From: Willy Tarreau Date: Tue, 4 Sep 2012 06:03:39 +0000 (+0200) Subject: BUG: ssl: mark the connection as waiting for an SSL connection during the handshake X-Git-Tag: v1.5-dev12~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0573747da08f13547473db286631d54d36a4db9f;p=thirdparty%2Fhaproxy.git BUG: ssl: mark the connection as waiting for an SSL connection during the handshake The WAIT_L6_CONN was designed especially to ensure that the connection was not marked ready before the SSL layer was OK, but we forgot to set the flag, resulting in a rejected handshake when ssl was combined with accept-proxy because accept-proxy would validate the connection alone and the SSL handshake would then believe in a client-initiated reneg and kill it. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f5d054e74b..cfe788d273 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -86,7 +86,7 @@ static int ssl_sock_init(struct connection *conn) SSL_set_fd(conn->data_ctx, conn->t.sock.fd); /* leave init state and start handshake */ - conn->flags |= CO_FL_SSL_WAIT_HS; + conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; return 0; } else if (target_client(&conn->target)) { @@ -105,7 +105,7 @@ static int ssl_sock_init(struct connection *conn) SSL_set_app_data(conn->data_ctx, conn); /* leave init state and start handshake */ - conn->flags |= CO_FL_SSL_WAIT_HS; + conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; return 0; } /* don't know how to handle such a target */
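Review bot: In the first hunk (the branch preceding the `target_client()` case), the new line `conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;` sets the wait flag, but the diff shows nothing about where CO_FL_WAIT_L6_CONN is cleared once the handshake finishes; please confirm the handshake completion path clears it, otherwise the connection would never be reported ready. A short comment next to the assignment explaining why WAIT_L6_CONN is needed in addition to SSL_WAIT_HS (the accept-proxy interaction described in the commit message) would also help, since at a glance the two flags look redundant and a later cleanup could drop one of them.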
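Review bot: The second hunk repeats the first exactly (same `conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;` under the same "leave init state and start handshake" comment, this time in the `target_client()` branch); consider hoisting the flag assignment and the `return 0;` below the if/else chain so both branches share one line, which removes the chance of a flag being added to one branch and forgotten in the other, the pattern that produced this bug in the first place.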