From: William Lallemand Date: Wed, 4 May 2022 12:53:41 +0000 (+0200) Subject: MEDIUM: httpclient: hard-error when SSL is configured X-Git-Tag: v2.6-dev9~102 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6fce46a910e4f7158139748b6892fdeda7848b3a;p=thirdparty%2Fhaproxy.git MEDIUM: httpclient: hard-error when SSL is configured The hard_error_ssl flag is set when the configuration is explicitely done for the ssl in the httpclient. If no configuration was made, the features are simply disabled and no alert is emitted. --- diff --git a/src/http_client.c b/src/http_client.c index 25011e94f7..a3d87caf3c 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -42,7 +42,10 @@ static struct proxy *httpclient_proxy; static struct server *httpclient_srv_raw; + #ifdef USE_OPENSSL +/* if the httpclient is not configured, error are ignored and features are limited */ +static int hard_error_ssl = 0; static struct server *httpclient_srv_ssl; static int httpclient_ssl_verify = SSL_SOCK_VERIFY_REQUIRED; #endif @@ -1155,10 +1158,18 @@ static int httpclient_precheck() if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) { httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca"); if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) { - ha_warning("httpclient: cannot initialize SSL verify with 'ca-file \"%s\"'. Disabling SSL.\n", httpclient_srv_ssl->ssl_ctx.ca_file); - ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file); - srv_drop(httpclient_srv_ssl); - httpclient_srv_ssl = NULL; + /* if we failed to load the ca-file, only quits in + * error with hard_error, otherwise just disable the + * feature. */ + if (hard_error_ssl) { + memprintf(&errmsg, "cannot initialize SSL verify with 'ca-file \"%s\"'.", httpclient_srv_ssl->ssl_ctx.ca_file); + err_code |= ERR_ALERT | ERR_FATAL; + goto err; + } else { + ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file); + srv_drop(httpclient_srv_ssl); + httpclient_srv_ssl = NULL; + } } } @@ -1273,6 +1284,9 @@ static int httpclient_parse_global_verify(char **args, int section_type, struct if (too_many_args(1, args, err, NULL)) return -1; + /* any configuration should set the hard_error flag */ + hard_error_ssl = 1; + if (strcmp(args[1],"none") == 0) httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE; else if (strcmp(args[1],"required") == 0)