MEDIUM: httpclient: hard-error when SSL is configured
authorWilliam Lallemand <wlallemand@haproxy.org>
Wed, 4 May 2022 12:53:41 +0000 (14:53 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Wed, 4 May 2022 14:13:17 +0000 (16:13 +0200)
The hard_error_ssl flag is set when the SSL configuration of the httpclient
is done explicitly.

If no configuration was made, the features are simply disabled and no
alert is emitted.

src/http_client.c

index 25011e94f77a1cfcb95e8c456c9a27a9e1049fb2..a3d87caf3c21c5f9e7449e47e464bb1db75dba60 100644 (file)
 
 static struct proxy *httpclient_proxy;
 static struct server *httpclient_srv_raw;
+
 #ifdef USE_OPENSSL
+/* if the httpclient is not configured, error are ignored and features are limited */
+static int hard_error_ssl = 0;
 static struct server *httpclient_srv_ssl;
 static int httpclient_ssl_verify = SSL_SOCK_VERIFY_REQUIRED;
 #endif
@@ -1155,10 +1158,18 @@ static int httpclient_precheck()
        if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
                httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca");
                if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
-                       ha_warning("httpclient: cannot initialize SSL verify with 'ca-file \"%s\"'. Disabling SSL.\n", httpclient_srv_ssl->ssl_ctx.ca_file);
-                       ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file);
-                       srv_drop(httpclient_srv_ssl);
-                       httpclient_srv_ssl = NULL;
+                       /* if we failed to load the ca-file, only quits in
+                        * error with hard_error, otherwise just disable the
+                        * feature. */
+                       if (hard_error_ssl) {
+                               memprintf(&errmsg, "cannot initialize SSL verify with 'ca-file \"%s\"'.", httpclient_srv_ssl->ssl_ctx.ca_file);
+                               err_code |= ERR_ALERT | ERR_FATAL;
+                               goto err;
+                       } else {
+                               ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file);
+                               srv_drop(httpclient_srv_ssl);
+                               httpclient_srv_ssl = NULL;
+                       }
                }
        }
 
@@ -1273,6 +1284,9 @@ static int httpclient_parse_global_verify(char **args, int section_type, struct
        if (too_many_args(1, args, err, NULL))
                return -1;
 
+       /* any configuration should set the hard_error flag */
+       hard_error_ssl = 1;
+
        if (strcmp(args[1],"none") == 0)
                httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE;
        else if (strcmp(args[1],"required") == 0)
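Review bot: `hard_error_ssl = 1;` is set before `args[1]` has been validated, so an unrecognized value flips the flag even though nothing was configured. If the trailing `else` of this chain (outside the hunk) rejects unknown values the configuration fails anyway and the ordering is harmless; if it only warns, the assignment should move below the value check so the flag reflects an accepted setting. The comment could also say what the flag actually changes: `/* an explicit verify setting turns later SSL setup failures into fatal config errors */`. httpclient_parse_global_verify continues outside the hunk.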