BUG: ssl: mark the connection as waiting for an SSL connection during the handshake
authorWilly Tarreau <w@1wt.eu>
Tue, 4 Sep 2012 06:03:39 +0000 (08:03 +0200)
committerWilly Tarreau <w@1wt.eu>
Tue, 4 Sep 2012 06:03:39 +0000 (08:03 +0200)
The WAIT_L6_CONN was designed especially to ensure that the connection
was not marked ready before the SSL layer was OK, but we forgot to set
the flag, resulting in a rejected handshake when ssl was combined with
accept-proxy because accept-proxy would validate the connection alone
and the SSL handshake would then believe in a client-initiated reneg
and kill it.

src/ssl_sock.c

index f5d054e74b473675694d982d35bbf7cbfc947c3c..cfe788d27366ce099af82de3ec81d65585d868df 100644 (file)
@@ -86,7 +86,7 @@ static int ssl_sock_init(struct connection *conn)
                SSL_set_fd(conn->data_ctx, conn->t.sock.fd);
 
                /* leave init state and start handshake */
-               conn->flags |= CO_FL_SSL_WAIT_HS;
+               conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
                return 0;
        }
        else if (target_client(&conn->target)) {
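Review bot: The comment `/* leave init state and start handshake */` above the changed assignment no longer explains why a second flag is OR'ed in; I would extend it to `/* leave init state and start handshake; WAIT_L6_CONN keeps the connection unreported as ready until the SSL layer is up */`, here and at the identical change in the second hunk (line 105). Both branches now set exactly the same pair of flags, so the assignment and its comment could be written once below the if/else chain instead of in each branch, so the two sites cannot drift apart again. Whether CO_FL_WAIT_L6_CONN is cleared on both the successful and the failed handshake paths is outside this hunk and worth confirming, since a connection left with it set after a handshake error would presumably never be reported ready. The body of ssl_sock_init starts and ends outside the hunk.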
@@ -105,7 +105,7 @@ static int ssl_sock_init(struct connection *conn)
                SSL_set_app_data(conn->data_ctx, conn);
 
                /* leave init state and start handshake */
-               conn->flags |= CO_FL_SSL_WAIT_HS;
+               conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
                return 0;
        }
        /* don't know how to handle such a target */