From 310a260e4a1cec902746a5e8d85dbe6a9bf6d0c6 Mon Sep 17 00:00:00 2001 From: Marcin Deranek Date: Tue, 13 Jul 2021 19:04:24 +0200 Subject: [PATCH] MEDIUM: config: Deprecate tune.ssl.capture-cipherlist-size Deprecate tune.ssl.capture-cipherlist-size in favor of tune.ssl.capture-buffer-size which better describes the purpose of the setting. --- .github/h2spec.config | 2 +- doc/configuration.txt | 29 +++++++++++++------------ include/haproxy/ssl_sock-t.h | 2 +- reg-tests/ssl/add_ssl_crt-list.vtc | 2 +- reg-tests/ssl/del_ssl_crt-list.vtc | 2 +- reg-tests/ssl/new_del_ssl_cafile.vtc | 2 +- reg-tests/ssl/new_del_ssl_crlfile.vtc | 2 +- reg-tests/ssl/set_ssl_cafile.vtc | 2 +- reg-tests/ssl/set_ssl_cert.vtc | 2 +- reg-tests/ssl/set_ssl_cert_bundle.vtc | 2 +- reg-tests/ssl/set_ssl_cert_noext.vtc | 2 +- reg-tests/ssl/set_ssl_crlfile.vtc | 2 +- reg-tests/ssl/set_ssl_server_cert.vtc | 2 +- reg-tests/ssl/show_ssl_ocspresponse.vtc | 2 +- reg-tests/ssl/ssl_client_samples.vtc | 2 +- reg-tests/ssl/ssl_default_server.vtc | 2 +- reg-tests/ssl/ssl_errors.vtc | 2 +- reg-tests/ssl/ssl_frontend_samples.vtc | 2 +- reg-tests/ssl/ssl_server_samples.vtc | 2 +- reg-tests/ssl/wrong_ctx_storage.vtc | 2 +- src/cfgparse-ssl.c | 20 +++++++++++------ src/ssl_sock.c | 16 +++++++------- 22 files changed, 55 insertions(+), 48 deletions(-) diff --git a/.github/h2spec.config b/.github/h2spec.config index a7b34ce80..745a637e1 100644 --- a/.github/h2spec.config +++ b/.github/h2spec.config @@ -1,7 +1,7 @@ global log stdout local0 tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 defaults mode http diff --git a/doc/configuration.txt b/doc/configuration.txt index 9c1e2b229..bac18ab35 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -1110,7 +1110,8 @@ The following keywords are supported in the "global" section : - tune.ssl.maxrecord - tune.ssl.default-dh-param - tune.ssl.ssl-ctx-cache-size - - tune.ssl.capture-cipherlist-size + - tune.ssl.capture-buffer-size + - tune.ssl.capture-cipherlist-size (deprecated) - tune.vars.global-max-size - tune.vars.proc-max-size - tune.vars.reqres-max-size @@ -2805,7 +2806,8 @@ tune.ssl.ssl-ctx-cache-size dynamically is expensive, they are cached. The default cache size is set to 1000 entries. -tune.ssl.capture-cipherlist-size +tune.ssl.capture-buffer-size +tune.ssl.capture-cipherlist-size (deprecated) Sets the maximum size of the buffer used for capturing client hello cipher list, extensions list, elliptic curves list and elliptic curve point formats. If the value is 0 (default value) the capture is disabled, @@ -18905,7 +18907,7 @@ ssl_fc_cipher : string ssl_fc_cipherlist_bin([]) : binary Returns the binary form of the client hello cipher list. The maximum returned value length is limited by the shared capture buffer size - controlled by "tune.ssl.capture-cipherlist-size" setting. Setting + controlled by "tune.ssl.capture-buffer-size" setting. Setting allows to filter returned data. Accepted values: 0 : return the full list of ciphers (default) 1 : exclude GREASE (RFC8701) values from the output 
@@ -18924,16 +18926,15 @@ ssl_fc_cipherlist_bin([]) : binary ssl_fc_cipherlist_hex([]) : string Returns the binary form of the client hello cipher list encoded as hexadecimal. The maximum returned value length is limited by the shared - capture buffer size controlled by "tune.ssl.capture-cipherlist-size" - setting. Setting allows to filter returned data. Accepted - values: + capture buffer size controlled by "tune.ssl.capture-buffer-size" setting. + Setting allows to filter returned data. Accepted values: 0 : return the full list of ciphers (default) 1 : exclude GREASE (RFC8701) values from the output ssl_fc_cipherlist_str([]) : string Returns the decoded text form of the client hello cipher list. The maximum returned value length is limited by the shared capture buffer size - controlled by "tune.ssl.capture-cipherlist-size" setting. Setting + controlled by "tune.ssl.capture-buffer-size" setting. Setting allows to filter returned data. Accepted values: 0 : return the full list of ciphers (default) 1 : exclude GREASE (RFC8701) values from the output @@ -18943,13 +18944,13 @@ ssl_fc_cipherlist_str([]) : string ssl_fc_cipherlist_xxh : integer Returns a xxh64 of the cipher list. This hash can return only if the value - "tune.ssl.capture-cipherlist-size" is set greater than 0, however the hash - take into account all the data of the cipher list. + "tune.ssl.capture-buffer-size" is set greater than 0, however the hash take + into account all the data of the cipher list. ssl_fc_ecformats_bin : binary Return the binary form of the client hello supported elliptic curve point formats. The maximum returned value length is limited by the shared capture - buffer size controlled by "tune.ssl.capture-cipherlist-size" setting. + buffer size controlled by "tune.ssl.capture-buffer-size" setting. Example: http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ 
@@ -18965,7 +18966,7 @@ ssl_fc_ecformats_bin : binary ssl_fc_eclist_bin([]) : binary Returns the binary form of the client hello supported elliptic curves. The maximum returned value length is limited by the shared capture buffer size - controlled by "tune.ssl.capture-cipherlist-size" setting. Setting + controlled by "tune.ssl.capture-buffer-size" setting. Setting allows to filter returned data. Accepted values: 0 : return the full list of supported elliptic curves (default) 1 : exclude GREASE (RFC8701) values from the output @@ -18984,7 +18985,7 @@ ssl_fc_eclist_bin([]) : binary ssl_fc_extlist_bin([]) : binary Returns the binary form of the client hello extension list. The maximum returned value length is limited by the shared capture buffer size - controlled by "tune.ssl.capture-cipherlist-size" setting. Setting + controlled by "tune.ssl.capture-buffer-size" setting. Setting allows to filter returned data. Accepted values: 0 : return the full list of extensions (default) 1 : exclude GREASE (RFC8701) values from the output @@ -19111,8 +19112,8 @@ ssl_fc_protocol : string ssl_fc_protocol_hello_id : integer The version of the TLS protocol by which the client wishes to communicate during the session as indicated in client hello message. This value can - return only if the value "tune.ssl.capture-cipherlist-size" is set greater - than 0. + return only if the value "tune.ssl.capture-buffer-size" is set greater than + 0. Example: http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],\ diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h index 321d7b7ed..f3ed90982 100644 --- a/include/haproxy/ssl_sock-t.h +++ b/include/haproxy/ssl_sock-t.h 
@@ -276,7 +276,7 @@ struct global_ssl { unsigned int max_record; /* SSL max record size */ unsigned int default_dh_param; /* SSL maximum DH parameter size */ int ctx_cache; /* max number of entries in the ssl_ctx cache. */ - int capture_cipherlist; /* Size of the cipherlist buffer. */ + int capture_buffer_size; /* Size of the capture buffer. */ int keylog; /* activate keylog */ int extra_files; /* which files not defined in the configuration file are we looking for */ int extra_files_noext; /* whether we remove the extension when looking up a extra file */ diff --git a/reg-tests/ssl/add_ssl_crt-list.vtc b/reg-tests/ssl/add_ssl_crt-list.vtc index 7aae2338a..d3f8d7599 100644 --- a/reg-tests/ssl/add_ssl_crt-list.vtc +++ b/reg-tests/ssl/add_ssl_crt-list.vtc @@ -24,7 +24,7 @@ server s1 -repeat 2 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 crt-base ${testdir} stats socket "${tmpdir}/h1/stats" level admin diff --git a/reg-tests/ssl/del_ssl_crt-list.vtc b/reg-tests/ssl/del_ssl_crt-list.vtc index 4bf89f9cc..4815e2de7 100644 --- a/reg-tests/ssl/del_ssl_crt-list.vtc +++ b/reg-tests/ssl/del_ssl_crt-list.vtc @@ -22,7 +22,7 @@ server s1 -repeat 2 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 crt-base ${testdir} stats socket "${tmpdir}/h1/stats" level admin diff --git a/reg-tests/ssl/new_del_ssl_cafile.vtc b/reg-tests/ssl/new_del_ssl_cafile.vtc index 1b5bef1a4..b6cbc2064 100644 --- a/reg-tests/ssl/new_del_ssl_cafile.vtc +++ b/reg-tests/ssl/new_del_ssl_cafile.vtc @@ -22,7 +22,7 @@ server s1 -repeat 2 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} diff --git a/reg-tests/ssl/new_del_ssl_crlfile.vtc b/reg-tests/ssl/new_del_ssl_crlfile.vtc index 54bbdc239..7330163c0 100644 
--- a/reg-tests/ssl/new_del_ssl_crlfile.vtc +++ b/reg-tests/ssl/new_del_ssl_crlfile.vtc @@ -22,7 +22,7 @@ server s1 -repeat 3 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} diff --git a/reg-tests/ssl/set_ssl_cafile.vtc b/reg-tests/ssl/set_ssl_cafile.vtc index 72ce3e6dc..0b5c3bac6 100644 --- a/reg-tests/ssl/set_ssl_cafile.vtc +++ b/reg-tests/ssl/set_ssl_cafile.vtc @@ -28,7 +28,7 @@ server s1 -repeat 4 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin defaults diff --git a/reg-tests/ssl/set_ssl_cert.vtc b/reg-tests/ssl/set_ssl_cert.vtc index 85684bc3e..6938b20d9 100644 --- a/reg-tests/ssl/set_ssl_cert.vtc +++ b/reg-tests/ssl/set_ssl_cert.vtc @@ -33,7 +33,7 @@ server s1 -repeat 9 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} diff --git a/reg-tests/ssl/set_ssl_cert_bundle.vtc b/reg-tests/ssl/set_ssl_cert_bundle.vtc index 218f7bfb4..11abdafdd 100644 --- a/reg-tests/ssl/set_ssl_cert_bundle.vtc +++ b/reg-tests/ssl/set_ssl_cert_bundle.vtc @@ -28,7 +28,7 @@ server s1 -repeat 9 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} diff --git a/reg-tests/ssl/set_ssl_cert_noext.vtc b/reg-tests/ssl/set_ssl_cert_noext.vtc index b7bafa8a3..0947fe012 100644 --- a/reg-tests/ssl/set_ssl_cert_noext.vtc +++ b/reg-tests/ssl/set_ssl_cert_noext.vtc 
@@ -25,7 +25,7 @@ server s1 -repeat 3 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 ssl-load-extra-del-ext stats socket "${tmpdir}/h1/stats" level admin diff --git a/reg-tests/ssl/set_ssl_crlfile.vtc b/reg-tests/ssl/set_ssl_crlfile.vtc index f6d97ce6b..ce83ff771 100644 --- a/reg-tests/ssl/set_ssl_crlfile.vtc +++ b/reg-tests/ssl/set_ssl_crlfile.vtc @@ -31,7 +31,7 @@ server s1 -repeat 4 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin defaults diff --git a/reg-tests/ssl/set_ssl_server_cert.vtc b/reg-tests/ssl/set_ssl_server_cert.vtc index 3fccaa65c..880e7b0c9 100644 --- a/reg-tests/ssl/set_ssl_server_cert.vtc +++ b/reg-tests/ssl/set_ssl_server_cert.vtc @@ -17,7 +17,7 @@ server s1 -repeat 4 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin nbthread 1 diff --git a/reg-tests/ssl/show_ssl_ocspresponse.vtc b/reg-tests/ssl/show_ssl_ocspresponse.vtc index 387f36a2f..d2a934576 100644 --- a/reg-tests/ssl/show_ssl_ocspresponse.vtc +++ b/reg-tests/ssl/show_ssl_ocspresponse.vtc @@ -27,7 +27,7 @@ feature ignore_unknown_macro haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin defaults diff --git a/reg-tests/ssl/ssl_client_samples.vtc b/reg-tests/ssl/ssl_client_samples.vtc index 83662be6d..2b6fd5b0b 100644 --- a/reg-tests/ssl/ssl_client_samples.vtc +++ b/reg-tests/ssl/ssl_client_samples.vtc @@ -13,7 +13,7 @@ server s1 -repeat 3 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 crt-base ${testdir} defaults 
diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc index 607225d51..32179b1f6 100644 --- a/reg-tests/ssl/ssl_default_server.vtc +++ b/reg-tests/ssl/ssl_default_server.vtc @@ -23,7 +23,7 @@ server s1 -repeat 7 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin crt-base ${testdir} ca-base ${testdir} diff --git a/reg-tests/ssl/ssl_errors.vtc b/reg-tests/ssl/ssl_errors.vtc index 0d652d4a0..d8fea4321 100644 --- a/reg-tests/ssl/ssl_errors.vtc +++ b/reg-tests/ssl/ssl_errors.vtc @@ -106,7 +106,7 @@ syslog Slg_logconnerror -level info { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 stats socket "${tmpdir}/h1/stats" level admin defaults diff --git a/reg-tests/ssl/ssl_frontend_samples.vtc b/reg-tests/ssl/ssl_frontend_samples.vtc index bca085674..92eec6ac1 100644 --- a/reg-tests/ssl/ssl_frontend_samples.vtc +++ b/reg-tests/ssl/ssl_frontend_samples.vtc @@ -12,7 +12,7 @@ server s1 -repeat 3 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 crt-base ${testdir} defaults diff --git a/reg-tests/ssl/ssl_server_samples.vtc b/reg-tests/ssl/ssl_server_samples.vtc index 136ccafa4..17b1bc438 100644 --- a/reg-tests/ssl/ssl_server_samples.vtc +++ b/reg-tests/ssl/ssl_server_samples.vtc @@ -13,7 +13,7 @@ server s1 -repeat 3 { haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 crt-base ${testdir} stats socket "${tmpdir}/h1/stats" level admin diff --git a/reg-tests/ssl/wrong_ctx_storage.vtc b/reg-tests/ssl/wrong_ctx_storage.vtc index 7dc7528a5..c6cb19ad5 100644 --- a/reg-tests/ssl/wrong_ctx_storage.vtc +++ b/reg-tests/ssl/wrong_ctx_storage.vtc 
@@ -25,7 +25,7 @@ feature ignore_unknown_macro haproxy h1 -conf { global tune.ssl.default-dh-param 2048 - tune.ssl.capture-cipherlist-size 1 + tune.ssl.capture-buffer-size 1 listen frt mode http diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index 6df5911eb..0ca8cab31 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c @@ -272,8 +272,13 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur target = &global_ssl.ctx_cache; else if (strcmp(args[0], "maxsslconn") == 0) target = &global.maxsslconn; - else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) - target = &global_ssl.capture_cipherlist; + else if (strcmp(args[0], "tune.ssl.capture-buffer-size") == 0) + target = &global_ssl.capture_buffer_size; + else if (strcmp(args[0], "tune.ssl.capture-cipherlist-size") == 0) { + target = &global_ssl.capture_buffer_size; + ha_warning("parsing [%s:%d]: '%s' is deprecated and will be removed in version 2.7. Please use 'tune.ssl.capture-buffer-size' instead.\n", + file, line, args[0]); + } else { memprintf(err, "'%s' keyword not unhandled (please report this bug).", args[0]); return -1; @@ -295,9 +300,9 @@ static int ssl_parse_global_int(char **args, int section_type, struct proxy *cur return 0; } -static int ssl_parse_global_capture_cipherlist(char **args, int section_type, struct proxy *curpx, - const struct proxy *defpx, const char *file, int line, - char **err) +static int ssl_parse_global_capture_buffer(char **args, int section_type, struct proxy *curpx, + const struct proxy *defpx, const char *file, int line, + char **err) { int ret; 
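Review bot: The deprecation notice in the new `tune.ssl.capture-cipherlist-size` branch of ssl_parse_global_int() is emitted with ha_warning() directly, while every other diagnostic in this function is handed back through `memprintf(err, ...)` and a return code, so this is the one message the caller can neither format nor suppress. That is probably deliberate — if ssl_parse_global_capture_buffer() returns early on a non-zero result, signalling the warning through the return code would skip the pool creation — but the reason is not stated; a one-line comment such as `/* warn here rather than via err: a non-zero return would abort the wrapper's pool setup */` would keep the next maintainer from "fixing" it. Two smaller consistency points: the format string uses `parsing [%s:%d]:` whereas the parser's other messages appear to use `parsing [%s:%d] : ` with a space before the colon, and because both keywords now write the same `capture_buffer_size`, a configuration that carries both spellings during migration will hit whatever duplicate handling the wrapper applies, which deserves a sentence in the keyword documentation. ssl_parse_global_int() begins before this hunk.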
@@ -310,7 +315,7 @@ static int ssl_parse_global_capture_cipherlist(char **args, int section_type, st return -1; } - pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_cipherlist, MEM_F_SHARED); + pool_head_ssl_capture = create_pool("ssl-capture", sizeof(struct ssl_capture) + global_ssl.capture_buffer_size, MEM_F_SHARED); if (!pool_head_ssl_capture) { memprintf(err, "Out of memory error."); return -1; @@ -1946,7 +1951,8 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "tune.ssl.lifetime", ssl_parse_global_lifetime }, { CFG_GLOBAL, "tune.ssl.maxrecord", ssl_parse_global_int }, { CFG_GLOBAL, "tune.ssl.ssl-ctx-cache-size", ssl_parse_global_int }, - { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, + { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_buffer }, + { CFG_GLOBAL, "tune.ssl.capture-buffer-size", ssl_parse_global_capture_buffer }, { CFG_GLOBAL, "tune.ssl.keylog", ssl_parse_global_keylog }, { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b8914a78d..ae30c2cb4 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -124,7 +124,7 @@ struct global_ssl global_ssl = { #endif .default_dh_param = SSL_DEFAULT_DH_PARAM, .ctx_cache = DEFAULT_SSL_CTX_CACHE, - .capture_cipherlist = 0, + .capture_buffer_size = 0, .extra_files = SSL_GF_ALL, .extra_files_noext = 0, #ifdef HAVE_SSL_KEYLOG @@ -556,7 +556,7 @@ static int ssl_sock_register_msg_callbacks(void) if (!ssl_sock_register_msg_callback(ssl_sock_parse_heartbeat)) return ERR_ABORT; #endif - if (global_ssl.capture_cipherlist > 0) { + if (global_ssl.capture_buffer_size > 0) { if (!ssl_sock_register_msg_callback(ssl_sock_parse_clienthello)) return ERR_ABORT; } 
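Review bot: The pool size passed to create_pool() in the renamed line, `sizeof(struct ssl_capture) + global_ssl.capture_buffer_size`, adds an `int` to a `size_t`, so it is only sound if a negative value was already rejected earlier; that check is not in this hunk and presumably lives in ssl_parse_global_int(), which the wrapper calls first. A comment at the call site, `/* capture_buffer_size is non-negative: range-checked by ssl_parse_global_int() above */`, would record the dependency now that two keywords feed this field. ssl_parse_global_capture_buffer()'s body starts before this hunk.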
@@ -1795,7 +1795,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int capture->xxh64 = XXH64(msg, rec_len, 0); /* Capture the ciphersuite. */ - capture->ciphersuite_len = MIN(global_ssl.capture_cipherlist, rec_len); + capture->ciphersuite_len = MIN(global_ssl.capture_buffer_size, rec_len); capture->ciphersuite_offset = 0; memcpy(capture->data, msg, capture->ciphersuite_len); msg += rec_len; @@ -1827,7 +1827,7 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int /* Parse each extension */ while (msg + 4 < extensions_end) { /* Add 2 bytes of extension_id */ - if (global_ssl.capture_cipherlist >= offset + 2) { + if (global_ssl.capture_buffer_size >= offset + 2) { capture->data[offset++] = msg[0]; capture->data[offset++] = msg[1]; capture->extensions_len += 2; @@ -1880,8 +1880,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int if (ec_start) { rec_len = ec_len; - if (offset + rec_len > global_ssl.capture_cipherlist) - rec_len = global_ssl.capture_cipherlist - offset; + if (offset + rec_len > global_ssl.capture_buffer_size) + rec_len = global_ssl.capture_buffer_size - offset; memcpy(capture->data + offset, ec_start, rec_len); capture->ec_offset = offset; capture->ec_len = rec_len; @@ -1889,8 +1889,8 @@ static void ssl_sock_parse_clienthello(struct connection *conn, int write_p, int } if (ec_formats_start) { rec_len = ec_formats_len; - if (offset + rec_len > global_ssl.capture_cipherlist) - rec_len = global_ssl.capture_cipherlist - offset; + if (offset + rec_len > global_ssl.capture_buffer_size) + rec_len = global_ssl.capture_buffer_size - offset; memcpy(capture->data + offset, ec_formats_start, rec_len); capture->ec_formats_offset = offset; capture->ec_formats_len = rec_len;