MINOR: config: add global directives to set default SSL ciphers

The ability to globally override the default client and server cipher
suites has been requested multiple times since the introduction of SSL.
This commit adds two new keywords to the global section for this :
  - ssl-default-bind-ciphers
  - ssl-default-server-ciphers

It is still possible to preset them at build time by setting the macros
LISTEN_DEFAULT_CIPHERS and CONNECT_DEFAULT_CIPHERS.

doc/configuration.txt

@@ -629,6 +629,23 @@ stats bind-process [ all | odd | even | <number 1-32>[-<number 1-32>] ] ...
   warning will automatically be disabled when this setting is used, whatever
   the number of processes used.
 
+ssl-default-bind-ciphers <ciphers>
+  This setting is only available when support for OpenSSL was built in. It sets
+  the default string describing the list of cipher algorithms ("cipher suite")
+  that are negociated during the SSL/TLS handshake for all "bind" lines which
+  do not explicitly define theirs. The format of the string is defined in
+  "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
+  as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
+  "bind" keyword for more information.
+
+ssl-default-server-ciphers <ciphers>
+  This setting is only available when support for OpenSSL was built in. It
+  sets the default string describing the list of cipher algorithms that are
+  negociated during the SSL/TLS handshake with the server, for all "server"
+  lines which do not explicitly define theirs. The format of the string is
+  defined in "man 1 ciphers". Please check the "server" keyword for more
+  information.
+
 ssl-server-verify [none|required]
   The default behavior for SSL verify on servers side. If specified to 'none',
   servers certificates are not verified. The default is 'required' except if

src/cfgparse.c

@@ -881,6 +881,36 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm)
 		Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
 		err_code |= ERR_ALERT | ERR_FATAL;
 		goto out;
+#endif
+	}
+	else if (!strcmp(args[0], "ssl-default-bind-ciphers")) {
+#ifdef USE_OPENSSL
+		if (*(args[1]) == 0) {
+			Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+		free(global.listen_default_ciphers);
+		global.listen_default_ciphers = strdup(args[1]);
+#else
+		Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
+#endif
+	}
+	else if (!strcmp(args[0], "ssl-default-server-ciphers")) {
+#ifdef USE_OPENSSL
+		if (*(args[1]) == 0) {
+			Alert("parsing [%s:%d] : '%s' expects a cipher suite as an argument.\n", file, linenum, args[0]);
+			err_code |= ERR_ALERT | ERR_FATAL;
+			goto out;
+		}
+		free(global.connect_default_ciphers);
+		global.connect_default_ciphers = strdup(args[1]);
+#else
+		Alert("parsing [%s:%d] : '%s' is not implemented.\n", file, linenum, args[0]);
+		err_code |= ERR_ALERT | ERR_FATAL;
+		goto out;
 #endif
 	}
 	else if (!strcmp(args[0], "ssl-server-verify")) {

src/haproxy.c

@@ -161,12 +161,6 @@ struct global global = {
 #ifdef DEFAULT_MAXSSLCONN
 	.maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
-#ifdef LISTEN_DEFAULT_CIPHERS
-	.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
-#endif
-#ifdef CONNECT_DEFAULT_CIPHERS
-	.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
-#endif
 #endif
 	/* others NULL OK */
 };

src/ssl_sock.c

@@ -3628,6 +3628,17 @@ static void __ssl_sock_init(void)
 {
 	STACK_OF(SSL_COMP)* cm;
 
+#ifdef LISTEN_DEFAULT_CIPHERS
+	global.listen_default_ciphers = LISTEN_DEFAULT_CIPHERS;
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+	global.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS;
+#endif
+	if (global.listen_default_ciphers)
+		global.listen_default_ciphers = strdup(global.listen_default_ciphers);
+	if (global.connect_default_ciphers)
+		global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+
 	SSL_library_init();
 	cm = SSL_COMP_get_compression_methods();
 	sk_SSL_COMP_zero(cm);