BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind

This patch introduces a change of behavior in the configuration parsing.

Previously the "ssl-f-use" lines were only applied on "ssl" bind lines
that does not have any "crt" configured.
Since there is no warning and you could mix bind lines with and without
crt, this is really confusing.

This patch applies the "ssl-f-use" lines on every "ssl" bind lines.

This was discussed in ticket #3082.

Must be backported in 3.2.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index adfd0e672d46526aeef4ad251ff4be590cc60ed1..79569422749d3d545474906cc8c014d54e4d06a0 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12205,8 +12205,9 @@ ssl-f-use [<sslbindconf> ...]*
   Assignate a certificate <crtname> to a crt-list created automatically with the
   frontend name and prefixed by @ (ex: '@frontend1').
 
-  This implicit crt-list will be assigned to every "ssl" bind lines in a
-  frontend that does not already have the "crt" or the "crt-list" line.
+  This implicit crt-list will be assigned to every "ssl" bind lines in the
+  current frontend.
+
   crt-list commands from the stats socket are effective with this crt-list, so
   one could replace, remove or add certificates and SSL options to it.
 

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index e1bb7096e435ed0fedb07ac00ea3fbe8cfcb44db..1f3e0d966c48bcd1e5e626990b296be282a59fe3 100644 (file)
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -2442,14 +2442,12 @@ static int post_section_frontend_crt_init()
                        goto error;
                }
 
-               /* look for "ssl" bind lines without any crt nor crt-line */
+               /* look for "ssl" bind lines */
                list_for_each_entry(b, &curproxy->conf.bind, by_fe) {
                        if (b->options & BC_O_USE_SSL) {
-                               if (eb_is_empty(&b->sni_ctx) && eb_is_empty(&b->sni_w_ctx)) {
-                                       err_code |= ssl_sock_load_cert_list_file(crtlist_name, 0, b, curproxy, &err);
-                                       if (err_code & ERR_CODE)
-                                               goto error;
-                               }
+                               err_code |= ssl_sock_load_cert_list_file(crtlist_name, 0, b, curproxy, &err);
+                               if (err_code & ERR_CODE)
+                                       goto error;
                        }
                }
        }