small corner case : if multiple bind lines reference the same tls_keys file, the same reference is used (as expected), but during the clean shutdown, it will lead to a double free when destroying the bind_conf contexts since none of the lines knows if others still use it. The impact is very low however, mostly a core and/or a message in the system's log upon old process termination. Let's introduce some basic refcounting to prevent this from happening, so that only the last bind_conf frees it. Thanks to Janusz Dziemidowicz and Thierry Fournier for both reporting the same issue with an easy reproducer. This fix needs to be backported from 1.6 to 1.8.
2018-07-17 04:05:32 -04:00
if (keys_ref) {
keys_ref->refcount++;
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
conf->keys_ref = keys_ref;
return 0;
}
CLEANUP: uniformize last argument of malloc/calloc Instead of repeating the type of the LHS argument (sizeof(struct ...)) in calls to malloc/calloc, we directly use the pointer name (sizeof(*...)). The following Coccinelle patch was used: @@ type T; T *x; @@ x = malloc( - sizeof(T) + sizeof(*x) ) @@ type T; T *x; @@ x = calloc(1, - sizeof(T) + sizeof(*x) ) When the LHS is not just a variable name, no change is made. Moreover, the following patch was used to ensure that "1" is consistently used as a first argument of calloc, not the last one: @@ @@ calloc( + 1, ... - ,1 )
2016-04-03 07:48:43 -04:00
keys_ref = malloc(sizeof(*keys_ref));
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
if (!keys_ref) {
if (err)
memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
return ERR_ALERT | ERR_FATAL;
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(union tls_sess_key));
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
if (!keys_ref->tlskeys) {
free(keys_ref);
if (err)
memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
return ERR_ALERT | ERR_FATAL;
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
free(keys_ref->tlskeys);
free(keys_ref);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (err)
memprintf(err, "'%s' : unable to load ssl tickets keys file", args[cur_arg+1]);
return ERR_ALERT | ERR_FATAL;
}
MINOR: Add TLS ticket keys reference and use it in the listener struct Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:00 -04:00
keys_ref->filename = strdup(args[cur_arg + 1]);
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
if (!keys_ref->filename) {
free(keys_ref->tlskeys);
free(keys_ref);
if (err)
memprintf(err, "'%s' : allocation error", args[cur_arg+1]);
return ERR_ALERT | ERR_FATAL;
}
MINOR: Add TLS ticket keys reference and use it in the listener struct Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:00 -04:00
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
keys_ref->key_size_bits = 0;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
while (fgets(thisline, sizeof(thisline), f) != NULL) {
int len = strlen(thisline);
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
int dec_size;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
/* Strip newline characters from the end */
if(thisline[len - 1] == '\n')
thisline[--len] = 0;
if(thisline[len - 1] == '\r')
thisline[--len] = 0;
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
dec_size = base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % TLS_TICKETS_NO), sizeof(union tls_sess_key));
if (dec_size < 0) {
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
free(keys_ref->filename);
free(keys_ref->tlskeys);
free(keys_ref);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (err)
memprintf(err, "'%s' : unable to decode base64 key on line %d", args[cur_arg+1], i + 1);
BUG/MINOR: ssl: close ssl key file on error Explicitly close the FILE opened to read the ssl key file when parsing fails to find a valid key. This fix needs to be backported to 1.6.
2016-06-22 11:46:29 -04:00
fclose(f);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
return ERR_ALERT | ERR_FATAL;
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
else if (!keys_ref->key_size_bits && (dec_size == sizeof(struct tls_sess_key_128))) {
keys_ref->key_size_bits = 128;
}
else if (!keys_ref->key_size_bits && (dec_size == sizeof(struct tls_sess_key_256))) {
keys_ref->key_size_bits = 256;
}
else if (((dec_size != sizeof(struct tls_sess_key_128)) && (dec_size != sizeof(struct tls_sess_key_256)))
|| ((dec_size == sizeof(struct tls_sess_key_128) && (keys_ref->key_size_bits != 128)))
|| ((dec_size == sizeof(struct tls_sess_key_256) && (keys_ref->key_size_bits != 256)))) {
free(keys_ref->filename);
free(keys_ref->tlskeys);
free(keys_ref);
if (err)
memprintf(err, "'%s' : wrong sized key on line %d", args[cur_arg+1], i + 1);
fclose(f);
return ERR_ALERT | ERR_FATAL;
}
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
i++;
}
if (i < TLS_TICKETS_NO) {
BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file This patch fixes missing allocation checks loading tls key file and avoid memory leak in some error cases. This patch should be backport on branches 1.9 and 1.8
2019-01-10 04:51:13 -05:00
free(keys_ref->filename);
free(keys_ref->tlskeys);
free(keys_ref);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
if (err)
memprintf(err, "'%s' : please supply at least %d keys in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
BUG/MINOR: ssl: close ssl key file on error Explicitly close the FILE opened to read the ssl key file when parsing fails to find a valid key. This fix needs to be backported to 1.6.
2016-06-22 11:46:29 -04:00
fclose(f);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
return ERR_ALERT | ERR_FATAL;
}
fclose(f);
/* Use penultimate key for encryption, handle when TLS_TICKETS_NO = 1 */
BUG/MEDIUM: Fix RFC5077 resumption when more than TLS_TICKETS_NO are present Olivier Doucet reported the issue on the ML and tested that when using more than TLS_TICKETS_NO keys in the file, the CPU usage is much higeher than expected. Lukas Tribus then provided a test case which showed that resumption doesn't work at all in that case. This fix needs to be backported to 1.6. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2016-03-25 17:16:57 -04:00
i -= 2;
keys_ref->tls_ticket_enc_index = i < 0 ? 0 : i % TLS_TICKETS_NO;
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
keys_ref->unique_id = -1;
BUG/MINOR: ssl: properly ref-count the tls_keys entries Commit 200b0fa ("MEDIUM: Add support for updating TLS ticket keys via socket") introduced support for updating TLS ticket keys from the CLI, but missed a small corner case : if multiple bind lines reference the same tls_keys file, the same reference is used (as expected), but during the clean shutdown, it will lead to a double free when destroying the bind_conf contexts since none of the lines knows if others still use it. The impact is very low however, mostly a core and/or a message in the system's log upon old process termination. Let's introduce some basic refcounting to prevent this from happening, so that only the last bind_conf frees it. Thanks to Janusz Dziemidowicz and Thierry Fournier for both reporting the same issue with an easy reproducer. This fix needs to be backported from 1.6 to 1.8.
2018-07-17 04:05:32 -04:00
keys_ref->refcount = 1;
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
HA_RWLOCK_INIT(&keys_ref->lock);
MINOR: Add TLS ticket keys reference and use it in the listener struct Within the listener struct we need to use a reference to the TLS ticket keys which binds the actual keys with the filename. This will make it possible to update the keys through the socket Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:00 -04:00
conf->keys_ref = keys_ref;
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
MEDIUM: Add support for updating TLS ticket keys via socket Until now, HAproxy needed to be restarted to change the TLS ticket keys. With this patch, the TLS keys can be updated on a per-file basis using the admin socket. Two new socket commands have been introduced: "show tls-keys" and "set ssl tls-keys". Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-09 02:46:01 -04:00
LIST_ADD(&tlskeys_reference, &keys_ref->list);
MEDIUM: Add support for configurable TLS ticket keys Until now, the TLS ticket keys couldn't have been configured and shared between multiple instances or multiple servers running HAproxy. The result was that if a request got a TLS ticket from one instance/server and it hits another one afterwards, it will have to go through the full SSL handshake and negotation. This patch enables adding a ticket file to the bind line, which will be used for all SSL contexts created from that bind line. We can use the same file on all instances or servers to mitigate this issue and have consistent TLS tickets assigned. Clients will no longer have to negotiate every time they change the handling process. Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-02-27 13:56:49 -05:00
return 0;
#else
if (err)
memprintf(err, "'%s' : TLS ticket callback extension not supported", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
/* parse the "verify" bind keyword */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int ssl_bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
{
if (!*args[cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing verify method", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (strcmp(args[cur_arg + 1], "none") == 0)
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
conf->verify = SSL_SOCK_VERIFY_NONE;
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
else if (strcmp(args[cur_arg + 1], "optional") == 0)
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
conf->verify = SSL_SOCK_VERIFY_OPTIONAL;
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
else if (strcmp(args[cur_arg + 1], "required") == 0)
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
conf->verify = SSL_SOCK_VERIFY_REQUIRED;
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
else {
if (err)
memprintf(err, "'%s' : unknown verify method '%s', only 'none', 'optional', and 'required' are supported\n",
args[cur_arg], args[cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static int bind_parse_verify(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_verify(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: ssl: add client certificate authentication support Add keyword 'verify' on bind: 'verify none': authentication disabled (default) 'verify optional': accept connection without certificate and process a verify if the client sent a certificate 'verify required': reject connection without certificate and process a verify if the client send a certificate Add keyword 'cafile' on bind: 'cafile <path>' path to a client CA file used to verify. 'crlfile <path>' path to a client CRL file used to verify.
2012-09-20 12:23:56 -04:00
MINOR: ssl: add "no-ca-names" parameter for bind This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list".
2017-07-28 09:01:05 -04:00
/* parse the "no-ca-names" bind keyword */
static int ssl_bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
{
conf->no_ca_names = 1;
return 0;
}
static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, err);
}
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
/************** "server" keywords ****************/
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
/* parse the "npn" bind keyword */
static int srv_parse_npn(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
char *p1, *p2;
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing the comma-delimited NPN protocol suite", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(newsrv->ssl_ctx.npn_str);
/* the NPN string is built as a suite of (<len> <name>)*,
* so we reuse each comma to store the next <len> and need
* one more for the end of the string.
*/
newsrv->ssl_ctx.npn_len = strlen(args[*cur_arg + 1]) + 1;
newsrv->ssl_ctx.npn_str = calloc(1, newsrv->ssl_ctx.npn_len + 1);
memcpy(newsrv->ssl_ctx.npn_str + 1, args[*cur_arg + 1],
newsrv->ssl_ctx.npn_len);
/* replace commas with the name length */
p1 = newsrv->ssl_ctx.npn_str;
p2 = p1 + 1;
while (1) {
p2 = memchr(p1 + 1, ',', newsrv->ssl_ctx.npn_str +
newsrv->ssl_ctx.npn_len - (p1 + 1));
if (!p2)
p2 = p1 + 1 + strlen(p1 + 1);
if (p2 - (p1 + 1) > 255) {
*p2 = '\0';
memprintf(err, "'%s' : NPN protocol name too long : '%s'", args[*cur_arg], p1 + 1);
return ERR_ALERT | ERR_FATAL;
}
*p1 = p2 - (p1 + 1);
p1 = p2;
if (!*p2)
break;
*(p2++) = '\0';
}
return 0;
#else
if (err)
memprintf(err, "'%s' : library does not support TLS NPN extension", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
/* parse the "alpn" or the "check-alpn" server keyword */
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
static int srv_parse_alpn(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
char *p1, *p2;
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
char **alpn_str;
int *alpn_len;
if (*args[*cur_arg] == 'c') {
alpn_str = &newsrv->check.alpn_str;
alpn_len = &newsrv->check.alpn_len;
} else {
alpn_str = &newsrv->ssl_ctx.alpn_str;
alpn_len = &newsrv->ssl_ctx.alpn_len;
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
}
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing the comma-delimited ALPN protocol suite", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
free(*alpn_str);
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
/* the ALPN string is built as a suite of (<len> <name>)*,
* so we reuse each comma to store the next <len> and need
* one more for the end of the string.
*/
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
*alpn_len = strlen(args[*cur_arg + 1]) + 1;
*alpn_str = calloc(1, *alpn_len + 1);
memcpy(*alpn_str + 1, args[*cur_arg + 1], *alpn_len);
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
/* replace commas with the name length */
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
p1 = *alpn_str;
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
p2 = p1 + 1;
while (1) {
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
p2 = memchr(p1 + 1, ',', *alpn_str + *alpn_len - (p1 + 1));
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
if (!p2)
p2 = p1 + 1 + strlen(p1 + 1);
if (p2 - (p1 + 1) > 255) {
*p2 = '\0';
memprintf(err, "'%s' : ALPN protocol name too long : '%s'", args[*cur_arg], p1 + 1);
return ERR_ALERT | ERR_FATAL;
}
*p1 = p2 - (p1 + 1);
p1 = p2;
if (!*p2)
break;
*(p2++) = '\0';
}
return 0;
#else
if (err)
memprintf(err, "'%s' : library does not support TLS ALPN extension", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#endif
}
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
/* parse the "ca-file" server keyword */
static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
memprintf(&newsrv->ssl_ctx.ca_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else
memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
return 0;
}
MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks. Add a new keyword, "check-sni", to be able to specify the SNI to be used when doing health checks over SSL.
2017-10-17 11:33:43 -04:00
/* parse the "check-sni" server keyword */
static int srv_parse_check_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing SNI", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
newsrv->check.sni = strdup(args[*cur_arg + 1]);
if (!newsrv->check.sni) {
memprintf(err, "'%s' : failed to allocate memory", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
/* parse the "check-ssl" server keyword */
static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->check.use_ssl = 1;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
if (!newsrv->ssl_ctx.methods.min)
newsrv->ssl_ctx.methods.min = global_ssl.connect_default_sslmethods.min;
if (!newsrv->ssl_ctx.methods.max)
newsrv->ssl_ctx.methods.max = global_ssl.connect_default_sslmethods.max;
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
return 0;
}
/* parse the "ciphers" server keyword */
static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(newsrv->ssl_ctx.ciphers);
newsrv->ssl_ctx.ciphers = strdup(args[*cur_arg + 1]);
return 0;
}
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
/* parse the "ciphersuites" server keyword */
static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
free(newsrv->ssl_ctx.ciphersuites);
newsrv->ssl_ctx.ciphersuites = strdup(args[*cur_arg + 1]);
return 0;
}
#endif
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
/* parse the "crl-file" server keyword */
static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#ifndef X509_V_FLAG_CRL_CHECK
if (err)
memprintf(err, "'%s' : library does not support CRL verify", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[*cur_arg + 1] != '/') && global_ssl.ca_base)
memprintf(&newsrv->ssl_ctx.crl_file, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
return 0;
#endif
}
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
/* parse the "crt" server keyword */
static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
BUG/MINOR: Use crt_base instead of ca_base when crt is parsed on a server line In srv_parse_crt, crt_base was checked but ca_base was used to build the certifacte path. This patch must be backported in 1.7, 1.6 and 1.5.
2017-11-23 03:13:32 -05:00
memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
MINOR: ssl: add 'crt' statement on server. crt: client certificate to send
2012-10-26 06:58:00 -04:00
else
memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
return 0;
}
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
MINOR: server: Make 'default-server' support 'check-ssl' keyword. This patch makes 'default-server' directive support 'check-ssl' setting to enable SSL for health checks. A new keyword 'no-check-ssl' has been added to disable this setting both in 'server' and 'default-server' directives.
2017-03-13 05:38:04 -04:00
/* parse the "no-check-ssl" server keyword */
static int srv_parse_no_check_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->check.use_ssl = 0;
free(newsrv->ssl_ctx.ciphers);
newsrv->ssl_ctx.ciphers = NULL;
newsrv->ssl_ctx.options &= ~global_ssl.connect_default_ssloptions;
return 0;
}
MINOR: server: Make 'default-server' support 'send-proxy-v2-ssl*' keywords. This patch makes 'default-server' directive support 'send-proxy-v2-ssl' (resp. 'send-proxy-v2-ssl-cn') setting. A new keyword 'no-send-proxy-v2-ssl' (resp. 'no-send-proxy-v2-ssl-cn') has been added to disable 'send-proxy-v2-ssl' (resp. 'send-proxy-v2-ssl-cn') setting both in 'server' and 'default-server' directives.
2017-03-13 07:08:01 -04:00
/* parse the "no-send-proxy-v2-ssl" server keyword */
static int srv_parse_no_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->pp_opts &= ~SRV_PP_V2;
newsrv->pp_opts &= ~SRV_PP_V2_SSL;
return 0;
}
/* parse the "no-send-proxy-v2-ssl-cn" server keyword */
static int srv_parse_no_send_proxy_cn(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->pp_opts &= ~SRV_PP_V2;
newsrv->pp_opts &= ~SRV_PP_V2_SSL;
newsrv->pp_opts &= ~SRV_PP_V2_SSL_CN;
return 0;
}
MINOR: server: Make 'default-server' support 'ssl' keyword. This patch makes 'default-server' directive support 'ssl' setting. A new keyword 'no-ssl' has been added to disable this setting both in 'server' and 'default-server' directives.
2017-03-13 06:54:17 -04:00
/* parse the "no-ssl" server keyword */
static int srv_parse_no_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->use_ssl = 0;
free(newsrv->ssl_ctx.ciphers);
newsrv->ssl_ctx.ciphers = NULL;
return 0;
}
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
/* parse the "allow-0rtt" server keyword */
static int srv_parse_allow_0rtt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options |= SRV_SSL_O_EARLY_DATA;
return 0;
}
MINOR: ssl/server: add the "no-ssl-reuse" server option This option disables SSL session reuse when SSL is used to communicate with the server. It will force the server to perform a full handshake for every new connection. It's probably only useful for benchmarking, troubleshooting, and for paranoid users.
2015-02-05 10:47:07 -05:00
/* parse the "no-ssl-reuse" server keyword */
static int srv_parse_no_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_REUSE;
return 0;
}
MINOR: ssl: add statement 'no-tls-tickets' on server side.
2012-10-11 09:28:34 -04:00
/* parse the "no-tls-tickets" server keyword */
static int srv_parse_no_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLS_TICKETS;
return 0;
}
MEDIUM: connection: Implement and extented PROXY Protocol V2 This commit modifies the PROXY protocol V2 specification to support headers longer than 255 bytes allowing for optional extensions. It implements the PROXY protocol V2 which is a binary representation of V1. This will make parsing more efficient for clients who will know in advance exactly how many bytes to read. Also, it defines and implements some optional PROXY protocol V2 extensions to send information about downstream SSL/TLS connections. Support for PROXY protocol V1 remains unchanged.
2014-05-08 23:42:08 -04:00
/* parse the "send-proxy-v2-ssl" server keyword */
static int srv_parse_send_proxy_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->pp_opts |= SRV_PP_V2;
newsrv->pp_opts |= SRV_PP_V2_SSL;
return 0;
}
/* parse the "send-proxy-v2-ssl-cn" server keyword */
static int srv_parse_send_proxy_cn(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->pp_opts |= SRV_PP_V2;
newsrv->pp_opts |= SRV_PP_V2_SSL;
newsrv->pp_opts |= SRV_PP_V2_SSL_CN;
return 0;
}
MINOR: ssl: add statement 'no-tls-tickets' on server side.
2012-10-11 09:28:34 -04:00
MEDIUM: ssl: add sni support on the server lines The new "sni" server directive takes a sample fetch expression and uses its return value as a hostname sent as the TLS SNI extension. A typical use case consists in forwarding the front connection's SNI value to the server in a bridged HTTPS forwarder : sni ssl_fc_sni
2015-07-09 05:40:25 -04:00
/* parse the "sni" server keyword */
static int srv_parse_sni(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
memprintf(err, "'%s' : the current SSL library doesn't support the SNI TLS extension", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
MINOR: server: Make 'default-server' support 'sni' keyword. This patch makes 'default-server' directives support 'sni' settings. A field 'sni_expr' has been added to 'struct server' to temporary stores SNI expressions as strings during both 'default-server' and 'server' lines parsing. So, to duplicate SNI expressions from 'default-server' 'sni' setting for new 'server' instances we only have to "strdup" these strings as this is often done for most of the 'server' settings. Then, sample expressions are computed calling sample_parse_expr() (only for 'server' instances). A new function has been added to produce the same error output as before in case of any error during 'sni' settings parsing (display_parser_err()). Should not break anything.
2017-03-20 09:54:41 -04:00
char *arg;
MEDIUM: ssl: add sni support on the server lines The new "sni" server directive takes a sample fetch expression and uses its return value as a hostname sent as the TLS SNI extension. A typical use case consists in forwarding the front connection's SNI value to the server in a bridged HTTPS forwarder : sni ssl_fc_sni
2015-07-09 05:40:25 -04:00
MINOR: server: Make 'default-server' support 'sni' keyword. This patch makes 'default-server' directives support 'sni' settings. A field 'sni_expr' has been added to 'struct server' to temporary stores SNI expressions as strings during both 'default-server' and 'server' lines parsing. So, to duplicate SNI expressions from 'default-server' 'sni' setting for new 'server' instances we only have to "strdup" these strings as this is often done for most of the 'server' settings. Then, sample expressions are computed calling sample_parse_expr() (only for 'server' instances). A new function has been added to produce the same error output as before in case of any error during 'sni' settings parsing (display_parser_err()). Should not break anything.
2017-03-20 09:54:41 -04:00
arg = args[*cur_arg + 1];
if (!*arg) {
MEDIUM: ssl: add sni support on the server lines The new "sni" server directive takes a sample fetch expression and uses its return value as a hostname sent as the TLS SNI extension. A typical use case consists in forwarding the front connection's SNI value to the server in a bridged HTTPS forwarder : sni ssl_fc_sni
2015-07-09 05:40:25 -04:00
memprintf(err, "'%s' : missing sni expression", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
MINOR: server: Make 'default-server' support 'sni' keyword. This patch makes 'default-server' directives support 'sni' settings. A field 'sni_expr' has been added to 'struct server' to temporary stores SNI expressions as strings during both 'default-server' and 'server' lines parsing. So, to duplicate SNI expressions from 'default-server' 'sni' setting for new 'server' instances we only have to "strdup" these strings as this is often done for most of the 'server' settings. Then, sample expressions are computed calling sample_parse_expr() (only for 'server' instances). A new function has been added to produce the same error output as before in case of any error during 'sni' settings parsing (display_parser_err()). Should not break anything.
2017-03-20 09:54:41 -04:00
free(newsrv->sni_expr);
newsrv->sni_expr = strdup(arg);
MEDIUM: ssl: add sni support on the server lines The new "sni" server directive takes a sample fetch expression and uses its return value as a hostname sent as the TLS SNI extension. A typical use case consists in forwarding the front connection's SNI value to the server in a bridged HTTPS forwarder : sni ssl_fc_sni
2015-07-09 05:40:25 -04:00
return 0;
#endif
}
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
/* parse the "ssl" server keyword */
static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->use_ssl = 1;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
return 0;
}
MINOR: server: Make 'default-server' support 'no-ssl*' and 'no-tlsv*' keywords. This patch makes 'default-server' directive support 'no-sslv3' (resp. 'no-ssl-reuse', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', and 'no-tls-tickets') setting. New keywords 'sslv3' (resp. 'ssl-reuse', 'tlsv10', 'tlsv11', 'tlsv12', and 'tls-no-tickets') have been added to disable these settings both in 'server' and 'default-server' directives.
2017-03-13 06:32:20 -04:00
/* parse the "ssl-reuse" server keyword */
static int srv_parse_ssl_reuse(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_REUSE;
return 0;
}
/* parse the "tls-tickets" server keyword */
static int srv_parse_tls_tickets(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
newsrv->ssl_ctx.options &= ~SRV_SSL_O_NO_TLS_TICKETS;
return 0;
}
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
/* parse the "verify" server keyword */
static int srv_parse_verify(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing verify method", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (strcmp(args[*cur_arg + 1], "none") == 0)
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
newsrv->ssl_ctx.verify = SSL_SOCK_VERIFY_NONE;
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else if (strcmp(args[*cur_arg + 1], "required") == 0)
MEDIUM: ssl: Set verify 'required' as global default for servers side. If no CA file specified on a server line, the config parser will show an error. Adds an cmdline option '-dV' to re-set verify 'none' as global default on servers side (previous behavior). Also adds 'ssl-server-verify' global statement to set global default to 'none' or 'required'. WARNING: this changes the default verify mode from "none" to "required" on the server side, and it *will* break insecure setups.
2014-01-29 06:24:34 -05:00
newsrv->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED;
MINOR: ssl: add statements 'verify', 'ca-file' and 'crl-file' on servers. It now becomes possible to verify the server's certificate using the "verify" directive. This one only supports "none" and "required", as it does not make much sense to also support "optional" here.
2012-10-11 10:11:36 -04:00
else {
if (err)
memprintf(err, "'%s' : unknown verify method '%s', only 'none' and 'required' are supported\n",
args[*cur_arg], args[*cur_arg + 1]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
/* parse the "verifyhost" server keyword */
static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
if (!*args[*cur_arg + 1]) {
if (err)
memprintf(err, "'%s' : missing hostname to verify against", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
MINOR: server: Make 'default-server' support 'verifyhost' setting. This patch makes 'default-server' directive support 'verifyhost' setting. Note: there was a little memory leak when several 'verifyhost' arguments were supplied on the same 'server' line.
2017-03-13 10:52:01 -04:00
free(newsrv->ssl_ctx.verify_host);
MINOR: ssl: Add statement 'verifyhost' to "server" statements verifyhost allows you to specify a hostname that the remote server's SSL certificate must match. Connections that don't match will be closed with an SSL error.
2013-06-27 03:05:25 -04:00
newsrv->ssl_ctx.verify_host = strdup(args[*cur_arg + 1]);
return 0;
}
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
/* parse the "ssl-default-bind-options" keyword in global section */
static int ssl_parse_default_bind_options(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err) {
int i = 1;
if (*(args[i]) == 0) {
memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
return -1;
}
while (*(args[i])) {
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (!strcmp(args[i], "no-tls-tickets"))
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
MINOR: ssl: add prefer-client-ciphers Currently we unconditionally set SSL_OP_CIPHER_SERVER_PREFERENCE [1], which may not always be a good thing. The benefit of server side cipher prioritization may not apply to all cases out there, and it appears that the various SSL libs are going away from this recommendation ([2], [3]), as insecure ciphers suites are properly blacklisted/removed and honoring the client's preference is more likely to improve user experience (for example using SW-friendly ciphers on devices without HW AES support). This is especially true for TLSv1.3, which will restrict the cipher suites to just AES-GCM and Chacha20/Poly1305. Apache [4], nginx [5] and others give admins full flexibility, we should as well. The initial proposal to change the current default and add a "prefer-server-ciphers" option (as implemented in e566ecb) has been declined due to the possible security impact. This patch implements prefer-client-ciphers without changing the defaults. [1] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html [2] https://github.com/openssl/openssl/issues/541 [3] https://github.com/libressl-portable/portable/issues/66 [4] https://httpd.apache.org/docs/2.0/en/mod/mod_ssl.html#sslhonorcipherorder [5] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
2017-05-04 11:45:40 -04:00
else if (!strcmp(args[i], "prefer-client-ciphers"))
global_ssl.listen_default_ssloptions |= BC_SSL_O_PREF_CLIE_CIPH;
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
else if (!strcmp(args[i], "ssl-min-ver") || !strcmp(args[i], "ssl-max-ver")) {
if (!parse_tls_method_minmax(args, i, &global_ssl.listen_default_sslmethods, err))
i++;
else {
memprintf(err, "%s on global statement '%s'.", *err, args[0]);
return -1;
}
}
else if (parse_tls_method_options(args[i], &global_ssl.listen_default_sslmethods, err)) {
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
}
i++;
}
return 0;
}
/* parse the "ssl-default-server-options" keyword in global section */
static int ssl_parse_default_server_options(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err) {
int i = 1;
if (*(args[i]) == 0) {
memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
return -1;
}
while (*(args[i])) {
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
if (!strcmp(args[i], "no-tls-tickets"))
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
else if (!strcmp(args[i], "ssl-min-ver") || !strcmp(args[i], "ssl-max-ver")) {
if (!parse_tls_method_minmax(args, i, &global_ssl.connect_default_sslmethods, err))
i++;
else {
memprintf(err, "%s on global statement '%s'.", *err, args[0]);
return -1;
}
}
else if (parse_tls_method_options(args[i], &global_ssl.connect_default_sslmethods, err)) {
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
return -1;
}
i++;
}
return 0;
}
MINOR: cfgparse: move parsing of "ca-base" and "crt-base" to ssl_sock This removes 2 #ifdefs and makes the code much cleaner. The controls are still there and the two parsers have been merged into a single function ssl_parse_global_ca_crt_base(). It's worth noting that there's still a check to prevent a change when the value was already specified. This test seems useless and possibly counter-productive, it may have to be revisited later, but for now it was implemented identically.
2016-12-21 16:44:46 -05:00
/* parse the "ca-base" / "crt-base" keywords in global section.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
char **target;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
target = (args[0][1] == 'a') ? &global_ssl.ca_base : &global_ssl.crt_base;
MINOR: cfgparse: move parsing of "ca-base" and "crt-base" to ssl_sock This removes 2 #ifdefs and makes the code much cleaner. The controls are still there and the two parsers have been merged into a single function ssl_parse_global_ca_crt_base(). It's worth noting that there's still a check to prevent a change when the value was already specified. This test seems useless and possibly counter-productive, it may have to be revisited later, but for now it was implemented identically.
2016-12-21 16:44:46 -05:00
if (too_many_args(1, args, err, NULL))
return -1;
if (*target) {
memprintf(err, "'%s' already specified.", args[0]);
return -1;
}
if (*(args[1]) == 0) {
memprintf(err, "global statement '%s' expects a directory path as an argument.", args[0]);
return -1;
}
*target = strdup(args[1]);
return 0;
}
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
/* parse the "ssl-mode-async" keyword in global section.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_ssl_async(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
BUILD: ssl: support OPENSSL_NO_ASYNC #define Support build without ASYNC support. This #define is set per default in BoringSSL.
2017-10-24 12:11:48 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
global_ssl.async = 1;
BUG/MEDIUM: ssl engines: Fix async engines fds were not considered to fix fd limit automatically. The number of async fd is computed considering the maxconn, the number of sides using ssl and the number of engines using async mode. This patch should be backported on haproxy 1.8
2017-12-06 07:51:49 -05:00
global.ssl_used_async_engines = nb_engines;
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
return 0;
#else
memprintf(err, "'%s': openssl library does not support async mode", args[0]);
return -1;
#endif
}
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
static int ssl_check_async_engine_count(void) {
int err_code = 0;
MEDIUM: ssl: handle multiple async engines This patch adds the support of a maximum of 32 engines in async mode. Some tests have been done using 2 engines simultaneously. This patch also removes specific 'async' attribute from the connection structure. All the code relies only on Openssl functions.
2017-05-17 14:42:48 -04:00
if (global_ssl.async && (openssl_engines_initialized > 32)) {
CLEANUP: log: Rename Alert/Warning in ha_alert/ha_warning
2017-11-24 10:50:31 -05:00
ha_alert("ssl-mode-async only supports a maximum of 32 engines.\n");
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
err_code = ERR_ABORT;
}
return err_code;
}
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
/* parse the "ssl-engine" keyword in global section.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_ssl_engine(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
char *algo;
int ret = -1;
if (*(args[1]) == 0) {
memprintf(err, "global statement '%s' expects a valid engine name as an argument.", args[0]);
return ret;
}
if (*(args[2]) == 0) {
/* if no list of algorithms is given, it defaults to ALL */
algo = strdup("ALL");
goto add_engine;
}
/* otherwise the expected format is ssl-engine <engine_name> algo <list of algo> */
if (strcmp(args[2], "algo") != 0) {
memprintf(err, "global statement '%s' expects to have algo keyword.", args[0]);
return ret;
}
if (*(args[3]) == 0) {
memprintf(err, "global statement '%s' expects algorithm names as an argument.", args[0]);
return ret;
}
algo = strdup(args[3]);
add_engine:
if (ssl_init_single_engine(args[1], algo)==0) {
openssl_engines_initialized++;
ret = 0;
}
free(algo);
return ret;
}
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
MINOR: cfgparse: move parsing of ssl-default-{bind,server}-ciphers to ssl_sock These ones are pretty similar, just an strdup. Contrary to ca-base and crt-base they support being changed.
2016-12-21 17:23:19 -05:00
/* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
char **target;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphers : &global_ssl.connect_default_ciphers;
MINOR: cfgparse: move parsing of ssl-default-{bind,server}-ciphers to ssl_sock These ones are pretty similar, just an strdup. Contrary to ca-base and crt-base they support being changed.
2016-12-21 17:23:19 -05:00
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]);
return -1;
}
free(*target);
*target = strdup(args[1]);
return 0;
}
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
* in global section. Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_ciphersuites(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
char **target;
target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphersuites : &global_ssl.connect_default_ciphersuites;
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]);
return -1;
}
free(*target);
*target = strdup(args[1]);
return 0;
}
#endif
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
/* parse various global tune.ssl settings consisting in positive integers.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_int(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
int *target;
if (strcmp(args[0], "tune.ssl.cachesize") == 0)
target = &global.tune.sslcachesize;
else if (strcmp(args[0], "tune.ssl.maxrecord") == 0)
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
target = (int *)&global_ssl.max_record;
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
else if (strcmp(args[0], "tune.ssl.ssl-ctx-cache-size") == 0)
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
target = &global_ssl.ctx_cache;
MEDIUM: cfgparse: move maxsslconn parsing to ssl_sock This one simply reuses the existing integer parser. It implicitly adds a control against negative numbers.
2016-12-21 17:17:25 -05:00
else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn;
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0)
target = &global_ssl.capture_cipherlist;
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
else {
memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]);
return -1;
}
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "'%s' expects an integer argument.", args[0]);
return -1;
}
*target = atoi(args[1]);
if (*target < 0) {
memprintf(err, "'%s' expects a positive numeric value.", args[0]);
return -1;
}
return 0;
}
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
int ret;
ret = ssl_parse_global_int(args, section_type, curpx, defpx, file, line, err);
if (ret != 0)
return ret;
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
if (pool_head_ssl_capture) {
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
memprintf(err, "'%s' is already configured.", args[0]);
return -1;
}
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED);
if (!pool_head_ssl_capture) {
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
memprintf(err, "Out of memory error.");
return -1;
}
return 0;
}
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
/* parse "ssl.force-private-cache".
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_private_cache(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
if (too_many_args(0, args, err, NULL))
return -1;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.private_cache = 1;
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
return 0;
}
/* parse "ssl.lifetime".
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_lifetime(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
const char *res;
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "'%s' expects ssl sessions <lifetime> in seconds as argument.", args[0]);
return -1;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
res = parse_time_err(args[1], &global_ssl.life_time, TIME_UNIT_S);
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
if (res) {
memprintf(err, "unexpected character '%c' in argument to <%s>.", *res, args[0]);
return -1;
}
return 0;
}
#ifndef OPENSSL_NO_DH
MEDIUM: cfgparse: move ssl-dh-param-file parsing to ssl_sock This one was missing an arg count check which was added in the operation.
2016-12-21 17:28:13 -05:00
/* parse "ssl-dh-param-file".
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_dh_param_file(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "'%s' expects a file path as an argument.", args[0]);
return -1;
}
if (ssl_sock_load_global_dh_param_from_file(args[1])) {
memprintf(err, "'%s': unable to load DH parameters from file <%s>.", args[0], args[1]);
return -1;
}
return 0;
}
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
/* parse "ssl.default-dh-param".
* Returns <0 on alert, >0 on warning, 0 on success.
*/
static int ssl_parse_global_default_dh(char **args, int section_type, struct proxy *curpx,
struct proxy *defpx, const char *file, int line,
char **err)
{
if (too_many_args(1, args, err, NULL))
return -1;
if (*(args[1]) == 0) {
memprintf(err, "'%s' expects an integer argument.", args[0]);
return -1;
}
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
global_ssl.default_dh_param = atoi(args[1]);
if (global_ssl.default_dh_param < 1024) {
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
memprintf(err, "'%s' expects a value >= 1024.", args[0]);
return -1;
}
return 0;
}
#endif
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
/* This function is used with TLS ticket keys management. It permits to browse
* each reference. The variable <getnext> must contain the current node,
* <end> point to the root node.
*/
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static inline
struct tls_keys_ref *tlskeys_list_get_next(struct tls_keys_ref *getnext, struct list *end)
{
struct tls_keys_ref *ref = getnext;
while (1) {
/* Get next list entry. */
ref = LIST_NEXT(&ref->list, struct tls_keys_ref *, list);
/* If the entry is the last of the list, return NULL. */
if (&ref->list == end)
return NULL;
return ref;
}
}
static inline
struct tls_keys_ref *tlskeys_ref_lookup_ref(const char *reference)
{
int id;
char *error;
/* If the reference starts by a '#', this is numeric id. */
if (reference[0] == '#') {
/* Try to convert the numeric id. If the conversion fails, the lookup fails. */
id = strtol(reference + 1, &error, 10);
if (*error != '\0')
return NULL;
/* Perform the unique id lookup. */
return tlskeys_ref_lookupid(id);
}
/* Perform the string lookup. */
return tlskeys_ref_lookup(reference);
}
#endif
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
static int cli_io_handler_tlskeys_files(struct appctx *appctx);
static inline int cli_io_handler_tlskeys_entries(struct appctx *appctx) {
return cli_io_handler_tlskeys_files(appctx);
}
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
/* dumps all tls keys. Relies on cli.i0 (non-null = only list file names), cli.i1
* (next index to be dumped), and cli.p0 (next key reference).
*/
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
static int cli_io_handler_tlskeys_files(struct appctx *appctx) {
struct stream_interface *si = appctx->owner;
switch (appctx->st2) {
case STAT_ST_INIT:
/* Display the column headers. If the message cannot be sent,
CLEANUP: fix typos in the ssl_sock subsystem Fix some typos found in the code comments of the ssl_sock subsystem.
2018-11-15 12:07:59 -05:00
* quit the function with returning 0. The function is called
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
* later and restart at the state "STAT_ST_INIT".
*/
chunk_reset(&trash);
if (appctx->io_handler == cli_io_handler_tlskeys_entries)
chunk_appendf(&trash, "# id secret\n");
else
chunk_appendf(&trash, "# id (file)\n");
REORG: channel: finally rename the last bi_* / bo_* functions For HTTP/2 we'll need some buffer-only equivalent functions to some of the ones applying to channels and still squatting the bi_* / bo_* namespace. Since these names have kept being misleading for quite some time now and are really getting annoying, it's time to rename them. This commit will use "ci/co" as the prefix (for "channel in", "channel out") instead of "bi/bo". The following ones were renamed : bi_getblk_nc, bi_getline_nc, bi_putblk, bi_putchr, bo_getblk, bo_getblk_nc, bo_getline, bo_getline_nc, bo_inject, bi_putchk, bi_putstr, bo_getchr, bo_skip, bi_swpbuf
2017-10-19 08:32:15 -04:00
if (ci_putchk(si_ic(si), &trash) == -1) {
MINOR: stream-int: replace si_cant_put() with si_rx_room_{blk,rdy}() Remaining calls to si_cant_put() were all for lack of room and were turned to si_rx_room_blk(). A few places where SI_FL_RXBLK_ROOM was cleared by hand were converted to si_rx_room_rdy(). The now unused si_cant_put() function was removed.
2018-11-15 05:08:52 -05:00
si_rx_room_blk(si);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 0;
}
/* Now, we start the browsing of the references lists.
* Note that the following call to LIST_ELEM return bad pointer. The only
* available field of this pointer is <list>. It is used with the function
* tlskeys_list_get_next() for retruning the first available entry
*/
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
if (appctx->ctx.cli.p0 == NULL) {
appctx->ctx.cli.p0 = LIST_ELEM(&tlskeys_reference, struct tls_keys_ref *, list);
appctx->ctx.cli.p0 = tlskeys_list_get_next(appctx->ctx.cli.p0, &tlskeys_reference);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
appctx->st2 = STAT_ST_LIST;
/* fall through */
case STAT_ST_LIST:
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
while (appctx->ctx.cli.p0) {
struct tls_keys_ref *ref = appctx->ctx.cli.p0;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
chunk_reset(&trash);
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
if (appctx->io_handler == cli_io_handler_tlskeys_entries && appctx->ctx.cli.i1 == 0)
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
chunk_appendf(&trash, "# ");
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
if (appctx->ctx.cli.i1 == 0)
chunk_appendf(&trash, "%d (%s)\n", ref->unique_id, ref->filename);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
if (appctx->io_handler == cli_io_handler_tlskeys_entries) {
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
int head;
HA_RWLOCK_RDLOCK(TLSKEYS_REF_LOCK, &ref->lock);
head = ref->tls_ticket_enc_index;
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
while (appctx->ctx.cli.i1 < TLS_TICKETS_NO) {
MAJOR: chunks: replace struct chunk with struct buffer Now all the code used to manipulate chunks uses a struct buffer instead. The functions are still called "chunk*", and some of them will progressively move to the generic buffer handling code as they are cleaned up.
2018-07-13 05:56:34 -04:00
struct buffer *t2 = get_trash_chunk();
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
chunk_reset(t2);
/* should never fail here because we dump only a key in the t2 buffer */
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ref->key_size_bits == 128) {
t2->data = a2base64((char *)(ref->tlskeys + (head + 2 + appctx->ctx.cli.i1) % TLS_TICKETS_NO),
sizeof(struct tls_sess_key_128),
t2->area, t2->size);
chunk_appendf(&trash, "%d.%d %s\n", ref->unique_id, appctx->ctx.cli.i1,
t2->area);
}
else if (ref->key_size_bits == 256) {
t2->data = a2base64((char *)(ref->tlskeys + (head + 2 + appctx->ctx.cli.i1) % TLS_TICKETS_NO),
sizeof(struct tls_sess_key_256),
t2->area, t2->size);
chunk_appendf(&trash, "%d.%d %s\n", ref->unique_id, appctx->ctx.cli.i1,
t2->area);
}
else {
/* This case should never happen */
chunk_appendf(&trash, "%d.%d <unknown>\n", ref->unique_id, appctx->ctx.cli.i1);
}
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
REORG: channel: finally rename the last bi_* / bo_* functions For HTTP/2 we'll need some buffer-only equivalent functions to some of the ones applying to channels and still squatting the bi_* / bo_* namespace. Since these names have kept being misleading for quite some time now and are really getting annoying, it's time to rename them. This commit will use "ci/co" as the prefix (for "channel in", "channel out") instead of "bi/bo". The following ones were renamed : bi_getblk_nc, bi_getline_nc, bi_putblk, bi_putchr, bo_getblk, bo_getblk_nc, bo_getline, bo_getline_nc, bo_inject, bi_putchk, bi_putstr, bo_getchr, bo_skip, bi_swpbuf
2017-10-19 08:32:15 -04:00
if (ci_putchk(si_ic(si), &trash) == -1) {
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
HA_RWLOCK_RDUNLOCK(TLSKEYS_REF_LOCK, &ref->lock);
MINOR: stream-int: replace si_cant_put() with si_rx_room_{blk,rdy}() Remaining calls to si_cant_put() were all for lack of room and were turned to si_rx_room_blk(). A few places where SI_FL_RXBLK_ROOM was cleared by hand were converted to si_rx_room_rdy(). The now unused si_cant_put() function was removed.
2018-11-15 05:08:52 -05:00
si_rx_room_blk(si);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 0;
}
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.i1++;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
BUG/MINOR: ssl/threads: Make management of the TLS ticket keys files thread-safe A TLS ticket keys file can be updated on the CLI and used in same time. So we need to protect it to be sure all accesses are thread-safe. Because updates are infrequent, a R/W lock has been used. This patch must be backported in 1.8
2018-02-16 05:23:49 -05:00
HA_RWLOCK_RDUNLOCK(TLSKEYS_REF_LOCK, &ref->lock);
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.i1 = 0;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
REORG: channel: finally rename the last bi_* / bo_* functions For HTTP/2 we'll need some buffer-only equivalent functions to some of the ones applying to channels and still squatting the bi_* / bo_* namespace. Since these names have kept being misleading for quite some time now and are really getting annoying, it's time to rename them. This commit will use "ci/co" as the prefix (for "channel in", "channel out") instead of "bi/bo". The following ones were renamed : bi_getblk_nc, bi_getline_nc, bi_putblk, bi_putchr, bo_getblk, bo_getblk_nc, bo_getline, bo_getline_nc, bo_inject, bi_putchk, bi_putstr, bo_getchr, bo_skip, bi_swpbuf
2017-10-19 08:32:15 -04:00
if (ci_putchk(si_ic(si), &trash) == -1) {
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
/* let's try again later from this stream. We add ourselves into
* this stream's users so that it can remove us upon termination.
*/
MINOR: stream-int: replace si_cant_put() with si_rx_room_{blk,rdy}() Remaining calls to si_cant_put() were all for lack of room and were turned to si_rx_room_blk(). A few places where SI_FL_RXBLK_ROOM was cleared by hand were converted to si_rx_room_rdy(). The now unused si_cant_put() function was removed.
2018-11-15 05:08:52 -05:00
si_rx_room_blk(si);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 0;
}
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
if (appctx->ctx.cli.i0 == 0) /* don't display everything if not necessary */
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
break;
/* get next list entry and check the end of the list */
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.p0 = tlskeys_list_get_next(appctx->ctx.cli.p0, &tlskeys_reference);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
appctx->st2 = STAT_ST_FIN;
/* fall through */
default:
appctx->st2 = STAT_ST_FIN;
return 1;
}
return 0;
}
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
/* sets cli.i0 to non-zero if only file lists should be dumped */
MEDIUM: cli: Add payload support In order to use arbitrary data in the CLI (multiple lines or group of words that must be considered as a whole, for example), it is now possible to add a payload to the commands. To do so, the first line needs to end with a special pattern: <<\n. Everything that follows will be left untouched by the CLI parser and will be passed to the commands parsers. Per-command support will need to be added to take advantage of this feature. Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 07:26:46 -04:00
static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *appctx, void *private)
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
{
/* no parameter, shows only file list */
if (!*args[2]) {
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.i0 = 1;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->io_handler = cli_io_handler_tlskeys_files;
BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys" The recent CLI reorganization managed to break these two commands by having their parser return 1 (indicating an end of processing) instead of 0 to indicate new calls to the io handler were needed. Namely the faulty commits are : 69e9644 ("REORG: cli: move show stat resolvers to dns.c") 32af203 ("REORG: cli: move ssl CLI functions to ssl_sock.c") The fix is trivial and there is no other loss of functionality. Thanks to Dragan Dosen for reporting the issue and the faulty commits. The backport is needed in 1.7.
2016-12-05 08:50:15 -05:00
return 0;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
if (args[2][0] == '*') {
/* list every TLS ticket keys */
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.i0 = 1;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
} else {
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
appctx->ctx.cli.p0 = tlskeys_ref_lookup_ref(args[2]);
if (!appctx->ctx.cli.p0) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'show tls-keys' unable to locate referenced filename\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
}
appctx->io_handler = cli_io_handler_tlskeys_entries;
BUG/MEDIUM: cli: fix "show stat resolvers" and "show tls-keys" The recent CLI reorganization managed to break these two commands by having their parser return 1 (indicating an end of processing) instead of 0 to indicate new calls to the io handler were needed. Namely the faulty commits are : 69e9644 ("REORG: cli: move show stat resolvers to dns.c") 32af203 ("REORG: cli: move ssl CLI functions to ssl_sock.c") The fix is trivial and there is no other loss of functionality. Thanks to Dragan Dosen for reporting the issue and the faulty commits. The backport is needed in 1.7.
2016-12-05 08:50:15 -05:00
return 0;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
MEDIUM: cli: Add payload support In order to use arbitrary data in the CLI (multiple lines or group of words that must be considered as a whole, for example), it is now possible to add a payload to the commands. To do so, the first line needs to end with a special pattern: <<\n. Everything that follows will be left untouched by the CLI parser and will be passed to the commands parsers. Per-command support will need to be added to take advantage of this feature. Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 07:26:46 -04:00
static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appctx, void *private)
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
{
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
struct tls_keys_ref *ref;
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
int ret;
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
/* Expect two parameters: the filename and the new new TLS key in encoding */
if (!*args[3] || !*args[4]) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
MINOR: appctx/cli: remove the "tlskeys" entry from the appctx union This one now migrates to the general purpose cli.p0 for the ref pointer, cli.i0 for the dump_all flag and cli.i1 for the dump_keys_index. A few comments were added. The applet.h file doesn't depend on openssl anymore. It's worth noting that the previous dependency was accidental and only used to work because all files including this one used to have openssl included prior to loading this file.
2016-12-16 12:47:27 -05:00
ref = tlskeys_ref_lookup_ref(args[3]);
if (!ref) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'set ssl tls-key' unable to locate referenced filename\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
ret = base64dec(args[4], strlen(args[4]), trash.area, trash.size);
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ret < 0) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'set ssl tls-key' received invalid base64 encoded TLS key.\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
trash.data = ret;
MINOR: ssl: add support of aes256 bits ticket keys on file and cli. Openssl switched from aes128 to aes256 since may 2016 to compute tls ticket secrets used by default. But Haproxy still handled only 128 bits keys for both tls key file and CLI. This patch permit the user to set aes256 keys throught CLI or the key file (80 bytes encoded in base64) in the same way that aes128 keys were handled (48 bytes encoded in base64): - first 16 bytes for the key name - next 16/32 bytes for aes 128/256 key bits key - last 16/32 bytes for hmac 128/256 bits Both sizes are now supported (but keys from same file must be of the same size and can but updated via CLI only using a key of the same size). Note: This feature need the fix "dec func ignores padding for output size checking."
2019-01-10 11:51:55 -05:00
if (ssl_sock_update_tlskey_ref(ref, &trash) < 0) {
appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "'set ssl tls-key' received a key of wrong size.\n";
appctx->st0 = CLI_ST_PRINT;
return 1;
}
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_INFO;
BUG/MINOR: cli: Ensure all command outputs end with a LF Since 200b0fac ("MEDIUM: Add support for updating TLS ticket keys via socket"), 4147b2ef ("MEDIUM: ssl: basic OCSP stapling support."), 4df59e9 ("MINOR: cli: add socket commands and config to prepend informational messages with severity") and 654694e1 ("MEDIUM: stats/cli: add support for "set table key" to enter values"), commands 'set ssl tls-key', 'set ssl ocsp-response', 'set severity-output' and 'set table' do not always send an extra LF at the end of their outputs. This is required as mentioned in doc/management.txt: "Since multiple commands may be issued at once, haproxy uses the empty line as a delimiter to mark an end of output for each command" Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-03-15 16:48:50 -04:00
appctx->ctx.cli.msg = "TLS ticket key updated!\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
#endif
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
MEDIUM: cli: Add payload support In order to use arbitrary data in the CLI (multiple lines or group of words that must be considered as a whole, for example), it is now possible to add a payload to the commands. To do so, the first line needs to end with a special pattern: <<\n. Everything that follows will be left untouched by the CLI parser and will be passed to the commands parsers. Per-command support will need to be added to take advantage of this feature. Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 07:26:46 -04:00
static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
{
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL;
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
int i, j, ret;
MINOR: ssl: Add payload support to "set ssl ocsp-response" It is now possible to use a payload with the "set ssl ocsp-response" command. These syntaxes will work the same way: # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \ socat /tmp/sock1 - # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \ socat /tmp/sock1 - Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 08:04:58 -04:00
if (!payload)
payload = args[3];
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
/* Expect one parameter: the new response in base64 encoding */
MINOR: ssl: Add payload support to "set ssl ocsp-response" It is now possible to use a payload with the "set ssl ocsp-response" command. These syntaxes will work the same way: # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \ socat /tmp/sock1 - # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \ socat /tmp/sock1 - Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 08:04:58 -04:00
if (!*payload) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
MINOR: ssl: Add payload support to "set ssl ocsp-response" It is now possible to use a payload with the "set ssl ocsp-response" command. These syntaxes will work the same way: # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \ socat /tmp/sock1 - # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \ socat /tmp/sock1 - Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-18 08:04:58 -04:00
/* remove \r and \n from the payload */
for (i = 0, j = 0; payload[i]; i++) {
if (payload[i] == '\r' || payload[i] == '\n')
continue;
payload[j++] = payload[i];
}
payload[j] = 0;
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
ret = base64dec(payload, j, trash.area, trash.size);
if (ret < 0) {
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
BUG/MEDIUM: cli/ssl: don't store base64dec() result in the trash's length By convenience or laziness we used to store base64dec()'s return code into trash.data and to compare it against 0 to check for conversion failure, but it's now unsigned since commit 843b7cb ("MEDIUM: chunks: make the chunk struct's fields match the buffer struct"). Let's clean this up and test the result itself without storing it first. No backport is needed.
2018-08-21 23:26:57 -04:00
trash.data = ret;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
if (ssl_sock_update_ocsp_response(&trash, &err)) {
if (err) {
memprintf(&err, "%s.\n", err);
appctx->ctx.cli.err = err;
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT_FREE;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
}
MINOR: cli: Ensure the CLI always outputs an error when it should When using the CLI_ST_PRINT_FREE state, always output something back if the faulty function did not fill the 'err' variable. The map/acl code could lead to a crash whereas the SSL code was silently failing. Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-04-16 13:02:42 -04:00
else {
appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "Failed to update OCSP response.\n";
appctx->st0 = CLI_ST_PRINT;
}
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
}
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_INFO;
BUG/MINOR: cli: Ensure all command outputs end with a LF Since 200b0fac ("MEDIUM: Add support for updating TLS ticket keys via socket"), 4147b2ef ("MEDIUM: ssl: basic OCSP stapling support."), 4df59e9 ("MINOR: cli: add socket commands and config to prepend informational messages with severity") and 654694e1 ("MEDIUM: stats/cli: add support for "set table key" to enter values"), commands 'set ssl tls-key', 'set ssl ocsp-response', 'set severity-output' and 'set table' do not always send an extra LF at the end of their outputs. This is required as mentioned in doc/management.txt: "Since multiple commands may be issued at once, haproxy uses the empty line as a delimiter to mark an end of output for each command" Signed-off-by: Aurlien Nephtali <aurelien.nephtali@corp.ovh.com>
2018-03-15 16:48:50 -04:00
appctx->ctx.cli.msg = "OCSP Response updated!\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
#else
MINOR: add severity information to cli feedback messages
2017-07-20 10:49:14 -04:00
appctx->ctx.cli.severity = LOG_ERR;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
appctx->ctx.cli.msg = "HAProxy was compiled against a version of OpenSSL that doesn't support OCSP stapling.\n";
CLEANUP: cli: rename STAT_CLI_* to CLI_ST_* These are in CLI states, not stats states anymore. STAT_CLI_O_CUSTOM was more appropriately renamed CLI_ST_CALLBACK.
2016-11-24 09:53:53 -05:00
appctx->st0 = CLI_ST_PRINT;
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
return 1;
#endif
}
/* register cli keywords */
static struct cli_kw_list cli_kws = {{ },{
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
{ { "show", "tls-keys", NULL }, "show tls-keys [id|*]: show tls keys references or dump tls ticket keys when id specified", cli_parse_show_tlskeys, NULL },
BUG/MINOR: cli: restore "set ssl tls-key" command in 32af203b75 ("REORG: cli: move ssl CLI functions to ssl_sock.c") "set ssl tls-key" was accidentally replaced with "set ssl tls-keys" (keys instead of key). This is undocumented and breaks upgrades from 1.6 to 1.7. This patch restores "set ssl tls-key" and also registers a helptext. This should be backported to 1.7.
2017-10-24 06:26:31 -04:00
{ { "set", "ssl", "tls-key", NULL }, "set ssl tls-key [id|keyfile] <tlskey>: set the next TLS key for the <id> or <keyfile> listener to <tlskey>", cli_parse_set_tlskeys, NULL },
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
#endif
BUILD: ssl: fix to build (again) with boringssl Limitations: . disable force-ssl/tls (need more work) should be set earlier with SSL_CTX_new (SSL_CTX_set_ssl_version is removed) . disable generate-certificates (need more work) introduce SSL_NO_GENERATE_CERTIFICATES to disable generate-certificates. Cleanup some #ifdef and type related to boringssl env.
2017-01-13 11:48:18 -05:00
{ { "set", "ssl", "ocsp-response", NULL }, NULL, cli_parse_set_ocspresponse, NULL },
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
{ { NULL }, NULL, NULL, NULL }
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
REORG: cli: move ssl CLI functions to ssl_sock.c Move ssl CLI functions to ssl_sock.c and use the cli keyword API to register ssl actions on the CLI.
2016-10-29 12:09:35 -04:00
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted.
*/
BUG/MEDIUM: prevent gcc from moving empty keywords lists into BSS Benoit Dolez reported a failure to start haproxy 1.5-dev19. The process would immediately report an internal error with missing fetches from some crap instead of ACL names. The cause is that some versions of gcc seem to trim static structs containing a variable array when moving them to BSS, and only keep the fixed size, which is just a list head for all ACL and sample fetch keywords. This was confirmed at least with gcc 3.4.6. And we can't move these structs to const because they contain a list element which is needed to link all of them together during the parsing. The bug indeed appeared with 1.5-dev19 because it's the first one to have some empty ACL keyword lists. One solution is to impose -fno-zero-initialized-in-bss to everyone but this is not really nice. Another solution consists in ensuring the struct is never empty so that it does not move there. The easy solution consists in having a non-null list head since it's not yet initialized. A new "ILH" list head type was thus created for this purpose : create an Initialized List Head so that gcc cannot move the struct to BSS. This fixes the issue for this version of gcc and does not create any burden for the declarations.
2013-06-21 17:16:39 -04:00
static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
{ "ssl_bc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_bc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches. Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provides the ALPN and the NPN for an outgoing connection.
2018-11-22 12:18:29 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
BUG/MINOR: fix ssl_fc_alpn and actually add ssl_bc_alpn When ssl_bc_alpn was meant to be added, a typo slipped in and as a result ssl_fc_alpn behaved as ssl_bc_alpn, and ssl_bc_alpn was not a valid keyword. this patch aims at fixing this.
2018-12-03 16:21:04 -05:00
{ "ssl_bc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches. Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provides the ALPN and the NPN for an outgoing connection.
2018-11-22 12:18:29 -05:00
#endif
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
{ "ssl_bc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
MEDIUM: ssl: Add ssl_bc_alpn and ssl_bc_npn sample fetches. Add 2 new sample fetches, ssl_bc_alpn and ssl_bc_npn, that provides the ALPN and the NPN for an outgoing connection.
2018-11-22 12:18:29 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
{ "ssl_bc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
#endif
MINOR: ssl/sample: adds ssl_bc_is_resumed fetch keyword. Returns true when the back connection was made over an SSL/TLS transport layer and the newly created SSL session was resumed using a cached session or a TLS ticket.
2018-02-19 10:14:12 -05:00
{ "ssl_bc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5SRV },
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
{ "ssl_bc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5SRV },
MINOR: ssl: convert to binary ssl_fc_unique_id and ssl_bc_unique_id. Previously ssl_fc_unique_id and ssl_bc_unique_id return a string encoded in base64 of the RFC 5929 TLS unique identifier. This patch modify those fetches to return directly the ID in the original binary format. The user can make the choice to encode in base64 using the converter. i.e. : ssl_fc_unique_id,base64
2014-04-30 12:49:19 -04:00
{ "ssl_bc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_bc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5SRV },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
MINOR: ssl: adds fetchs and ACLs for ssl back connection. Adds ssl fetchs and ACLs for outgoinf SSL/Transport layer connection with their docs: ssl_bc, ssl_bc_alg_keysize, ssl_bc_cipher, ssl_bc_protocol, ssl_bc_unique_id, ssl_bc_session_id and ssl_bc_use_keysize.
2014-04-30 08:21:06 -04:00
{ "ssl_bc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key' These fetches return the SSL master key of the front/back connection. This is useful to decrypt traffic encrypted with ephemeral ciphers.
2018-04-28 19:15:51 -04:00
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
{ "ssl_bc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5SRV },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_c_ca_err", smp_fetch_ssl_c_ca_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_ca_err_depth", smp_fetch_ssl_c_ca_err_depth, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
{ "ssl_c_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_c_err", smp_fetch_ssl_c_err, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
{ "ssl_c_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_notbefore", smp_fetch_ssl_x_notbefore, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_sig_alg", smp_fetch_ssl_x_sig_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_s_dn", smp_fetch_ssl_x_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_c_serial", smp_fetch_ssl_x_serial, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
{ "ssl_c_sha1", smp_fetch_ssl_x_sha1, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MEDIUM: samples: use new flags to describe compatibility between fetches and their usages Samples fetches were relying on two flags SMP_CAP_REQ/SMP_CAP_RES to describe whether they were compatible with requests rules or with response rules. This was never reliable because we need a finer granularity (eg: an HTTP request method needs to parse an HTTP request, and is available past this point). Some fetches are also dependant on the context (eg: "hdr" uses request or response depending where it's involved, causing some abiguity). In order to solve this, we need to precisely indicate in fetches what they use, and their users will have to compare with what they have. So now we have a bunch of bits indicating where the sample is fetched in the processing chain, with a few variants indicating for some of them if it is permanent or volatile (eg: an HTTP status is stored into the transaction so it is permanent, despite being caught in the response contents). The fetches also have a second mask indicating their validity domain. This one is computed from a conversion table at registration time, so there is no need for doing it by hand. This validity domain consists in a bitmask with one bit set for each usage point in the processing chain. Some provisions were made for upcoming controls such as connection-based TCP rules which apply on top of the connection layer but before instantiating the session. Then everywhere a fetch is used, the bit for the control point is checked in the fetch's validity domain, and it becomes possible to finely ensure that a fetch will work or not. Note that we need these two separate bitfields because some fetches are usable both in request and response (eg: "hdr", "payload"). So the keyword will have a "use" field made of a combination of several SMP_USE_* values, which will be converted into a wider list of SMP_VAL_* flags. The knowledge of permanent vs dynamic information has disappeared for now, as it was never used. Later we'll probably reintroduce it differently when dealing with variables. Its only use at the moment could have been to avoid caching a dynamic rate measurement, but nothing is cached as of now.
2013-01-07 09:42:20 -05:00
{ "ssl_c_used", smp_fetch_ssl_c_used, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_c_verify", smp_fetch_ssl_c_verify, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
{ "ssl_c_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MINOR: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs ssl_c_der : binary Returns the DER formatted certificate presented by the client when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form. ssl_f_der : binary Returns the DER formatted certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. When used for an ACL, the value(s) to match against can be passed in hexadecimal form.
2014-10-29 14:03:26 -04:00
{ "ssl_f_der", smp_fetch_ssl_x_der, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MINOR: ssl: merge client's and frontend's certificate functions.
2014-04-30 11:05:08 -04:00
{ "ssl_f_i_dn", smp_fetch_ssl_x_i_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_key_alg", smp_fetch_ssl_x_key_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_notafter", smp_fetch_ssl_x_notafter, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_notbefore", smp_fetch_ssl_x_notbefore, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_sig_alg", smp_fetch_ssl_x_sig_alg, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_s_dn", smp_fetch_ssl_x_s_dn, ARG2(0,STR,SINT), NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_f_serial", smp_fetch_ssl_x_serial, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MINOR: ssl: adds ssl_f_sha1 fetch to return frontend's certificate fingerprint ssl_f_sha1 is a binary binary fetch used to returns the SHA-1 fingerprint of the certificate presented by the frontend when the incoming connection was made over an SSL/TLS transport layer. This can be used to know which certificate was chosen using SNI.
2014-04-30 11:11:25 -04:00
{ "ssl_f_sha1", smp_fetch_ssl_x_sha1, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_f_version", smp_fetch_ssl_x_version, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MEDIUM: samples: use new flags to describe compatibility between fetches and their usages Samples fetches were relying on two flags SMP_CAP_REQ/SMP_CAP_RES to describe whether they were compatible with requests rules or with response rules. This was never reliable because we need a finer granularity (eg: an HTTP request method needs to parse an HTTP request, and is available past this point). Some fetches are also dependant on the context (eg: "hdr" uses request or response depending where it's involved, causing some abiguity). In order to solve this, we need to precisely indicate in fetches what they use, and their users will have to compare with what they have. So now we have a bunch of bits indicating where the sample is fetched in the processing chain, with a few variants indicating for some of them if it is permanent or volatile (eg: an HTTP status is stored into the transaction so it is permanent, despite being caught in the response contents). The fetches also have a second mask indicating their validity domain. This one is computed from a conversion table at registration time, so there is no need for doing it by hand. This validity domain consists in a bitmask with one bit set for each usage point in the processing chain. Some provisions were made for upcoming controls such as connection-based TCP rules which apply on top of the connection layer but before instantiating the session. Then everywhere a fetch is used, the bit for the control point is checked in the fetch's validity domain, and it becomes possible to finely ensure that a fetch will work or not. Note that we need these two separate bitfields because some fetches are usable both in request and response (eg: "hdr", "payload"). So the keyword will have a "use" field made of a combination of several SMP_USE_* values, which will be converted into a wider list of SMP_VAL_* flags. The knowledge of permanent vs dynamic information has disappeared for now, as it was never used. Later we'll probably reintroduce it differently when dealing with variables. Its only use at the moment could have been to avoid caching a dynamic rate measurement, but nothing is cached as of now.
2013-01-07 09:42:20 -05:00
{ "ssl_fc", smp_fetch_ssl_fc, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_fc_alg_keysize", smp_fetch_ssl_fc_alg_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_cipher", smp_fetch_ssl_fc_cipher, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
MEDIUM: samples: use new flags to describe compatibility between fetches and their usages Samples fetches were relying on two flags SMP_CAP_REQ/SMP_CAP_RES to describe whether they were compatible with requests rules or with response rules. This was never reliable because we need a finer granularity (eg: an HTTP request method needs to parse an HTTP request, and is available past this point). Some fetches are also dependant on the context (eg: "hdr" uses request or response depending where it's involved, causing some abiguity). In order to solve this, we need to precisely indicate in fetches what they use, and their users will have to compare with what they have. So now we have a bunch of bits indicating where the sample is fetched in the processing chain, with a few variants indicating for some of them if it is permanent or volatile (eg: an HTTP status is stored into the transaction so it is permanent, despite being caught in the response contents). The fetches also have a second mask indicating their validity domain. This one is computed from a conversion table at registration time, so there is no need for doing it by hand. This validity domain consists in a bitmask with one bit set for each usage point in the processing chain. Some provisions were made for upcoming controls such as connection-based TCP rules which apply on top of the connection layer but before instantiating the session. Then everywhere a fetch is used, the bit for the control point is checked in the fetch's validity domain, and it becomes possible to finely ensure that a fetch will work or not. Note that we need these two separate bitfields because some fetches are usable both in request and response (eg: "hdr", "payload"). So the keyword will have a "use" field made of a combination of several SMP_USE_* values, which will be converted into a wider list of SMP_VAL_* flags. The knowledge of permanent vs dynamic information has disappeared for now, as it was never used. Later we'll probably reintroduce it differently when dealing with variables. Its only use at the moment could have been to avoid caching a dynamic rate measurement, but nothing is cached as of now.
2013-01-07 09:42:20 -05:00
{ "ssl_fc_has_crt", smp_fetch_ssl_fc_has_crt, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
{ "ssl_fc_has_early", smp_fetch_ssl_fc_has_early, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
MEDIUM: samples: use new flags to describe compatibility between fetches and their usages Samples fetches were relying on two flags SMP_CAP_REQ/SMP_CAP_RES to describe whether they were compatible with requests rules or with response rules. This was never reliable because we need a finer granularity (eg: an HTTP request method needs to parse an HTTP request, and is available past this point). Some fetches are also dependant on the context (eg: "hdr" uses request or response depending where it's involved, causing some abiguity). In order to solve this, we need to precisely indicate in fetches what they use, and their users will have to compare with what they have. So now we have a bunch of bits indicating where the sample is fetched in the processing chain, with a few variants indicating for some of them if it is permanent or volatile (eg: an HTTP status is stored into the transaction so it is permanent, despite being caught in the response contents). The fetches also have a second mask indicating their validity domain. This one is computed from a conversion table at registration time, so there is no need for doing it by hand. This validity domain consists in a bitmask with one bit set for each usage point in the processing chain. Some provisions were made for upcoming controls such as connection-based TCP rules which apply on top of the connection layer but before instantiating the session. Then everywhere a fetch is used, the bit for the control point is checked in the fetch's validity domain, and it becomes possible to finely ensure that a fetch will work or not. Note that we need these two separate bitfields because some fetches are usable both in request and response (eg: "hdr", "payload"). So the keyword will have a "use" field made of a combination of several SMP_USE_* values, which will be converted into a wider list of SMP_VAL_* flags. The knowledge of permanent vs dynamic information has disappeared for now, as it was never used. Later we'll probably reintroduce it differently when dealing with variables. Its only use at the moment could have been to avoid caching a dynamic rate measurement, but nothing is cached as of now.
2013-01-07 09:42:20 -05:00
{ "ssl_fc_has_sni", smp_fetch_ssl_fc_has_sni, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
MINOR: Add sample fetch which identifies if the SSL session has been resumed Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
2015-05-17 20:28:57 -04:00
{ "ssl_fc_is_resumed", smp_fetch_ssl_fc_is_resumed, 0, NULL, SMP_T_BOOL, SMP_USE_L5CLI },
BUILD: ssl: Fix build with OpenSSL without NPN capability OpenSSL can be built without NEXTPROTONEG support by passing -no-npn to the configure script. This sets the OPENSSL_NO_NEXTPROTONEG flag in opensslconf.h Since NEXTPROTONEG is now considered deprecated, it is superseeded by ALPN (Application Layer Protocol Next), HAProxy should allow building withough NPN support.
2018-02-15 07:34:58 -05:00
#if defined(OPENSSL_NPN_NEGOTIATED) && !defined(OPENSSL_NO_NEXTPROTONEG)
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_npn", smp_fetch_ssl_fc_npn, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
MINOR: ssl: add support for the "alpn" bind keyword The ALPN extension is meant to replace the now deprecated NPN extension. This patch implements support for it. It requires a version of openssl with support for this extension. Patches are available here right now : http://html5labs.interopbridges.com/media/167447/alpn_patches.zip
2013-04-01 20:30:41 -04:00
#endif
MEDIUM: ssl: Use ALPN support as it will be available in OpenSSL 1.0.2 The current ALPN support is based on custom OpenSSL patches. These are however not the same as what has landed on OpenSSL: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691 This patch change the code so it supports ALPN as it will be part of OpenSSL.
2014-02-13 06:29:42 -05:00
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_alpn", smp_fetch_ssl_fc_alpn, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
MINOR: ssl: add 'ssl_npn' sample/acl to extract TLS/NPN information This may be used to distinguish between SPDY versions for example.
2012-10-15 07:19:06 -04:00
#endif
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_protocol", smp_fetch_ssl_fc_protocol, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
MINOR: ssl: convert to binary ssl_fc_unique_id and ssl_bc_unique_id. Previously ssl_fc_unique_id and ssl_bc_unique_id return a string encoded in base64 of the RFC 5929 TLS unique identifier. This patch modify those fetches to return directly the ID in the original binary format. The user can make the choice to encode in base64 using the converter. i.e. : ssl_fc_unique_id,base64
2014-04-30 12:49:19 -04:00
{ "ssl_fc_unique_id", smp_fetch_ssl_fc_unique_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MAJOR: sample: converts uint and sint in 64 bits signed integer This patch removes the 32 bits unsigned integer and the 32 bit signed integer. It replaces these types by a unique type 64 bit signed. This makes easy the usage of integer and clarify signed and unsigned use. With the previous version, signed and unsigned are used ones in place of others, and sometimes the converter loose the sign. For example, divisions are processed with "unsigned", if one entry is negative, the result is wrong. Note that the integer pattern matching and dotted version pattern matching are already working with signed 64 bits integer values. There is one user-visible change : the "uint()" and "sint()" sample fetch functions which used to return a constant integer have been replaced with a new more natural, unified "int()" function. These functions were only introduced in the latest 1.6-dev2 so there's no impact on regular deployments.
2015-07-06 17:43:03 -04:00
{ "ssl_fc_use_keysize", smp_fetch_ssl_fc_use_keysize, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#if OPENSSL_VERSION_NUMBER > 0x0090800fL
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_session_id", smp_fetch_ssl_fc_session_id, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MINOR: ssl: add fetch 'ssl_fc_session_key' and 'ssl_bc_session_key' These fetches return the SSL master key of the front/back connection. This is useful to decrypt traffic encrypted with ephemeral ciphers.
2018-04-28 19:15:51 -04:00
#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_IS_BORINGSSL)
{ "ssl_fc_session_key", smp_fetch_ssl_fc_session_key, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
#endif
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
MEDIUM: sample: Remove types SMP_T_CSTR and SMP_T_CBIN, replace it by SMP_F_CONST flags The operations applied on types SMP_T_CSTR and SMP_T_STR are the same, but the check code and the declarations are double, because it must declare action for SMP_T_C* and SMP_T_*. The declared actions and checks are the same. this complexify the code. Only the "conv" functions can change from "C*" to "*" Now, if a function needs to modify input string, it can call the new function smp_dup(). This one duplicate data in a trash buffer.
2013-12-16 18:20:33 -05:00
{ "ssl_fc_sni", smp_fetch_ssl_fc_sni, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
MINOR: ssl: disable SSL sample fetches when unsupported Previously these fetches would return empty results when HAProxy was compiled without the requisite SSL support. This results in confusion and problem reports from people who unexpectedly encounter the behavior.
2018-04-28 19:15:48 -04:00
#endif
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
{ "ssl_fc_cipherlist_bin", smp_fetch_ssl_fc_cl_bin, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_fc_cipherlist_hex", smp_fetch_ssl_fc_cl_hex, 0, NULL, SMP_T_BIN, SMP_USE_L5CLI },
{ "ssl_fc_cipherlist_str", smp_fetch_ssl_fc_cl_str, 0, NULL, SMP_T_STR, SMP_USE_L5CLI },
{ "ssl_fc_cipherlist_xxh", smp_fetch_ssl_fc_cl_xxh64, 0, NULL, SMP_T_SINT, SMP_USE_L5CLI },
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
{ NULL, NULL, 0, 0, 0 },
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, sample_register_fetches, &sample_fetch_keywords);
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted.
*/
BUG/MEDIUM: prevent gcc from moving empty keywords lists into BSS Benoit Dolez reported a failure to start haproxy 1.5-dev19. The process would immediately report an internal error with missing fetches from some crap instead of ACL names. The cause is that some versions of gcc seem to trim static structs containing a variable array when moving them to BSS, and only keep the fixed size, which is just a list head for all ACL and sample fetch keywords. This was confirmed at least with gcc 3.4.6. And we can't move these structs to const because they contain a list element which is needed to link all of them together during the parsing. The bug indeed appeared with 1.5-dev19 because it's the first one to have some empty ACL keyword lists. One solution is to impose -fno-zero-initialized-in-bss to everyone but this is not really nice. Another solution consists in ensuring the struct is never empty so that it does not move there. The easy solution consists in having a non-null list head since it's not yet initialized. A new "ILH" list head type was thus created for this purpose : create an Initialized List Head so that gcc cannot move the struct to BSS. This fixes the issue for this version of gcc and does not create any burden for the declarations.
2013-06-21 17:16:39 -04:00
static struct acl_kw_list acl_kws = {ILH, {
MEDIUM: acl: Change the acl register struct This patch replace a lot of pointeur by pattern matching identifier. If the declared ACL use all the predefined pattern matching functions, the register function gets the functions provided by "pattern.c" and identified by the PAT_LATCH_*. In the case of the acl uses his own functions, they can be declared, and the acl registration doesn't change it.
2014-03-05 10:07:08 -05:00
{ "ssl_fc_sni_end", "ssl_fc_sni", PAT_MATCH_END },
{ "ssl_fc_sni_reg", "ssl_fc_sni", PAT_MATCH_REG },
MAJOR: acl: make all ACLs reference the fetch function via a sample. ACL fetch functions used to directly reference a fetch function. Now that all ACL fetches have their sample fetches equivalent, we can make ACLs reference a sample fetch keyword instead. In order to simplify the code, a sample keyword name may be NULL if it is the same as the ACL's, which is the most common case. A minor change appeared, http_auth always expects one argument though the ACL allowed it to be missing and reported as such afterwards, so fix the ACL to match this. This is not really a bug.
2013-01-11 09:49:37 -05:00
{ /* END */ },
MEDIUM: ssl: add sample fetches for is_ssl, ssl_has_sni, ssl_sni_* This allows SNI presence and value to be checked on incoming SSL connections. It is usable both for ACLs and stick tables.
2012-09-10 02:20:03 -04:00
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, acl_register_keywords, &acl_kws);
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted, doing so helps
* all code contributors.
* Optional keywords are also declared with a NULL ->parse() function so that
* the config parser can report an appropriate error when a known keyword was
* not enabled.
*/
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
static struct ssl_bind_kw ssl_bind_kws[] = {
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
{ "allow-0rtt", ssl_bind_parse_allow_0rtt, 0 }, /* allow 0-RTT */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
{ "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
{ "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
{ "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
{ "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
#endif
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
MINOR: ssl: add curve suite for ECDHE negotiation Add 'curves' parameter on 'bind' and for 'crt-list' to set curve suite. (ex: curves X25519:P-256)
2017-01-09 10:15:54 -05:00
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
MINOR: ssl: add "no-ca-names" parameter for bind This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list".
2017-07-28 09:01:05 -04:00
{ "no-ca-names", ssl_bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
{ "npn", ssl_bind_parse_npn, 1 }, /* set NPN supported protocols */
MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list SSL/TLS version can be changed per certificat if and only if openssl lib support earlier callback on handshake and, of course, is implemented in haproxy. It's ok for BoringSSL. For Openssl, version 1.1.1 have such callback and could support it.
2017-05-18 06:46:50 -04:00
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
MAJOR: ssl: bind configuration per certificat crt-list is extend to support ssl configuration. You can now have such line in crt-list <file>: mycert.pem [npn h2,http/1.1] Support include "npn", "alpn", "verify", "ca_file", "crl_file", "ecdhe", "ciphers" configuration and ssl options. "crt-base" is also supported to fetch certificates.
2016-12-29 12:26:15 -05:00
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
{ NULL, NULL, 0 },
};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
/* no initcall for ssl_bind_kws, these ones are parsed in the parser loop */
MINOR: listener: add a scope field in the bind keyword lists This scope is used to report what the keywords are used for (eg: TCP, UNIX, ...). It is now reported by bind_dump_kws().
2012-09-18 12:24:39 -04:00
static struct bind_kw_list bind_kws = { "SSL", { }, {
MEDIUM: ssl: Handle early data with OpenSSL 1.1.1 When compiled with Openssl >= 1.1.1, before attempting to do the handshake, try to read any early data. If any early data is present, then we'll create the session, read the data, and handle the request before we're doing the handshake. For this, we add a new connection flag, CO_FL_EARLY_SSL_HS, which is not part of the CO_FL_HANDSHAKE set, allowing to proceed with a session even before an SSL handshake is completed. As early data do have security implication, we let the origin server know the request comes from early data by adding the "Early-Data" header, as specified in this draft from the HTTP working group : https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-replay
2017-09-22 12:26:28 -04:00
{ "allow-0rtt", bind_parse_allow_0rtt, 0 }, /* Allow 0RTT */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "alpn", bind_parse_alpn, 1 }, /* set ALPN supported protocols */
{ "ca-file", bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
{ "ca-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ignore on verify depth > 0 */
{ "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
{ "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
{ "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
#endif
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
{ "crt-list", bind_parse_crt_list, 1 }, /* load a list of crt from this location */
{ "curves", bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
{ "force-sslv3", bind_parse_tls_method_options, 0 }, /* force SSLv3 */
{ "force-tlsv10", bind_parse_tls_method_options, 0 }, /* force TLSv10 */
{ "force-tlsv11", bind_parse_tls_method_options, 0 }, /* force TLSv11 */
{ "force-tlsv12", bind_parse_tls_method_options, 0 }, /* force TLSv12 */
MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl.
2017-03-30 13:29:39 -04:00
{ "force-tlsv13", bind_parse_tls_method_options, 0 }, /* force TLSv13 */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "generate-certificates", bind_parse_generate_certs, 0 }, /* enable the server certificates generation */
MINOR: ssl: add "no-ca-names" parameter for bind This option prevent to send CA names in server hello message when ca-file is used. This parameter is also available in "crt-list".
2017-07-28 09:01:05 -04:00
{ "no-ca-names", bind_parse_no_ca_names, 0 }, /* do not send ca names to clients (ca_file related) */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "no-sslv3", bind_parse_tls_method_options, 0 }, /* disable SSLv3 */
{ "no-tlsv10", bind_parse_tls_method_options, 0 }, /* disable TLSv10 */
{ "no-tlsv11", bind_parse_tls_method_options, 0 }, /* disable TLSv11 */
{ "no-tlsv12", bind_parse_tls_method_options, 0 }, /* disable TLSv12 */
MINOR: ssl: support TLSv1.3 for bind and server This patch add 'no-tlsv13' and 'force-tlsv13' configuration. This is only useful with openssl-dev and boringssl.
2017-03-30 13:29:39 -04:00
{ "no-tlsv13", bind_parse_tls_method_options, 0 }, /* disable TLSv13 */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "no-tls-tickets", bind_parse_no_tls_tickets, 0 }, /* disable session resumption tickets */
{ "ssl", bind_parse_ssl, 0 }, /* enable SSL processing */
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
{ "ssl-min-ver", bind_parse_tls_method_minmax, 1 }, /* minimum version */
{ "ssl-max-ver", bind_parse_tls_method_minmax, 1 }, /* maximum version */
MEDIUM: ssl: ssl_methods implementation is reworked and factored for min/max tlsxx Plan is to add min-tlsxx max-tlsxx configuration, more consistent than no-tlsxx. This patch introduce internal min/max and replace force-tlsxx implementation. SSL method configuration is store in 'struct tls_version_filter'. SSL method configuration to openssl setting is abstract in 'methodVersions' table. With openssl < 1.1.0, SSL_CTX_set_ssl_version is used for force (min == max). With openssl >= 1.1.0, SSL_CTX_set_min/max_proto_version is used.
2017-03-30 13:19:37 -04:00
{ "strict-sni", bind_parse_strict_sni, 0 }, /* refuse negotiation if sni doesn't match a certificate */
{ "tls-ticket-keys", bind_parse_tls_ticket_keys, 1 }, /* set file to load TLS ticket keys from */
{ "verify", bind_parse_verify, 1 }, /* set SSL verify method */
{ "npn", bind_parse_npn, 1 }, /* set NPN supported protocols */
{ "prefer-client-ciphers", bind_parse_pcc, 0 }, /* prefer client ciphers */
MEDIUM: move bind SSL parsing to ssl_sock Registering new SSL bind keywords was not particularly handy as it required many #ifdef in cfgparse.c. Now the code has moved to ssl_sock.c which calls a register function for all the keywords. Error reporting was also improved by this move, because the called functions build an error message using memprintf(), which can span multiple lines if needed, and each of these errors will be displayed indented in the context of the bind line being processed. This is important when dealing with certificate directories which can report multiple errors.
2012-09-14 01:53:05 -04:00
{ NULL, NULL, 0 },
}};
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, bind_register_keywords, &bind_kws);
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted, doing so helps
* all code contributors.
* Optional keywords are also declared with a NULL ->parse() function so that
* the config parser can report an appropriate error when a known keyword was
* not enabled.
*/
static struct srv_kw_list srv_kws = { "SSL", { }, {
MINOR: ssl: Handle sending early data to server. This adds a new keyword on the "server" line, "allow-0rtt", if set, we'll try to send early data to the server, as long as the client sent early data, as in case the server rejects the early data, we no longer have them, and can't resend them, so the only option we have is to send back a 425, and we need to be sure the client knows how to interpret it correctly.
2017-11-03 11:27:47 -04:00
{ "allow-0rtt", srv_parse_allow_0rtt, 0, 1 }, /* Allow using early data on this server */
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
{ "alpn", srv_parse_alpn, 1, 1 }, /* Set ALPN supported protocols */
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
{ "ca-file", srv_parse_ca_file, 1, 1 }, /* set CAfile to process verify server cert */
MEDIUM: checks: Add check-alpn. Add a way to configure the ALPN used by check, with a new "check-alpn" keyword. By default, the checks will use the server ALPN, but it may not be convenient, for instance because the server may use HTTP/2, while checks are unable to do HTTP/2 yet.
2018-12-21 13:47:01 -05:00
{ "check-alpn", srv_parse_alpn, 1, 1 }, /* Set ALPN used for checks */
MINOR: checks: Add a new keyword to specify a SNI when doing SSL checks. Add a new keyword, "check-sni", to be able to specify the SNI to be used when doing health checks over SSL.
2017-10-17 11:33:43 -04:00
{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
{ "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
#endif
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
{ "crt", srv_parse_crt, 1, 1 }, /* set client certificate */
{ "force-sslv3", srv_parse_tls_method_options, 0, 1 }, /* force SSLv3 */
{ "force-tlsv10", srv_parse_tls_method_options, 0, 1 }, /* force TLSv10 */
{ "force-tlsv11", srv_parse_tls_method_options, 0, 1 }, /* force TLSv11 */
{ "force-tlsv12", srv_parse_tls_method_options, 0, 1 }, /* force TLSv12 */
{ "force-tlsv13", srv_parse_tls_method_options, 0, 1 }, /* force TLSv13 */
{ "no-check-ssl", srv_parse_no_check_ssl, 0, 1 }, /* disable SSL for health checks */
{ "no-send-proxy-v2-ssl", srv_parse_no_send_proxy_ssl, 0, 1 }, /* do not send PROXY protocol header v2 with SSL info */
{ "no-send-proxy-v2-ssl-cn", srv_parse_no_send_proxy_cn, 0, 1 }, /* do not send PROXY protocol header v2 with CN */
{ "no-ssl", srv_parse_no_ssl, 0, 1 }, /* disable SSL processing */
{ "no-ssl-reuse", srv_parse_no_ssl_reuse, 0, 1 }, /* disable session reuse */
{ "no-sslv3", srv_parse_tls_method_options, 0, 0 }, /* disable SSLv3 */
{ "no-tlsv10", srv_parse_tls_method_options, 0, 0 }, /* disable TLSv10 */
{ "no-tlsv11", srv_parse_tls_method_options, 0, 0 }, /* disable TLSv11 */
{ "no-tlsv12", srv_parse_tls_method_options, 0, 0 }, /* disable TLSv12 */
{ "no-tlsv13", srv_parse_tls_method_options, 0, 0 }, /* disable TLSv13 */
{ "no-tls-tickets", srv_parse_no_tls_tickets, 0, 1 }, /* disable session resumption tickets */
MINOR: server: Add "alpn" and "npn" keywords. Add new keywords to "server" lines, alpn and npn. If set, when connecting through SSL, those alpn/npn will be negociated during the SSL handshake.
2018-11-20 17:33:50 -05:00
{ "npn", srv_parse_npn, 1, 1 }, /* Set NPN supported protocols */
MEDIUM: ssl: add ssl-min-ver and ssl-max-ver parameters for bind and server 'ssl-min-ver' and 'ssl-max-ver' with argument SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 limit the SSL negotiation version to a continuous range. ssl-min-ver and ssl-max-ver should be used in replacement of no-tls* and no-sslv3. Warning and documentation are set accordingly.
2017-03-31 09:02:54 -04:00
{ "send-proxy-v2-ssl", srv_parse_send_proxy_ssl, 0, 1 }, /* send PROXY protocol header v2 with SSL info */
{ "send-proxy-v2-ssl-cn", srv_parse_send_proxy_cn, 0, 1 }, /* send PROXY protocol header v2 with CN */
{ "sni", srv_parse_sni, 1, 1 }, /* send SNI extension */
{ "ssl", srv_parse_ssl, 0, 1 }, /* enable SSL processing */
{ "ssl-min-ver", srv_parse_tls_method_minmax, 1, 1 }, /* minimum version */
{ "ssl-max-ver", srv_parse_tls_method_minmax, 1, 1 }, /* maximum version */
{ "ssl-reuse", srv_parse_ssl_reuse, 0, 1 }, /* enable session reuse */
{ "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
{ "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
{ "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
{ NULL, NULL, 0, 0 },
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, srv_register_keywords, &srv_kws);
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
static struct cfg_kw_list cfg_kws = {ILH, {
MINOR: cfgparse: move parsing of "ca-base" and "crt-base" to ssl_sock This removes 2 #ifdefs and makes the code much cleaner. The controls are still there and the two parsers have been merged into a single function ssl_parse_global_ca_crt_base(). It's worth noting that there's still a check to prevent a change when the value was already specified. This test seems useless and possibly counter-productive, it may have to be revisited later, but for now it was implemented identically.
2016-12-21 16:44:46 -05:00
{ CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base },
{ CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
MEDIUM: cfgparse: move maxsslconn parsing to ssl_sock This one simply reuses the existing integer parser. It implicitly adds a control against negative numbers.
2016-12-21 17:17:25 -05:00
{ CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
{ CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
{ CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
MEDIUM: cfgparse: move ssl-dh-param-file parsing to ssl_sock This one was missing an arg count check which was added in the operation.
2016-12-21 17:28:13 -05:00
#ifndef OPENSSL_NO_DH
{ CFG_GLOBAL, "ssl-dh-param-file", ssl_parse_global_dh_param_file },
#endif
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
{ CFG_GLOBAL, "ssl-mode-async", ssl_parse_global_ssl_async },
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
{ CFG_GLOBAL, "ssl-engine", ssl_parse_global_ssl_engine },
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: cfgparse: move all tune.ssl.* keywords to ssl_sock The following keywords were still parsed in cfgparse and were moved to ssl_sock to remove some #ifdefs : "tune.ssl.cachesize", "tune.ssl.default-dh-param", "tune.ssl.force-private-cache", "tune.ssl.lifetime", "tune.ssl.maxrecord", "tune.ssl.ssl-ctx-cache-size". It's worth mentionning that some of them used to have incorrect sign checks possibly resulting in some negative values being used. All of them are now checked for being positive.
2016-12-21 17:13:03 -05:00
{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },
#ifndef OPENSSL_NO_DH
{ CFG_GLOBAL, "tune.ssl.default-dh-param", ssl_parse_global_default_dh },
#endif
{ CFG_GLOBAL, "tune.ssl.force-private-cache", ssl_parse_global_private_cache },
{ CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
MEDIUM: ssl: add new sample-fetch which captures the cipherlist This new sample-fetches captures the cipher list offer by the client SSL connection during the client-hello phase. This is useful for fingerprint the SSL connection.
2017-02-25 06:45:22 -05:00
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
MINOR: cfgparse: move parsing of ssl-default-{bind,server}-ciphers to ssl_sock These ones are pretty similar, just an strdup. Contrary to ca-base and crt-base they support being changed.
2016-12-21 17:23:19 -05:00
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
{ CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
#endif
MINOR: ssl: add statement to force some ssl options in global. Adds global statements 'ssl-default-server-options' and 'ssl-default-bind-options' to force on 'server' and 'bind' lines some ssl options. Currently available options are 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', and 'no-tls-tickets'. Example: global ssl-default-server-options no-sslv3 ssl-default-bind-options no-sslv3
2014-10-30 10:56:50 -04:00
{ 0, NULL, NULL },
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
REORG: connection: rename the data layer the "transport layer" While working on the changes required to make the health checks use the new connections, it started to become obvious that some naming was not logical at all in the connections. Specifically, it is not logical to call the "data layer" the layer which is in charge for all the handshake and which does not yet provide a data layer once established until a session has allocated all the required buffers. In fact, it's more a transport layer, which makes much more sense. The transport layer offers a medium on which data can transit, and it offers the functions to move these data when the upper layer requests this. And it is the upper layer which iterates over the transport layer's functions to move data which should be called the data layer. The use case where it's obvious is with embryonic sessions : an incoming SSL connection is accepted. Only the connection is allocated, not the buffers nor stream interface, etc... The connection handles the SSL handshake by itself. Once this handshake is complete, we can't use the data functions because the buffers and stream interface are not there yet. Hence we have to first call a specific function to complete the session initialization, after which we'll be able to use the data functions. This clearly proves that SSL here is only a transport layer and that the stream interface constitutes the data layer. A similar change will be performed to rename app_cb => data, but the two could not be in the same commit for obvious reasons.
2012-10-02 18:19:48 -04:00
/* transport-layer operations for SSL sockets */
CLEANUP: connection: unexport raw_sock and ssl_sock This way we're sure not to reuse them by accident.
2016-12-22 15:08:52 -05:00
static struct xprt_ops ssl_sock = {
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
.snd_buf = ssl_sock_from_buf,
.rcv_buf = ssl_sock_to_buf,
MINOR: connections/mux: Add a new "subscribe" method. Add a new "subscribe" method for connection, conn_stream and mux, so that upper layer can subscribe to them, to be called when the event happens. Right now, the only event implemented is "SUB_CAN_SEND", where the upper layer can register to be called back when it is possible to send data. The connection and conn_stream got a new "send_wait_list" entry, which required to move a few struct members around to maintain an efficient cache alignment (and actually this slightly improved performance).
2018-07-17 12:46:31 -04:00
.subscribe = conn_subscribe,
MINOR: connections: Introduce an unsubscribe method. As we don't know how subscriptions are handled, we can't just assume we can use LIST_DEL() to unsubscribe, so introduce a new method to mux and connections to do so.
2018-09-28 11:57:58 -04:00
.unsubscribe = conn_unsubscribe,
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
.rcv_pipe = NULL,
.snd_pipe = NULL,
.shutr = NULL,
.shutw = ssl_sock_shutw,
.close = ssl_sock_close,
.init = ssl_sock_init,
MEDIUM: ssl_sock: implement ssl_sock_prepare_bind_conf() Instead of hard-coding all SSL preparation in cfgparse.c, we now register this new function as the transport layer's prepare_bind_conf() and call it only when definied. This removes some non-obvious SSL-specific code from cfgparse.c as well as a #ifdef.
2016-12-21 17:38:39 -05:00
.prepare_bind_conf = ssl_sock_prepare_bind_conf,
MINOR: ssl_sock: implement ssl_sock_destroy_bind_conf() Instead of hard-coding all SSL destruction in cfgparse.c and haproxy.c, we now register this new function as the transport layer's destroy_bind_conf() and call it only when defined. This removes some non-obvious SSL-specific code and #ifdefs from cfgparse.c and haproxy.c
2016-12-22 11:30:54 -05:00
.destroy_bind_conf = ssl_sock_destroy_bind_conf,
MINOR: ssl_sock: implement and use prepare_srv()/destroy_srv() Now we can simply check the transport layer at run time and decide whether or not to initialize or destroy these entries. This removes other ifdefs and includes from cfgparse.c, haproxy.c and hlua.c.
2016-12-22 15:16:08 -05:00
.prepare_srv = ssl_sock_prepare_srv_ctx,
.destroy_srv = ssl_sock_free_srv_ctx,
MINOR: ssl: add a get_alpn() method to ssl_sock This is used to retrieve the TLS ALPN information from a connection. We also support a fallback to NPN if ALPN doesn't find anything or is not available on the existing implementation. It happens that depending on the library version, either one or the other is available. NPN was present in openssl 1.0.1 (very common) while ALPN is in 1.0.2 and onwards (still uncommon at the time of writing). Clients are used to send either one or the other to ensure a smooth transition.
2016-12-04 12:44:29 -05:00
.get_alpn = ssl_sock_get_alpn,
MINOR: connection: add names for transport and data layers This makes debugging easier and avoids having to put ugly checks against certain well-known internal struct pointers.
2016-11-24 10:58:12 -05:00
.name = "SSL",
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
};
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
enum act_return ssl_action_wait_for_hs(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
struct connection *conn;
MINOR: early data: Don't rely on CO_FL_EARLY_DATA to wake up streams. Instead of looking for CO_FL_EARLY_DATA to know if we have to try to wake up a stream, because it is waiting for a SSL handshake, instead add a new conn_stream flag, CS_FL_WAIT_FOR_HS. This way we don't have to rely on CO_FL_EARLY_DATA, and we will only wake streams that are actually waiting.
2017-11-27 12:41:32 -05:00
struct conn_stream *cs;
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
conn = objt_conn(sess->origin);
MINOR: early data: Don't rely on CO_FL_EARLY_DATA to wake up streams. Instead of looking for CO_FL_EARLY_DATA to know if we have to try to wake up a stream, because it is waiting for a SSL handshake, instead add a new conn_stream flag, CS_FL_WAIT_FOR_HS. This way we don't have to rely on CO_FL_EARLY_DATA, and we will only wake streams that are actually waiting.
2017-11-27 12:41:32 -05:00
cs = objt_cs(s->si[0].end);
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
MINOR: early data: Don't rely on CO_FL_EARLY_DATA to wake up streams. Instead of looking for CO_FL_EARLY_DATA to know if we have to try to wake up a stream, because it is waiting for a SSL handshake, instead add a new conn_stream flag, CS_FL_WAIT_FOR_HS. This way we don't have to rely on CO_FL_EARLY_DATA, and we will only wake streams that are actually waiting.
2017-11-27 12:41:32 -05:00
if (conn && cs) {
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
if (conn->flags & (CO_FL_EARLY_SSL_HS | CO_FL_SSL_WAIT_HS)) {
MINOR: early data: Don't rely on CO_FL_EARLY_DATA to wake up streams. Instead of looking for CO_FL_EARLY_DATA to know if we have to try to wake up a stream, because it is waiting for a SSL handshake, instead add a new conn_stream flag, CS_FL_WAIT_FOR_HS. This way we don't have to rely on CO_FL_EARLY_DATA, and we will only wake streams that are actually waiting.
2017-11-27 12:41:32 -05:00
cs->flags |= CS_FL_WAIT_FOR_HS;
MINOR: ssl/proto_http: Add keywords to take care of early data. Add a new sample fetch, "ssl_fc_has_early", a boolean that will be true if early data were sent, and a new action, "wait-for-handshake", if used, the request won't be forwarded until the SSL handshake is done.
2017-10-02 05:51:03 -04:00
s->req.flags |= CF_READ_NULL;
return ACT_RET_YIELD;
}
}
return (ACT_RET_CONT);
}
static enum act_parse_ret ssl_parse_wait_for_hs(const char **args, int *orig_arg, struct proxy *px, struct act_rule *rule, char **err)
{
rule->action_ptr = ssl_action_wait_for_hs;
return ACT_RET_PRS_OK;
}
static struct action_kw_list http_req_actions = {ILH, {
{ "wait-for-handshake", ssl_parse_wait_for_hs },
{ /* END */ }
}};
MEDIUM: init: convert all trivial registration calls to initcalls This switches explicit calls to various trivial registration methods for keywords, muxes or protocols from constructors to INITCALL1 at stage STG_REGISTER. All these calls have in common to consume a single pointer and return void. Doing this removes 26 constructors. The following calls were addressed : - acl_register_keywords - bind_register_keywords - cfg_register_keywords - cli_register_kw - flt_register_keywords - http_req_keywords_register - http_res_keywords_register - protocol_register - register_mux_proto - sample_register_convs - sample_register_fetches - srv_register_keywords - tcp_req_conn_keywords_register - tcp_req_cont_keywords_register - tcp_req_sess_keywords_register - tcp_res_cont_keywords_register - flt_register_keywords
2018-11-25 13:14:37 -05:00
INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
BUILD: check for libressl to be able to build against it [wt: might be worth backporting it to 1.6]
2015-11-06 14:02:41 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
static void ssl_sock_sctl_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
{
if (ptr) {
chunk_destroy(ptr);
free(ptr);
}
}
#endif
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
static void ssl_sock_capture_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
{
CLEANUP: pools: rename all pool functions and pointers to remove this "2" During the migration to the second version of the pools, the new functions and pool pointers were all called "pool_something2()" and "pool2_something". Now there's no more pool v1 code and it's a real pain to still have to deal with this. Let's clean this up now by removing the "2" everywhere, and by renaming the pool heads "pool_head_something".
2017-11-24 11:34:44 -05:00
pool_free(pool_head_ssl_capture, ptr);
BUG/MINOR: ssl: fix cipherlist captures with sustainable SSL calls Use SSL_set_ex_data/SSL_get_ex_data standard API call to store capture. We need to avoid internal structures/undocumented calls usage to try to control the beast and limit painful compatibilities.
2017-03-07 12:34:58 -05:00
}
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
__attribute__((constructor))
MEDIUM: ssl: move "server" keyword SSL options parsing to ssl_sock.c All SSL-specific "server" keywords are now processed in ssl_sock.c. At the moment, there is no more "not implemented" hint when SSL is disabled, but keywords could be added in server.c if needed.
2012-10-10 17:04:25 -04:00
static void __ssl_sock_init(void)
{
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
STACK_OF(SSL_COMP)* cm;
CLEANUP: ssl: move most ssl-specific global settings to ssl_sock.c Historically a lot of SSL global settings were stored into the global struct, but we've reached a point where there are 3 ifdefs in it just for this, and others in haproxy.c to initialize it. This patch moves all the private fields to a new struct "global_ssl" stored in ssl_sock.c. This includes : char *crt_base; char *ca_base; char *listen_default_ciphers; char *connect_default_ciphers; int listen_default_ssloptions; int connect_default_ssloptions; int tune.sslprivatecache; /* Force to use a private session cache even if nbproc > 1 */ unsigned int tune.ssllifetime; /* SSL session lifetime in seconds */ unsigned int tune.ssl_max_record; /* SSL max record size */ unsigned int tune.ssl_default_dh_param; /* SSL maximum DH parameter size */ int tune.ssl_ctx_cache; /* max number of entries in the ssl_ctx cache. */ The "tune" part was removed (useless here) and the occasional "ssl" prefixes were removed as well. Thus for example instead of global.tune.ssl_default_dh_param we now have : global_ssl.default_dh_param A few initializers were present in the constructor, they could be brought back to the structure declaration. A few other entries had to stay in global for now. They concern memory calculationn (used in haproxy.c) and stats (used in stats.c). The code is already much cleaner now, especially for global.h and haproxy.c which become readable.
2016-12-22 17:12:01 -05:00
if (global_ssl.listen_default_ciphers)
global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
if (global_ssl.connect_default_ciphers)
global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 OpenSSL released support for TLSv1.3. It also added a separate function SSL_CTX_set_ciphersuites that is used to set the ciphers used in the TLS 1.3 handshake. This change adds support for that new configuration option by adding a ciphersuites configuration variable that works essentially the same as the existing ciphers setting. Note that it should likely be backported to 1.8 in order to ease usage of the now released openssl-1.1.1.
2018-09-14 05:14:21 -04:00
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
if (global_ssl.listen_default_ciphersuites)
global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
if (global_ssl.connect_default_ciphersuites)
global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
#endif
MINOR: config: add global directives to set default SSL ciphers The ability to globally override the default client and server cipher suites has been requested multiple times since the introduction of SSL. This commit adds two new keywords to the global section for this : - ssl-default-bind-ciphers - ssl-default-server-ciphers It is still possible to preset them at build time by setting the macros LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.
2014-02-13 05:36:41 -05:00
MINOR: connection: add a minimal transport layer registration system There are still a lot of #ifdef USE_OPENSSL in the code (still 43 occurences) because we never know if we can directly access ssl_sock or not. This patch attacks the problem differently by providing a way for transport layers to register themselves and for users to retrieve the pointer. Unregistered transport layers will point to NULL so it will be easy to check if SSL is registered or not. The mechanism is very inexpensive as it relies on a two-entries array of pointers, so the performance will not be affected.
2016-12-22 14:25:26 -05:00
xprt_register(XPRT_SSL, &ssl_sock);
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#if OPENSSL_VERSION_NUMBER < 0x10100000L
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
SSL_library_init();
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#endif
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#if defined(USE_THREAD) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
ssl_locking_init();
#endif
BUILD: check for libressl to be able to build against it [wt: might be worth backporting it to 1.6]
2015-11-06 14:02:41 -05:00
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
MEDIUM: ssl: Certificate Transparency support Adds ability to include Signed Certificate Timestamp List in TLS extension. File containing SCTL must be present at the same path of the certificate file, suffixed with '.sctl'. This requires OpenSSL 1.0.2 or later.
2015-03-07 17:03:59 -05:00
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
#endif
BUG/MAJOR: ssl: OpenSSL context is stored in non-reserved memory slot We never saw unexplicated crash with SSL, so I suppose that we are luck, or the slot 0 is always reserved. Anyway the usage of the macro SSL_get_app_data() and SSL_set_app_data() seem wrong. This patch change the deprecated functions SSL_get_app_data() and SSL_set_app_data() by the new functions SSL_get_ex_data() and SSL_set_ex_data(), and it reserves the slot in the SSL memory space. For information, this is the two declaration which seems wrong or incomplete in the OpenSSL ssl.h file. We can see the usage of the slot 0 whoch is hardcoded, but never reserved. #define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg)) #define SSL_get_app_data(s) (SSL_get_ex_data(s,0)) This patch must be backported at least in 1.8, maybe in other versions.
2018-06-17 15:37:05 -04:00
ssl_app_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
BUG/MAJOR: ssl: Random crash with cipherlist capture The cipher list capture struct is stored in the SSL memory space, but the slot is reserved in the SSL_CTX memory space. This causes ramdom crashes. This patch should be backported to 1.8
2018-06-17 15:33:01 -04:00
ssl_capture_ptr_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_capture_free_func);
MINOR: ssl: add ssl_sock_get_pkey_algo function ssl_sock_get_pkey_algo can be used to report pkey algorithm to log and ppv2 (RSA2048, EC256,...). Extract pkey information is not free in ssl api (lock/alloc/free): haproxy can use the pkey information computed in load_certificate. Store and use this information in a SSL ex_data when available, compute it if not (SSL multicert bundled and generated cert).
2017-10-31 10:46:07 -04:00
ssl_pkey_info_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
ENGINE_load_builtin_engines();
MAJOR: ssl: add openssl async mode support ssl-mode-async is a global configuration parameter which enables asynchronous processing in OPENSSL for all SSL connections haproxy handles. With SSL_MODE_ASYNC set, TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. Currently async mode only supports one async-capable engine. This is the latest version of the patchset which includes Emeric's updates : - improved async fd cleaning when openssl reports an fd to delete - prevent conn_fd_handler from calling SSL_{read,write,handshake} until the async fd is ready, as these operations are very slow and waste CPU - postpone of SSL_free to ensure the async operation can complete and does not cause a dereference a released SSL. - proper removal of async fd from the fdtab and removal of the unused async flag.
2017-01-13 20:42:15 -05:00
hap_register_post_check(ssl_check_async_engine_count);
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
CLEANUP: ssl: move tlskeys_finalize_config() to a post_check callback tlskeys_finalize_config() was the only reason for haproxy.c to still require ifdef and includes for ssl_sock. This one fits perfectly well in the late initializers so it was changed to be registered with hap_register_post_check().
2016-12-22 16:46:15 -05:00
#if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
hap_register_post_check(tlskeys_finalize_config);
#endif
MINOR: global: report information about the cost of SSL connections An SSL connection takes some memory when it exists and during handshakes. We measured up to 16kB for an established endpoint, and up to 76 extra kB during a handshake. The SSL layer stores these values into the global struct during initialization. If other SSL libs are used, it's easy to change these values. Anyway they'll only be used as gross estimates in order to guess the max number of SSL conns that can be established when memory is constrained and the limit is not set.
2015-01-15 15:34:39 -05:00
MINOR: initcall: apply initcall to all register_build_opts() calls Most register_build_opts() calls use static strings. These ones were replaced with a trivial REGISTER_BUILD_OPTS() statement adding the string and its call to the STG_REGISTER section. A dedicated section could be made for this if needed, but there are very few such calls for this to be worth it. The calls made with computed strings however, like those which retrieve OpenSSL's version or zlib's version, were moved to a dedicated function to guarantee they are called late in the process. For example, the SSL call probably requires that SSL_library_init() has been called first.
2018-11-26 04:19:54 -05:00
global.ssl_session_max_cost = SSL_SESSION_MAX_COST;
global.ssl_handshake_max_cost = SSL_HANDSHAKE_MAX_COST;
#ifndef OPENSSL_NO_DH
ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
hap_register_post_deinit(ssl_free_dh);
#endif
#ifndef OPENSSL_NO_ENGINE
hap_register_post_deinit(ssl_free_engines);
#endif
/* Load SSL string for the verbose & debug mode. */
ERR_load_SSL_strings();
}
/* Compute and register the version string */
static void ssl_register_build_options()
{
char *ptr = NULL;
int i;
CLEANUP: ssl: use the build options list to report the SSL details This removes 7 #ifdef from haproxy.c. The message indicating that openssl is *not* enabled is not there anymore.
2016-12-21 13:23:20 -05:00
memprintf(&ptr, "Built with OpenSSL version : "
#ifdef OPENSSL_IS_BORINGSSL
MINOR: ssl: show methods supported by openssl TLS v1.3 incoming, SSLv3 will disappears: it could be useful to list all methods supported by haproxy/openssl (with -vvv).
2017-03-24 10:20:03 -04:00
"BoringSSL");
CLEANUP: ssl: use the build options list to report the SSL details This removes 7 #ifdef from haproxy.c. The message indicating that openssl is *not* enabled is not there anymore.
2016-12-21 13:23:20 -05:00
#else /* OPENSSL_IS_BORINGSSL */
OPENSSL_VERSION_TEXT
"\nRunning on OpenSSL version : %s%s",
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
OpenSSL_version(OPENSSL_VERSION),
((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
CLEANUP: ssl: use the build options list to report the SSL details This removes 7 #ifdef from haproxy.c. The message indicating that openssl is *not* enabled is not there anymore.
2016-12-21 13:23:20 -05:00
#endif
memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
#if OPENSSL_VERSION_NUMBER < 0x00907000L
"no (library version too old)"
#elif defined(OPENSSL_NO_TLSEXT)
"no (disabled via OPENSSL_NO_TLSEXT)"
#else
"yes"
#endif
"", ptr);
memprintf(&ptr, "%s\nOpenSSL library supports SNI : "
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
"yes"
#else
#ifdef OPENSSL_NO_TLSEXT
"no (because of OPENSSL_NO_TLSEXT)"
#else
"no (version might be too old, 0.9.8f min needed)"
#endif
MINOR: ssl: show methods supported by openssl TLS v1.3 incoming, SSLv3 will disappears: it could be useful to list all methods supported by haproxy/openssl (with -vvv).
2017-03-24 10:20:03 -04:00
#endif
"", ptr);
MINOR: ssl: remove an unecessary SSL_OP_NO_* dependancy Use methodVersions table to display "OpenSSL library supports".
2017-07-12 08:25:38 -04:00
memprintf(&ptr, "%s\nOpenSSL library supports :", ptr);
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (methodVersions[i].option)
memprintf(&ptr, "%s %s", ptr, methodVersions[i].name);
CLEANUP: ssl: use the build options list to report the SSL details This removes 7 #ifdef from haproxy.c. The message indicating that openssl is *not* enabled is not there anymore.
2016-12-21 13:23:20 -05:00
hap_register_build_opts(ptr, 1);
MINOR: initcall: apply initcall to all register_build_opts() calls Most register_build_opts() calls use static strings. These ones were replaced with a trivial REGISTER_BUILD_OPTS() statement adding the string and its call to the STG_REGISTER section. A dedicated section could be made for this if needed, but there are very few such calls for this to be worth it. The calls made with computed strings however, like those which retrieve OpenSSL's version or zlib's version, were moved to a dedicated function to guarantee they are called late in the process. For example, the SSL call probably requires that SSL_library_init() has been called first.
2018-11-26 04:19:54 -05:00
}
CLEANUP: ssl: use the build options list to report the SSL details This removes 7 #ifdef from haproxy.c. The message indicating that openssl is *not* enabled is not there anymore.
2016-12-21 13:23:20 -05:00
MINOR: initcall: apply initcall to all register_build_opts() calls Most register_build_opts() calls use static strings. These ones were replaced with a trivial REGISTER_BUILD_OPTS() statement adding the string and its call to the STG_REGISTER section. A dedicated section could be made for this if needed, but there are very few such calls for this to be worth it. The calls made with computed strings however, like those which retrieve OpenSSL's version or zlib's version, were moved to a dedicated function to guarantee they are called late in the process. For example, the SSL call probably requires that SSL_library_init() has been called first.
2018-11-26 04:19:54 -05:00
INITCALL0(STG_REGISTER, ssl_register_build_options);
BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten Herv Commowick reported that the logic used to avoid complaining about ssl-default-dh-param not being set when static DH params are present in the certificate file was clearly wrong when more than one sni_ctx is used. This patch stores whether static DH params are being used for each SSL_CTX individually, and does not overwrite the value of tune.ssl.default-dh-param.
2015-05-28 10:23:00 -04:00
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#ifndef OPENSSL_NO_ENGINE
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
void ssl_free_engines(void) {
struct ssl_engine_list *wl, *wlb;
/* free up engine list */
list_for_each_entry_safe(wl, wlb, &openssl_engines, list) {
ENGINE_finish(wl->e);
ENGINE_free(wl->e);
LIST_DEL(&wl->list);
free(wl);
}
}
BUILD: ssl: fix build with OPENSSL_NO_ENGINE Build is broken with openssl library without support of engin (like boringssl). Add OPENSSL_NO_ENGINE flag to fix that.
2017-05-29 08:36:20 -04:00
#endif
MEDIUM: ssl: Add options to forge SSL certificates With this patch, it is possible to configure HAProxy to forge the SSL certificate sent to a client using the SNI servername. We do it in the SNI callback. To enable this feature, you must pass following BIND options: * ca-sign-file <FILE> : This is the PEM file containing the CA certitifacte and the CA private key to create and sign server's certificates. * (optionally) ca-sign-pass <PASS>: This is the CA private key passphrase, if any. * generate-certificates: Enable the dynamic generation of certificates for a listener. Because generating certificates is expensive, there is a LRU cache to store them. Its size can be customized by setting the global parameter 'tune.ssl.ssl-ctx-cache-size'.
2015-06-09 11:29:50 -04:00
MINOR: ssl: add a destructor to free allocated SSL ressources Using valgrind or another memory leak tracking tool is easier when the memory internally allocated by OpenSSL is cleanly released at shutdown.
2015-05-28 10:39:47 -04:00
#ifndef OPENSSL_NO_DH
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
void ssl_free_dh(void) {
if (local_dh_1024) {
DH_free(local_dh_1024);
local_dh_1024 = NULL;
}
if (local_dh_2048) {
DH_free(local_dh_2048);
local_dh_2048 = NULL;
}
if (local_dh_4096) {
DH_free(local_dh_4096);
local_dh_4096 = NULL;
}
MEDIUM: ssl: add the possibility to use a global DH parameters file This patch adds the ssl-dh-param-file global setting. It sets the default DH parameters that will be used during the SSL/TLS handshake when ephemeral Diffie-Hellman (DHE) key exchange is used, for all "bind" lines which do not explicitely define theirs.
2015-05-29 09:53:22 -04:00
if (global_dh) {
DH_free(global_dh);
global_dh = NULL;
}
MEDIUM: ssl: add basic support for OpenSSL crypto engine This patch adds the global 'ssl-engine' keyword. First arg is an engine identifier followed by a list of default_algorithms the engine will operate. If the openssl version is too old, an error is reported when the option is used.
2017-01-20 20:10:18 -05:00
}
#endif
__attribute__((destructor))
static void __ssl_sock_deinit(void)
{
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
if (ssl_ctx_lru_tree) {
lru64_destroy(ssl_ctx_lru_tree);
BUILD: threads: Rename SPIN/RWLOCK macros using HA_ prefix This remove any name conflicts, especially on Solaris.
2017-11-07 04:42:54 -05:00
HA_RWLOCK_DESTROY(&ssl_ctx_lru_rwlock);
MAJOR: threads/ssl: Make SSL part thread-safe First, OpenSSL is now initialized to be thread-safe. This is done by setting 2 callbacks. The first one is ssl_locking_function. It handles the locks and unlocks. The second one is ssl_id_function. It returns the current thread id. During the init step, we create as much as R/W locks as needed, ie the number returned by CRYPTO_num_locks function. Next, The reusable SSL session in the server context is now thread-local. Shctx is now also initialized if HAProxy is started with several threads. And finally, a global lock has been added to protect the LRU cache used to store generated certificates. The function ssl_sock_get_generated_cert is now deprecated because the retrieved certificate can be removed by another threads in same time. Instead, a new function has been added, ssl_sock_assign_generated_cert. It must be used to search a certificate in the cache and set it immediatly if found.
2017-06-15 10:37:39 -04:00
}
MINOR: ssl: add a destructor to free allocated SSL ressources Using valgrind or another memory leak tracking tool is easier when the memory internally allocated by OpenSSL is cleanly released at shutdown.
2015-05-28 10:39:47 -04:00
#endif
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
MINOR: ssl: add a destructor to free allocated SSL ressources Using valgrind or another memory leak tracking tool is easier when the memory internally allocated by OpenSSL is cleanly released at shutdown.
2015-05-28 10:39:47 -04:00
ERR_remove_state(0);
ERR_free_strings();
EVP_cleanup();
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#endif
MINOR: ssl: add a destructor to free allocated SSL ressources Using valgrind or another memory leak tracking tool is easier when the memory internally allocated by OpenSSL is cleanly released at shutdown.
2015-05-28 10:39:47 -04:00
BUILD: ssl: Fix compilation without deprecated OpenSSL 1.1 APIs Removing deprecated APIs is an optional part of OpenWrt's build system to save some space on embedded devices. Also added compatibility for LibreSSL. Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-14 11:47:02 -05:00
#if ((OPENSSL_VERSION_NUMBER >= 0x00907000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)) || defined(LIBRESSL_VERSION_NUMBER)
MINOR: ssl: add a destructor to free allocated SSL ressources Using valgrind or another memory leak tracking tool is easier when the memory internally allocated by OpenSSL is cleanly released at shutdown.
2015-05-28 10:39:47 -04:00
CRYPTO_cleanup_all_ex_data();
#endif
}
MEDIUM: ssl: add new files ssl_sock.[ch] to provide the SSL data layer This data layer supports socket-to-buffer and buffer-to-socket operations. No sock-to-pipe nor pipe-to-sock functions are provided, since splicing does not provide any benefit with data transformation. At best it could save a memcpy() and avoid keeping a buffer allocated but that does not seem very useful. An init function and a close function are provided because the SSL context needs to be allocated/freed. A data-layer shutw() function is also provided because upon successful shutdown, we want to store the SSL context in the cache in order to reuse it for future connections and avoid a new key generation. The handshake function is directly called from the connection handler. At this point it is not certain whether this will remain this way or if a new ->handshake callback will be added to the data layer so that the connection handler doesn't care about SSL. The sock-to-buf and buf-to-sock functions are all capable of enabling the SSL handshake at any time. This also implies polling in the opposite direction to what was expected. The upper layers must take that into account (it is OK right now with the stream interface).
2012-05-18 09:47:34 -04:00
/*
* Local variables:
* c-indent-level: 8
* c-basic-offset: 8
* End:
*/
Reference in a new issue Copy permalink