BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters
authorWilliam Lallemand <wlallemand@haproxy.com>
Mon, 9 Mar 2020 15:56:39 +0000 (16:56 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 9 Mar 2020 16:32:04 +0000 (17:32 +0100)
Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"),
HAProxy generates a list of filters based on the sni_ctx in memory.
However it's not always relevant, sometimes no filters were configured
and the CN/SAN in the new certificate are not the same.

This patch fixes the issue by using a filters flag in the ckch_inst, so
we are able to know whether there were filters or not. In the latter case it
uses the CN/SAN of the new certificate to generate the sni_ctx.

note: filters are still only used in the crt-list atm.

include/types/ssl_sock.h
src/ssl_sock.c

index 716be8936c3f8f21f2de003d307df9ab4346a629..b0104486d4f41be839f112f319a1584087779db2 100644 (file)
@@ -129,6 +129,7 @@ struct ckch_inst {
        struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
        struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
        struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
+       unsigned int filters:1; /* using sni filters ? */
        unsigned int is_default:1;      /* This instance is used as the default ctx for this bind_conf */
        /* space for more flag there */
        struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
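Review bot: The comment on the new `filters` bit, `/* using sni filters ? */`, does not tell a reader of the struct what the bit actually distinguishes, which the commit message does. Suggest `/* set when the sni_ctx list was built from crt-list filters rather than from the certificate's CN/SAN */`, so that code deciding how to regenerate sni_ctx on a cert update knows which source to trust. The struct ckch_inst definition starts and ends outside the hunk.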
index eeae7c4f45f045dcbe801866473a4ace079ec326..ef3091e3c3319098ac36df341e5a2882461a9148 100644 (file)
@@ -4188,6 +4188,7 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
        ckch_inst->bind_conf = bind_conf;
        ckch_inst->ssl_conf = ssl_conf;
        ckch_inst->ckch_store = ckchs;
+       ckch_inst->filters = !!fcount;
 end:
 
        if (names)
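Review bot: The new `ckch_inst->filters = !!fcount;` is placed just before the `end:` label, so it only runs on the success path; any `goto end` taken earlier in ckch_inst_new_load_multi_store leaves the bit at whatever value the allocation gave it. If the instance is calloc'd and freed on every error path this is harmless, but that cannot be confirmed from the hunk; setting the bit right after the instance is created, or together with `bind_conf`/`ssl_conf` on a path that precedes all error jumps, would make it independent of that assumption. The function body continues outside the hunk on both sides.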
@@ -4377,6 +4378,7 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
        ckch_inst->bind_conf = bind_conf;
        ckch_inst->ssl_conf = ssl_conf;
        ckch_inst->ckch_store = ckchs;
+       ckch_inst->filters = !!fcount;
 
        *ckchi = ckch_inst;
        return errcode;
@@ -11006,10 +11008,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                                appctx->ctx.ssl.next_ckchi = ckchi;
                                                goto yield;
                                        }
-
-                                       errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
-                                       if (errcode & ERR_CODE)
-                                               goto error;
+                                       if (ckchi->filters) {
+                                               errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
+                                               if (errcode & ERR_CODE)
+                                                       goto error;
+                                       }
 
                                        if (new_ckchs->multi)
                                                errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
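Review bot: After the change, `sni_filter` and `fcount` are only written when `ckchi->filters` is set, yet the following `ckch_inst_new_load_multi_store(...)` call (and presumably the non-multi sibling below the hunk) still reads both unconditionally. This handler iterates over several ckch instances across yields (`appctx->ctx.ssl.next_ckchi`), so unless both variables are reset at the top of each iteration — their declarations are outside the hunk — a preceding instance that had filters would leak its `sni_filter`/`fcount` into a later one that has none, rebuilding the wrong sni_ctx for it. Suggest guarding explicitly: `} else { sni_filter = NULL; fcount = 0; }` on the new `if (ckchi->filters)` block. cli_io_handler_commit_cert starts and ends outside the hunk.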