BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init
authorWilliam Lallemand <wlallemand@haproxy.com>
Fri, 7 Feb 2020 19:45:24 +0000 (20:45 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Fri, 7 Feb 2020 19:55:35 +0000 (20:55 +0100)
The code which is supposed to apply the bind_conf configuration on the
SSL_CTX was not called correctly: it was called with the previous
SSL_CTX, so the new ones were left with their default settings. For example
the ciphers were not changed.

This patch fixes #429.

Must be backported in 2.1.

src/ssl_sock.c

index 7698eec7fbb2b1b8a5545abc322881a15e29cc23..67e086dff245556ce26d644538bfb8ce90a33503 100644 (file)
@@ -10617,8 +10617,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                                new_inst->is_default = 1;
 
                                        /* we need to initialize the SSL_CTX generated */
-                                       /* TODO: the prepare_ctx function need to be reworked to be safer there */
-                                       list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
+                                       /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
+                                       list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
                                                if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */
                                                        errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
                                                        if (errcode & ERR_CODE)
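Review bot: The loop now walks `new_inst->sni_ctx`, but the call on the next line still takes `ckchi->bind_conf` and `ckchi->ssl_conf` from the old instance, so the contexts being prepared and the configuration applied to them come from two different objects; if `new_inst` is a ckch_inst like `ckchi` and is meant to carry the same bind_conf/ssl_conf, reading them from `new_inst` would keep the statement self-contained and would not regress silently should the two ever diverge, e.g. `errcode |= ssl_sock_prepare_ctx(new_inst->bind_conf, new_inst->ssl_conf, sc0->ctx, &err);` — otherwise a comment should state why the old instance's settings are the intended source. The `!sc0->order` shortcut relies on every sni_ctx of the new instance sharing one SSL_CTX; since a context that is skipped here would keep default ciphers (the very symptom this commit fixes), that invariant deserves to be spelled out next to the check, e.g. `/* all sni_ctx of an instance share the same SSL_CTX, so preparing the first one (order 0) is enough */`. The new comment on the list_for_each_entry_safe line should also read `/* iterate over the newly generated SNIs of the new instance to prepare their SSL_CTX */`. cli_io_handler_commit_cert starts and ends outside this hunk, so the handling of `errcode & ERR_CODE` after a failed prepare cannot be judged from here.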