MINOR: ssl: allow to change the client-sigalgs on server lines

This patch introduces the "client-sigalgs" keyword for the server line,
which allows to configure the list of server signature algorithms
negociated during the handshake. Also available as
"ssl-default-server-client-sigalgs" in the global section.

src/cfgparse-ssl.c

@@ -355,7 +355,7 @@ static int ssl_parse_global_client_sigalgs(char **args, int section_type, struct
 {
 	char **target;
 
-	target = &global_ssl.listen_default_client_sigalgs;
+	target = (args[0][12] == 'b') ? &global_ssl.listen_default_client_sigalgs : &global_ssl.connect_default_client_sigalgs;
 
 	if (too_many_args(1, args, err, NULL))
 		return -1;
@@ -1661,6 +1661,14 @@ static int ssl_sock_init_srv(struct server *s)
 	}
 #endif
 
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+	if (global_ssl.connect_default_client_sigalgs && !s->ssl_ctx.client_sigalgs) {
+		s->ssl_ctx.client_sigalgs = strdup(global_ssl.connect_default_client_sigalgs);
+		if (!s->ssl_ctx.client_sigalgs)
+			return 1;
+	}
+#endif
+
 	return 0;
 }
 
@@ -1716,6 +1724,30 @@ static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, s
 }
 #endif
 
+/* parse the "client-sigalgs" server keyword */
+static int srv_parse_client_sigalgs(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+#ifndef SSL_CTX_set1_client_sigalgs_list
+	memprintf(err, "'%s' : library does not support setting signature algorithms", args[*cur_arg]);
+	return ERR_ALERT | ERR_FATAL;
+#else
+	char *arg;
+
+	arg = args[*cur_arg + 1];
+	if (!*arg) {
+		memprintf(err, "'%s' : missing signature algorithm list", args[*cur_arg]);
+		return ERR_ALERT | ERR_FATAL;
+	}
+	newsrv->ssl_ctx.client_sigalgs = strdup(arg);
+	if (!newsrv->ssl_ctx.client_sigalgs) {
+		memprintf(err, "out of memory");
+		return ERR_ALERT | ERR_FATAL;
+	}
+	return 0;
+#endif
+}
+
+
 /* parse the "crl-file" server keyword */
 static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
@@ -2216,6 +2248,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	{ "ciphersuites",            srv_parse_ciphersuites,       1, 1, 1 }, /* select the cipher suite */
 #endif
+	{ "client-sigalgs",          srv_parse_client_sigalgs,     1, 1, 1 }, /* signature algorithms */
 	{ "crl-file",                srv_parse_crl_file,           1, 1, 1 }, /* set certificate revocation list file use on server cert verify */
 	{ "crt",                     srv_parse_crt,                1, 1, 1 }, /* set client certificate */
 	{ "force-sslv3",             srv_parse_tls_method_options, 0, 1, 1 }, /* force SSLv3 */
@@ -2294,6 +2327,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #endif
 #if defined(SSL_CTX_set1_client_sigalgs_list)
 	{ CFG_GLOBAL, "ssl-default-bind-client-sigalgs", ssl_parse_global_client_sigalgs },
+	{ CFG_GLOBAL, "ssl-default-server-client-sigalgs", ssl_parse_global_client_sigalgs },
 #endif
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	{ CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },

src/ssl_sock.c

@@ -5050,7 +5050,9 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 #if defined(SSL_CTX_set1_sigalgs_list)
 	const char *conf_sigalgs = NULL;
 #endif
-
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+	const char *conf_client_sigalgs = NULL;
+#endif
 
 	if (conf_ssl_methods->flags && (conf_ssl_methods->min || conf_ssl_methods->max))
 		ha_warning("no-sslv3/no-tlsv1x are ignored for this server. "
@@ -5199,6 +5201,16 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx)
 		}
 	}
 #endif
+#if defined(SSL_CTX_set1_client_sigalgs_list)
+	conf_client_sigalgs = srv->ssl_ctx.client_sigalgs;
+	if (conf_client_sigalgs) {
+		if (!SSL_CTX_set1_client_sigalgs_list(ctx, conf_client_sigalgs)) {
+			ha_alert("Proxy '%s': unable to set SSL Client Signature Algorithm list to '%s' for server '%s'.\n",
+			         curproxy->id, conf_client_sigalgs, srv->id);
+			cfgerr++;
+		}
+	}
+#endif
 
 	return cfgerr;
 }