]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7c8cd58)
MINOR: server: Make 'default-server' support 'verifyhost' setting.
authorFrédéric Lécaille <flecaille@haproxy.com>
Mon, 13 Mar 2017 14:52:01 +0000 (15:52 +0100)
committerWilly Tarreau <w@1wt.eu>
Mon, 27 Mar 2017 12:37:01 +0000 (14:37 +0200)
This patch makes 'default-server' directive support 'verifyhost' setting.
Note: there was a little memory leak when several 'verifyhost' arguments were
supplied on the same 'server' line.

src/server.c patch | blob | blame | history
src/ssl_sock.c patch | blob | blame | history

diff --git a/src/server.c b/src/server.c
index b69d1d1d025ba21772caebb78997f3a819269831..5819b754bb00613e0ad3aaaa806777992a1ded23 100644 (file)
--- a/src/server.c
+++ b/src/server.c
@@ -1298,6 +1298,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 #if defined(USE_OPENSSL)
                        /* SSL config. */
                        newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
+                       if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
+                               newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
 #endif
 
                        cur_arg = 3;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5285e244cf2306ea742bb75fe639b115dc809324..34860fe4e9104d21fcf52c53be2b61322b459552 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6792,6 +6792,7 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
                return ERR_ALERT | ERR_FATAL;
        }
 
+       free(newsrv->ssl_ctx.verify_host);
        newsrv->ssl_ctx.verify_host = strdup(args[*cur_arg + 1]);
 
        return 0;
@@ -7518,7 +7519,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
        { "tlsv12",                  srv_parse_tlsv12,            0, 1 }, /* enable TLSv12 */
        { "tls-tickets",             srv_parse_tls_tickets,       0, 1 }, /* enable session resumption tickets */
        { "verify",                  srv_parse_verify,            1, 1 }, /* set SSL verify method */
-       { "verifyhost",              srv_parse_verifyhost,        1, 0 }, /* require that SSL cert verifies for hostname */
+       { "verifyhost",              srv_parse_verifyhost,        1, 1 }, /* require that SSL cert verifies for hostname */
        { NULL, NULL, 0, 0 },
 }};
 
Mirror of https://github.com/haproxy/haproxy.git