MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size

Deprecate tune.ssl.capture-cipherlist-size in favor of
tune.ssl.capture-buffer-size which better describes the purpose of the
setting.
Marcin Deranek 2021-07-13 19:04:24 +02:00 committed by Willy Tarreau
parent da0264a968
commit 310a260e4a
22 changed files with 55 additions and 48 deletions


@ -1,7 +1,7 @@
global
log stdout local0
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
defaults
mode http


@ -1110,7 +1110,8 @@ The following keywords are supported in the "global" section :
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.ssl.capture-buffer-size
- tune.ssl.capture-cipherlist-size (deprecated)
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
@ -2805,7 +2806,8 @@ tune.ssl.ssl-ctx-cache-size <number>
dynamically is expensive, they are cached. The default cache size is set to
1000 entries.
tune.ssl.capture-cipherlist-size <number>
tune.ssl.capture-buffer-size <number>
tune.ssl.capture-cipherlist-size <number> (deprecated)
Sets the maximum size of the buffer used for capturing client hello cipher
list, extensions list, elliptic curves list and elliptic curve point
formats. If the value is 0 (default value) the capture is disabled,
@ -18905,7 +18907,7 @@ ssl_fc_cipher : string
ssl_fc_cipherlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
@ -18924,16 +18926,15 @@ ssl_fc_cipherlist_bin([<filter_option>]) : binary
ssl_fc_cipherlist_hex([<filter_option>]) : string
Returns the binary form of the client hello cipher list encoded as
hexadecimal. The maximum returned value length is limited by the shared
capture buffer size controlled by "tune.ssl.capture-cipherlist-size"
setting. Setting <filter_option> allows to filter returned data. Accepted
values:
capture buffer size controlled by "tune.ssl.capture-buffer-size" setting.
Setting <filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
ssl_fc_cipherlist_str([<filter_option>]) : string
Returns the decoded text form of the client hello cipher list. The maximum
returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of ciphers (default)
1 : exclude GREASE (RFC8701) values from the output
@ -18943,13 +18944,13 @@ ssl_fc_cipherlist_str([<filter_option>]) : string
ssl_fc_cipherlist_xxh : integer
Returns a xxh64 of the cipher list. This hash can return only if the value
"tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash
take into account all the data of the cipher list.
"tune.ssl.capture-buffer-size" is set greater than 0, however the hash take
into account all the data of the cipher list.
ssl_fc_ecformats_bin : binary
Return the binary form of the client hello supported elliptic curve point
formats. The maximum returned value length is limited by the shared capture
buffer size controlled by "tune.ssl.capture-cipherlist-size" setting.
buffer size controlled by "tune.ssl.capture-buffer-size" setting.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\
@ -18965,7 +18966,7 @@ ssl_fc_ecformats_bin : binary
ssl_fc_eclist_bin([<filter_option>]) : binary
Returns the binary form of the client hello supported elliptic curves. The
maximum returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of supported elliptic curves (default)
1 : exclude GREASE (RFC8701) values from the output
@ -18984,7 +18985,7 @@ ssl_fc_eclist_bin([<filter_option>]) : binary
ssl_fc_extlist_bin([<filter_option>]) : binary
Returns the binary form of the client hello extension list. The maximum
returned value length is limited by the shared capture buffer size
controlled by "tune.ssl.capture-cipherlist-size" setting. Setting
controlled by "tune.ssl.capture-buffer-size" setting. Setting
<filter_option> allows to filter returned data. Accepted values:
0 : return the full list of extensions (default)
1 : exclude GREASE (RFC8701) values from the output
@ -19111,8 +19112,8 @@ ssl_fc_protocol : string
ssl_fc_protocol_hello_id : integer
The version of the TLS protocol by which the client wishes to communicate
during the session as indicated in client hello message. This value can
return only if the value "tune.ssl.capture-cipherlist-size" is set greater
than 0.
return only if the value "tune.ssl.capture-buffer-size" is set greater than
0.
Example:
http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\


@ -276,7 +276,7 @@ struct global_ssl {
unsigned int max_record; /* SSL max record size */
unsigned int default_dh_param; /* SSL maximum DH parameter size */
int ctx_cache; /* max number of entries in the ssl_ctx cache. */
int capture_cipherlist; /* Size of the cipherlist buffer. */
int capture_buffer_size; /* Size of the capture buffer. */
int keylog; /* activate keylog */
int extra_files; /* which files not defined in the configuration file are we looking for */
int extra_files_noext; /* whether we remove the extension when looking up a extra file */
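Review bot: The renamed field's comment `/* Size of the capture buffer. */` no longer says what the buffer holds or that zero disables capture, both of which the rest of this commit relies on (the doc hunk lists the cipher list, extension list, elliptic curves and EC point formats as sharing it, and ssl_sock.c only registers the client-hello callback when the size is > 0). Suggest `int capture_buffer_size; /* Size of the shared client-hello capture buffer (ciphers, extensions, curves, EC point formats); 0 disables capture. */`. The struct global_ssl definition starts and ends outside the hunk.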


@ -24,7 +24,7 @@ server s1 -repeat 2 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin


@ -22,7 +22,7 @@ server s1 -repeat 2 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin


@ -22,7 +22,7 @@ server s1 -repeat 2 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}


@ -22,7 +22,7 @@ server s1 -repeat 3 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}


@ -28,7 +28,7 @@ server s1 -repeat 4 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults


@ -33,7 +33,7 @@ server s1 -repeat 9 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}


@ -28,7 +28,7 @@ server s1 -repeat 9 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}


@ -25,7 +25,7 @@ server s1 -repeat 3 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
ssl-load-extra-del-ext
stats socket "${tmpdir}/h1/stats" level admin


@ -31,7 +31,7 @@ server s1 -repeat 4 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults


@ -17,7 +17,7 @@ server s1 -repeat 4 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
nbthread 1


@ -27,7 +27,7 @@ feature ignore_unknown_macro
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults


@ -13,7 +13,7 @@ server s1 -repeat 3 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults


@ -23,7 +23,7 @@ server s1 -repeat 7 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
crt-base ${testdir}
ca-base ${testdir}


@ -106,7 +106,7 @@ syslog Slg_logconnerror -level info {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
stats socket "${tmpdir}/h1/stats" level admin
defaults


@ -12,7 +12,7 @@ server s1 -repeat 3 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
crt-base ${testdir}
defaults


@ -13,7 +13,7 @@ server s1 -repeat 3 {
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
crt-base ${testdir}
stats socket "${tmpdir}/h1/stats" level admin


@ -25,7 +25,7 @@ feature ignore_unknown_macro
haproxy h1 -conf {
global
tune.ssl.default-dh-param 2048
tune.ssl.capture-cipherlist-size 1
tune.ssl.capture-buffer-size 1
listen frt
mode http


@ -272,8 +272,13 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur
target = &global_ssl.ctx_cache;
else if (strcmp(args[0], "maxsslconn") == 0)
target = &global.maxsslconn;
else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0)
target = &global_ssl.capture_cipherlist;
else if (strcmp(args[0], "tune.ssl.capture-buffer-size") == 0)
target = &global_ssl.capture_buffer_size;
else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) {
target = &global_ssl.capture_buffer_size;
ha_warning("parsing [%s:%d]: '%s' is deprecated and will be removed in version 2.7. Please use 'tune.ssl.capture-buffer-size' instead.\n",
file, line, args[0]);
}
else {
memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]);
return -1;
@ -295,9 +300,9 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur
return 0;
}
static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
static int ssl_parse_global_capture_buffer(char **args, int section_type, struct proxy *curpx,
const struct proxy *defpx, const char *file, int line,
char **err)
{
int ret;
@ -310,7 +315,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st
return -1;
}
pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED);
pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_buffer_size, MEM_F_SHARED);
if (!pool_head_ssl_capture) {
memprintf(err, "Out of memory error.");
return -1;
@ -1946,7 +1951,8 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime },
{ CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int },
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.capture-buffer-size", ssl_parse_global_capture_buffer },
{ CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
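Review bot: Both `tune.ssl.capture-buffer-size` and the deprecated `tune.ssl.capture-cipherlist-size` now map to `ssl_parse_global_capture_buffer` in the cfg_kws table and write the same `global_ssl.capture_buffer_size`, so a configuration that carries both keywords (plausible while operators migrate) runs the `create_pool("ssl-capture", ...)` call in the third hunk twice; unless the lines cut from that hunk already check `pool_head_ssl_capture`, the second call replaces the pool pointer that was sized for the earlier value and the later keyword silently wins. Consider rejecting the duplicate before creating the pool, e.g. `if (pool_head_ssl_capture) { memprintf(err, "'%s' is already set (possibly via its deprecated alias).", args[0]); return -1; }`, or stating in the keyword's documentation that the last occurrence wins. The body of ssl_parse_global_capture_buffer continues outside the hunk.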


@ -124,7 +124,7 @@ struct global_ssl global_ssl = {
#endif
.default_dh_param = SSL_DEFAULT_DH_PARAM,
.ctx_cache = DEFAULT_SSL_CTX_CACHE,
.capture_cipherlist = 0,
.capture_buffer_size = 0,
.extra_files = SSL_GF_ALL,
.extra_files_noext = 0,
#ifdef HAVE_SSL_KEYLOG
@ -556,7 +556,7 @@ static int ssl_sock_register_msg_callbacks(void)
if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat))
return ERR_ABORT;
#endif
if (global_ssl.capture_cipherlist > 0) {
if (global_ssl.capture_buffer_size > 0) {
if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello))
return ERR_ABORT;
}
@ -1795,7 +1795,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
capture->xxh64 = XXH64(msg, rec_len, 0);
/* Capture the ciphersuite. */
capture->ciphersuite_len = MIN(global_ssl.capture_cipherlist, rec_len);
capture->ciphersuite_len = MIN(global_ssl.capture_buffer_size, rec_len);
capture->ciphersuite_offset = 0;
memcpy(capture->data, msg, capture->ciphersuite_len);
msg += rec_len;
@ -1827,7 +1827,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
/* Parse each extension */
while (msg + 4 < extensions_end) {
/* Add 2 bytes of extension_id */
if (global_ssl.capture_cipherlist >= offset + 2) {
if (global_ssl.capture_buffer_size >= offset + 2) {
capture->data[offset++] = msg[0];
capture->data[offset++] = msg[1];
capture->extensions_len += 2;
@ -1880,8 +1880,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
if (ec_start) {
rec_len = ec_len;
if (offset + rec_len > global_ssl.capture_cipherlist)
rec_len = global_ssl.capture_cipherlist - offset;
if (offset + rec_len > global_ssl.capture_buffer_size)
rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_start, rec_len);
capture->ec_offset = offset;
capture->ec_len = rec_len;
@ -1889,8 +1889,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int
}
if (ec_formats_start) {
rec_len = ec_formats_len;
if (offset + rec_len > global_ssl.capture_cipherlist)
rec_len = global_ssl.capture_cipherlist - offset;
if (offset + rec_len > global_ssl.capture_buffer_size)
rec_len = global_ssl.capture_buffer_size - offset;
memcpy(capture->data + offset, ec_formats_start, rec_len);
capture->ec_formats_offset = offset;
capture->ec_formats_len = rec_len;
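Review bot: The clamps `rec_len = global_ssl.capture_buffer_size - offset;` in the two elliptic-curve hunks only keep the following memcpy in bounds while `offset <= global_ssl.capture_buffer_size`; the extension loop earlier in the function advances offset only when `global_ssl.capture_buffer_size >= offset + 2`, which suggests the invariant holds, but it stays implicit even though this commit rewrites every one of these comparisons. A guard such as `if (offset >= global_ssl.capture_buffer_size) rec_len = 0; else if (offset + rec_len > global_ssl.capture_buffer_size) rec_len = global_ssl.capture_buffer_size - offset;` in both places would make the bound explicit and keep a negative (or, if rec_len is unsigned, wrapped) length from ever reaching memcpy. ssl_sock_parse_clienthello starts and ends outside these hunks.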