From: Frédéric Lécaille
Date: Mon, 13 Mar 2017 14:52:01 +0000 (+0100)
Subject: MINOR: server: Make 'default-server' support 'verifyhost' setting.
X-Git-Tag: v1.8-dev1~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=273f321404210c6c49f295ee00249d8c4cae21ae;p=thirdparty%2Fhaproxy.git
MINOR: server: Make 'default-server' support 'verifyhost' setting.
This patch makes 'default-server' directive support 'verifyhost' setting. Note: there was a little memory leak when several 'verifyhost' arguments were supplied on the same 'server' line.
---
diff --git a/src/server.c b/src/server.c
index b69d1d1d02..5819b754bb 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1298,6 +1298,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 #if defined(USE_OPENSSL)
 /* SSL config. */
 newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
+ if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
+ newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
 #endif
 cur_arg = 3;
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5285e244cf..34860fe4e9 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6792,6 +6792,7 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
 return ERR_ALERT | ERR_FATAL;
 }
+ free(newsrv->ssl_ctx.verify_host);
 newsrv->ssl_ctx.verify_host = strdup(args[*cur_arg + 1]);
 return 0;
@@ -7518,7 +7519,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 { "tlsv12", srv_parse_tlsv12, 0, 1 }, /* enable TLSv12 */
 { "tls-tickets", srv_parse_tls_tickets, 0, 1 }, /* enable session resumption tickets */
 { "verify", srv_parse_verify, 1, 1 }, /* set SSL verify method */
- { "verifyhost", srv_parse_verifyhost, 1, 0 }, /* require that SSL cert verifies for hostname */
+ { "verifyhost", srv_parse_verifyhost, 1, 1 }, /* require that SSL cert verifies for hostname */
 { NULL, NULL, 0, 0 },
 }};
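Review bot: The `strdup()` added in the `parse_server` hunk of src/server.c is not checked, so an allocation failure leaves `newsrv->ssl_ctx.verify_host` NULL and the server silently loses the hostname it was meant to inherit from `default-server`. For a setting that pins the expected certificate name, that should fail the parse rather than continue with a weaker check. The same applies to the `strdup()` in `srv_parse_verifyhost` (src/ssl_sock.c), which now frees the old value first and still returns 0 if the copy failed; a guard such as `if (!newsrv->ssl_ctx.verify_host) return ERR_ALERT | ERR_FATAL;` would match the error return visible just above it. How `parse_server` reports errors is outside this hunk, so the equivalent check there should follow whatever that function already does.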
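Review bot: The new `free()` in `srv_parse_verifyhost` has no comment saying why it is needed, and after this commit there are two reasons for it: a repeated `verifyhost` on one line, and a value already copied from `default-server` by `parse_server`. A one-line comment above it, e.g. `/* release a value inherited from default-server or set by an earlier 'verifyhost' */`, would keep a later cleanup from removing it as redundant. The function starts above this hunk, so the comment should be checked against how `newsrv` is initialised there.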