From: William Lallemand Date: Fri, 19 Apr 2024 12:18:32 +0000 (+0200) Subject: MAJOR: ssl: use the msg callback mecanism for backend connections X-Git-Tag: v3.0-dev8~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1494cd71379b556ef9fa37f487d0083f33b2e2d0;p=thirdparty%2Fhaproxy.git MAJOR: ssl: use the msg callback mecanism for backend connections Backend SSL connections never used the ssl_sock_msg_callbacks() which prevent the use of keylog on the server side. The impact should be minimum, though it add a major callback system for protocol analysis, which is the same used on frontend connections. https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_msg_callback.html The patch add a call to SSL_CTX_set_msg_callback() in ssl_sock_prepare_srv_ssl_ctx() the same way it's done for bind lines in ssl_sock_prepare_ctx(). --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index c44c9e7e38..e629ca2d84 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5144,6 +5144,9 @@ static int ssl_sock_prepare_srv_ssl_ctx(const struct server *srv, SSL_CTX *ctx) cfgerr++; } +#ifdef SSL_CTRL_SET_MSG_CALLBACK + SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk); +#endif #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES if (srv->ssl_ctx.ciphersuites && !SSL_CTX_set_ciphersuites(ctx, srv->ssl_ctx.ciphersuites)) {
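Review bot: the new `SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk)` block installs the callback unconditionally on every server-side `SSL_CTX`, so `ssl_sock_msgcbk` will be invoked for every TLS record on every backend connection even when neither keylog nor any protocol-analysis feature is in use; the commit message says the impact "should be minimum", but that is per-record overhead on the hot path, so either state in the message that this matches the unconditional frontend behaviour in `ssl_sock_prepare_ctx()` or gate the call on the features that need it. Since the same `ssl_sock_msgcbk` that was written for frontend (server-role) sessions is now reused for backend (client-role) sessions, the commit should also confirm that the callback, and in particular the keylog path, handles the reversed direction correctly, and the documentation for the keylog feature should say that it now captures secrets of backend sessions as well, which matters for anyone who has enabled it assuming only frontend traffic was affected. Minor: in the subject line "mecanism" should read "mechanism", and in the body "it add a major callback system" should read "it adds".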