MINOR: ssl: allow to start without certificate if strict-sni is set

With strict-sni, ssl connection will fail if no certificate match. Have no
certificate in bind line, fail on all ssl connections. It's ok with the
behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is
never used. When 'strict-sni' is set, default_ctx is never used. Allow to start
without certificate only in this case.

Use case is to start haproxy with ssl before customer start to use certificates.
Typically with 'crt' on a empty directory and 'strict-sni' parameters.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d81dd70cb5c5899d12ac540becce2953636f60ea..8d38f285957b093f9409cfb60da8b79056dd2f16 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
                return 0;
        }
        if (!bind_conf->default_ctx) {
-               Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
-                     px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
-               return -1;
+               if (bind_conf->strict_sni && !bind_conf->generate_certs) {
+                       Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
+                               px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+               }
+               else {
+                       Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
+                             px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+                       return -1;
+               }
        }
 
        alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);