From 51aa815ed0a53798ef56899daf5fd21bb8ceef81 Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Sat, 20 Jun 2015 16:05:29 +0200
Subject: haproxy-devel, dont send the root CA cert to clients when using ssl-offloading, its not needed. -cipher example and HSTS textual addition -another try to include lua for haproxy1.6dev package binary
---
 config/haproxy-devel/pkg/haproxy.inc | 17 +++++++++++------
 config/haproxy-devel/www/haproxy_listeners_edit.php | 3 ++-
 config/haproxy-devel/www/haproxy_pool_edit.php | 2 +-
 pkg_config.10.xml | 4 ++--
 4 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index 6e07625f..eceef783 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -957,18 +957,23 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
 unset($crl);
 }
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
 $cert = haproxy_lookup_cert($certid);
 $certcontent = base64_decode($cert['crt']);
 if (isset($cert['prv']))
 $certcontent .= "\r\n".base64_decode($cert['prv']);
- $certchaincontent = ca_chain($cert);
- if ($certchaincontent != "") {
- $certcontent .= "\r\n" . $certchaincontent;
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
 }
- unset($certchaincontent);
 $flags = $append ? FILE_APPEND : 0;
 file_put_contents($filename, $certcontent, $flags);
 unset($certcontent);
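Review bot: The new `while(!empty($ca['caref']))` walk has no termination guard other than reaching a self-signed certificate or a failed `lookup_ca()`, so a CA store whose `caref` entries form a cycle (an entry referencing itself without being self-signed, or two intermediates referencing each other) would keep haproxy_write_certificate_fullchain looping forever at config-write time; the replaced `ca_chain()` call is gone along with whatever protection it may have had. Tracking visited refs closes this: `$seen = array();` before the loop, and `while (!empty($ca['caref']) && !isset($seen[$ca['caref']])) { $seen[$ca['caref']] = true;` as the loop head. The `$skiproot = true` default changes the written chain for every existing caller, which matches the commit's intent but deserves a comment on the signature such as `// $skiproot: omit the self-signed root (subject == issuer); clients must already trust it anyway`. Minor style: `while(` should be `while (`, and the `} else` branch holding a bare `break;` wants braces. The function's closing lines fall outside the hunk.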
@@ -1155,7 +1160,7 @@ function haproxy_writeconf($configpath) {
 if ($frontend['sslocsp'] == 'yes') {
 if (!empty(haproxy_getocspurl($filename))) {
 haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
- touch($filename . ".ocsp");
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
 }
 }
diff --git a/config/haproxy-devel/www/haproxy_listeners_edit.php b/config/haproxy-devel/www/haproxy_listeners_edit.php
index 5b726d08..6998e099 100644
--- a/config/haproxy-devel/www/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/www/haproxy_listeners_edit.php
@@ -811,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend); />
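Review bot: The comment appended to `touch($filename . ".ocsp");` is glued to the statement with no space after `//` and pushes the line well past the usual width, which hides the one piece of intent this hunk adds. It reads better as its own line above the call: `// Create an initial empty .ocsp file; this triggers the OCSP updates and tells haproxy it should be using OCSP.` haproxy_writeconf continues outside the hunk on both sides.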
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.
- some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets + some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+ Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES diff --git a/config/haproxy-devel/www/haproxy_pool_edit.php b/config/haproxy-devel/www/haproxy_pool_edit.php index 5e38b12d..0824e45c 100644 --- a/config/haproxy-devel/www/haproxy_pool_edit.php +++ b/config/haproxy-devel/www/haproxy_pool_edit.php @@ -961,7 +961,7 @@ set by the 'retries' parameter. Advanced - Strict-Transport-Security + HSTS Strict-Transport-Security When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)
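Review bot: The added example `no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES` presents static-RSA (`kRSA`) and 3DES suites as a recommendation, and users tend to paste help-text examples verbatim; the kRSA groups give no forward secrecy and 3DES is a legacy cipher. Label it as a compatibility example, e.g. `Example (broad compatibility; the kRSA and 3DES groups lack forward secrecy, drop them unless old clients must connect): no-sslv3 ciphers ...`. The option list on the line above still reads `force-sslv3,` with a comma although the NOTE says to paste options without commas, and `force-sslv3` is probably not an option this help text should advertise at all. The remaining context lines of this hunk are not visible here.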
WARNING! the domain will only work over https with a valid certificate!
diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 25b1bd45..e43023ca 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -172,7 +172,7 @@ Supports ACLs for smart backend switching.]]> http://haproxy.1wt.eu/ Services - 0.24 + 0.25 Release 2.2 https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml @@ -186,7 +186,7 @@ haproxy-devel net/haproxy-devel - WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE + WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE LUA Apache with mod_security-dev -- cgit v1.2.3