From 625291d0f04d731db7e9eae7605ba5110676e48c Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 6 Oct 2020 23:32:56 +0200 Subject: [PATCH 1/2] net/haproxy: add support for TLSv1.3, closes #790 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 20 ++++++- .../OPNsense/HAProxy/forms/generalTuning.xml | 20 ++++++- .../app/models/OPNsense/HAProxy/HAProxy.xml | 52 +++++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 22 +++++++- 4 files changed, 111 insertions(+), 3 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 32e200eb9..754bd8b03 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -98,11 +98,29 @@ true + + frontend.ssl_minVersion + + dropdown + + + + frontend.ssl_maxVersion + + dropdown + + frontend.ssl_cipherList text - + + + + frontend.ssl_cipherSuites + + text + frontend.ssl_hstsEnabled diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml index a5abb322c..33081d576 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml @@ -93,10 +93,28 @@ true + + haproxy.general.tuning.ssl_minVersion + + dropdown + + + + haproxy.general.tuning.ssl_maxVersion + + dropdown + + haproxy.general.tuning.ssl_cipherList text - + + + + haproxy.general.tuning.ssl_cipherSuites + + text + diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 914f3b74d..87f42e7f9 100644 
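Review bot: The new ssl_cipherSuites field is placed directly under ssl_cipherList in both dialogFrontend.xml and generalTuning.xml, and the help text (form tags are stripped in this view, so I cannot confirm the wording) should spell out HAProxy's split: `ciphers` governs TLSv1.2 and earlier, while `ciphersuites` applies only to the TLSv1.3 handshake, so a user who pastes TLS 1.3 suite names into the old field gets no effect and no error. A one-line help such as `Colon-separated TLSv1.3 cipher suites; TLSv1.2 and earlier are controlled by the cipher list above.` would prevent that. The ssl_minVersion/ssl_maxVersion dropdown help should likewise say that these are rendered as `ssl-min-ver`/`ssl-max-ver` and overlap with the existing force-tlsv*/no-tlsv* bind options, so that administrators do not set both and then have to guess which one HAProxy honours.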
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -136,18 +136,44 @@ no-tlsv10 no-tlsv11 no-tlsv12 + no-tlsv13 no-tls-tickets force-sslv3 force-tlsv10 force-tlsv11 force-tlsv12 + force-tlsv13 strict-sni + + N + + SSLv3 + TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3 + + + + N + + SSLv3 + TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3 + + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 N + + TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + N + @@ -442,18 +468,44 @@ no-tlsv10 no-tlsv11 no-tlsv12 + no-tlsv13 no-tls-tickets force-sslv3 force-tlsv10 force-tlsv11 force-tlsv12 + force-tlsv13 strict-sni + + N + + SSLv3 + TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3 + + + + N + + SSLv3 + TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3 + + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 N + + TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 + N + 1 Y diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 10dd9c495..1796018a4 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
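Review bot: The new ssl_minVersion/ssl_maxVersion option fields in both HAProxy.xml hunks (frontend at -136 and general tuning at -442) accept any pair of values, so a minimum above the maximum (for example TLSv1.3 with TLSv1.0) is saved and rendered as `ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.0`, leaving it to HAProxy to reject the configuration at reload time rather than the model catching it on save; a cross-field check in the model or controller would surface it earlier. The same hunks also allow the legacy force-tlsv*/no-tlsv* options to be combined with the new min/max fields on one bind line; HAProxy's documentation indicates the explicit min/max settings take precedence and the flags are then ignored (verify against the HAProxy build shipped with the plugin), which is worth stating in the field help so the ignored flags do not give a false sense of hardening. Since this change is about TLSv1.3, consider whether SSLv3 needs to be offered in a freshly added minimum-version dropdown at all, given that `force-sslv3` already exists in the bind options list for the legacy case.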
@@ -869,16 +869,27 @@ global
 {% endif %}
 {# # ssl default settings #}
 {% if OPNsense.HAProxy.general.tuning.ssl_defaultsEnabled|default("") == '1' %}
+{% set bindopts = [] %}
 {% if OPNsense.HAProxy.general.tuning.ssl_bindOptions|default("") != "" %}
-{% set bindopts = [] %}
 {% for bindopt in OPNsense.HAProxy.general.tuning.ssl_bindOptions.split(",") %}
 {% do bindopts.append(bindopt) %}
 {% endfor %}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_minVersion|default("") != "" %}
+{% do bindopts.append('ssl-min-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_minVersion) %}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_maxVersion|default("") != "" %}
+{% do bindopts.append('ssl-max-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_maxVersion) %}
+{% endif %}
+{% if (bindopts is defined and bindopts|default("") != "" )%}
 ssl-default-bind-options {{ bindopts|join(' ') }}
 {% endif %}
 {% if OPNsense.HAProxy.general.tuning.ssl_cipherList|default("") != "" %}
 ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
 {% endif %}
+{% if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
+ ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
+{% endif %}
 {% endif %}
 {# # pass-through options #}
 {% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
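Review bot: The guard `{% if (bindopts is defined and bindopts|default("") != "" )%}` no longer protects the `ssl-default-bind-options` line: `bindopts` is now unconditionally set to `[]` at the top of the block, and in Jinja an empty list is both defined and unequal to `""`, so when ssl_bindOptions, ssl_minVersion and ssl_maxVersion are all empty the template emits `ssl-default-bind-options` with no arguments. Before this change the `is defined` test was what suppressed the line, because `bindopts` only existed inside the ssl_bindOptions branch. Whether HAProxy tolerates the argument-less directive depends on the version, so test the list itself: `{% if bindopts %}` (or `{% if bindopts|length > 0 %}`). The frontend hunk at @@ -1064 builds `ssl_options` the same way; its consumer lies outside that hunk and deserves the same check.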
@@ -1064,9 +1075,18 @@ frontend {{frontend.name}}
 {% do ssl_options.append(bindopt) %}
 {% endfor %}
 {% endif %}
+{% if frontend.ssl_minVersion|default("") != "" %}
+{% do ssl_options.append('ssl-min-ver ' ~ frontend.ssl_minVersion) %}
+{% endif %}
+{% if frontend.ssl_maxVersion|default("") != "" %}
+{% do ssl_options.append('ssl-max-ver ' ~ frontend.ssl_maxVersion) %}
+{% endif %}
 {% if frontend.ssl_cipherList|default("") != "" %}
 {% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {% endif %}
+{% if frontend.ssl_cipherSuites|default("") != "" %}
+{% do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
+{% endif %}
 {# # HSTS #}
 {% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
 {% set hsts_options = [] %}
From ff730a64033bd909a1372241cf1a0b5908e807c2 Mon Sep 17 00:00:00 2001
From: Frank Wall
Date: Tue, 6 Oct 2020 23:47:31 +0200
Subject: [PATCH 2/2] net/haproxy: bump version, update changelog
---
 net/haproxy/Makefile | 2 +-
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index a27f03962..65767a88a 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME= haproxy
-PLUGIN_VERSION= 2.24
+PLUGIN_VERSION= 2.25
 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS= haproxy20
 PLUGIN_MAINTAINER= opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index be9ec9837..0f76d393a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
+2.25
+
+Added:
+* add support for TLSv1.3 (#790)
+
 2.24
 Added:
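Review bot: `frontend.ssl_cipherSuites` is appended verbatim as `ciphersuites <value>` onto the frontend's bind line (the global hunk at @@ -869 does the same for `ssl-default-bind-ciphersuites`), and the corresponding model field in HAProxy.xml shows only Required N in this view, so if it carries no `<mask>`, a value with embedded whitespace or a line break would end the option list early or spill into the next directive, and a typo is only reported at reload time. TLSv1.3 suite names consist of uppercase letters, digits and `_`, joined by `:`, so a mask along the lines of `/^[A-Z0-9_:]+$/` on the model field would reject malformed input at save time; the existing ssl_cipherList field presumably has an equivalent mask to mirror. The ssl_options list is consumed outside this hunk, so I cannot confirm whether an empty list is already guarded there.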