diff --git a/Makefile b/Makefile
index f0533a70a..653c083ce 100644
--- a/Makefile
+++ b/Makefile
@@ -139,6 +139,11 @@ ADDLIB =
 # Use DEFINE=-Dxxx to set any tunable macro. Anything declared here will appear
 # in the build options reported by "haproxy -vv". Use SILENT_DEFINE if you do
 # not want to pollute the report with complex defines.
+# The following settings might be of interest when SSL is enabled :
+# LISTEN_DEFAULT_CIPHERS is a cipher suite string used to set the default SSL
+# ciphers on "bind" lines instead of using OpenSSL's defaults.
+# CONNECT_DEFAULT_CIPHERS is a cipher suite string used to set the default
+# SSL ciphers on "server" lines instead of using OpenSSL's defaults.
 DEFINE =
 SILENT_DEFINE =
diff --git a/include/common/defaults.h b/include/common/defaults.h
index b49044e50..3a67d3353 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -188,4 +188,14 @@
 #define HCHK_DESC_LEN 128
 #endif
+/* ciphers used as defaults on connect */
+#ifndef CONNECT_DEFAULT_CIPHERS
+#define CONNECT_DEFAULT_CIPHERS NULL
+#endif
+
+/* ciphers used as defaults on listeners */
+#ifndef LISTEN_DEFAULT_CIPHERS
+#define LISTEN_DEFAULT_CIPHERS NULL
+#endif
+
 #endif /* _COMMON_DEFAULTS_H */
diff --git a/include/types/global.h b/include/types/global.h
index 3efe933e5..d7c6cfd47 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -76,6 +76,8 @@ struct global {
 int maxconn, hardmaxconn;
 #ifdef USE_OPENSSL
 int maxsslconn;
+ char *listen_default_ciphers;
+ char *connect_default_ciphers;
 #endif
 struct freq_ctr conn_per_sec;
 int cps_lim, cps_max;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 88c630032..9d47dae20 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
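Review bot: The NULL fallbacks for CONNECT_DEFAULT_CIPHERS and LISTEN_DEFAULT_CIPHERS leave unstated that a build override must expand to a quoted C string literal; `DEFINE=-DLISTEN_DEFAULT_CIPHERS=...` given without the inner quotes produces a bare token that is not a valid initializer for the `char *` fields in src/haproxy.c and only fails at compile time with an unhelpful message. Record the contract next to each macro, e.g. `/* ciphers used as defaults on connect; override with a quoted C string literal, NULL means OpenSSL's defaults */` and the listener counterpart. The Makefile comment in this diff could say the same in one clause ("a quoted cipher suite string").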
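Review bot: `listen_default_ciphers` and `connect_default_ciphers` are declared as plain `char *`, yet in this diff they are only ever initialised from build-time macros (src/haproxy.c) and only read through `strdup()` by the `ssl`, `check-ssl` and bind `ssl` parsers, so `const char *listen_default_ciphers;` / `const char *connect_default_ciphers;` would document that they point at literals that are never modified or freed. `strdup()` takes a `const char *`, so no caller changes. The struct continues on both sides of the hunk.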
@@ -4313,6 +4313,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
 newsrv->use_ssl = 1;
 cur_arg += 1;
+
+ if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 Alert("parsing [%s:%d]: '%s' option not implemented.\n", file, linenum, args[cur_arg]);
@@ -4324,6 +4327,9 @@ stats_error_parsing:
 #ifdef USE_OPENSSL
 newsrv->check.use_ssl = 1;
 cur_arg += 1;
+
+ if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
 #else /* USE_OPENSSL */
 Alert("parsing [%s:%d]: '%s' option not implemented.\n", file, linenum, args[cur_arg]);
@@ -4340,6 +4346,7 @@ stats_error_parsing:
 goto out;
 }
+ free(newsrv->ssl_ctx.ciphers);
 newsrv->ssl_ctx.ciphers = strdup(args[cur_arg + 1]);
 cur_arg += 2;
diff --git a/src/haproxy.c b/src/haproxy.c
index d2f5d45e8..1cad8e4cc 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -125,8 +125,16 @@ struct global global = {
 .sslcachesize = 20000,
 #endif
 },
-#if defined (USE_OPENSSL) && defined(DEFAULT_MAXSSLCONN)
+#ifdef USE_OPENSSL
+#ifdef DEFAULT_MAXSSLCONN
 .maxsslconn = DEFAULT_MAXSSLCONN,
+#endif
+#ifdef LISTEN_DEFAULT_CIPHERS
+ .listen_default_ciphers = LISTEN_DEFAULT_CIPHERS,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERS
+ .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
 #endif
 /* others NULL OK */
 };
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index af90018a5..055bc6fe5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1138,6 +1138,7 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
 return ERR_ALERT | ERR_FATAL;
 }
+ free(conf->ciphers);
 conf->ciphers = strdup(args[cur_arg + 1]);
 return 0;
 }
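Review bot: The result of `strdup(global.connect_default_ciphers)` is stored without a NULL check, so an allocation failure leaves `newsrv->ssl_ctx.ciphers` NULL and the server presumably ends up on OpenSSL's built-in cipher list instead of the build-time default, a silent weakening of the intended policy rather than a configuration error. The existing `ciphers` keyword handling uses the same unchecked `strdup()`, so this follows file style, but a security default deserves a loud failure through the surrounding error path: `if (!newsrv->ssl_ctx.ciphers) { Alert("parsing [%s:%d]: out of memory.\n", file, linenum); err_code |= ERR_ALERT | ERR_FATAL; goto out; }`. The same unchecked copy appears in the `check-ssl` hunk directly below and in `bind_parse_ssl` in src/ssl_sock.c. The enclosing server-line parser starts and ends outside the hunk.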
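Review bot: The new `free(newsrv->ssl_ctx.ciphers)` assumes the field is either NULL or a heap string owned by this server, but the hunk does not show how `newsrv` is created; please confirm it is zero-initialised and that `ssl_ctx.ciphers` is never copied by pointer from a `default-server` entry, otherwise the second server line to use `ciphers` would free a string still referenced elsewhere. If inheritance from the default server is intended, copy the string with `strdup()` when the server is created instead of sharing the pointer, and add `/* replaces any inherited or build-time default; the field must own its string */` above the free. The same free-before-`strdup()` is added to `bind_parse_ciphers` in src/ssl_sock.c and likewise depends on `bind_conf` being zeroed at allocation. The enclosing function continues on both sides of the hunk.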
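Review bot: The inner `#ifdef LISTEN_DEFAULT_CIPHERS` and `#ifdef CONNECT_DEFAULT_CIPHERS` guards are always satisfied once include/common/defaults.h is in scope, because that header (changed in this same diff) defines both macros to NULL when the build does not override them; the guards add two levels of nesting without selecting anything. Either drop them and rely on the header's fallback, or keep them with a one-line comment such as `/* defaults.h supplies NULL when the build does not override these */` so the next reader does not hunt for a missing definition. The `#ifdef DEFAULT_MAXSSLCONN` guard still earns its place, as no fallback for that macro is visible here. The initializer continues above the hunk.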
@@ -1340,6 +1341,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 struct listener *l;
 conf->is_ssl = 1;
+
+ if (global.listen_default_ciphers && !conf->ciphers)
+ conf->ciphers = strdup(global.listen_default_ciphers);
+
 list_for_each_entry(l, &conf->listeners, by_bind)
 l->xprt = &ssl_sock;
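Review bot: The precedence between the build-time default and an explicit `ciphers` keyword on the same bind line is only implied: the `!conf->ciphers` test preserves a `ciphers` setting parsed earlier on the line, and the `free()` added to `bind_parse_ciphers` in this diff lets a later one replace the default, so the outcome is order-independent but nothing in this function says so. A comment above the test would capture it: `/* build-time default cipher list; an explicit "ciphers" keyword on the line, before or after "ssl", takes precedence */`. bind_parse_ssl's body continues past the hunk.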