From: William Lallemand Date: Thu, 21 Nov 2019 15:30:34 +0000 (+0100) Subject: MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit X-Git-Tag: v2.1.0~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ef0c2a5699c5c7fe559fb357594cb23fcd160bf;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/cli: apply SSL configuration on SSL_CTX during commit Apply the configuration of the ssl_bind_conf on the generated SSL_CTX. It's a little bit hacky at the moment because the ssl_sock_prepare_ctx() function was made for the configuration parsing, not for being using at runtime. Only the 'verify' bind keyword seems to cause a file access so we prevent it before calling the function. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 9c0962ca4e..27b9e097dd 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -10061,6 +10061,7 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) struct ckch_store *old_ckchs, *new_ckchs = NULL; struct ckch_inst *ckchi, *ckchis; struct buffer *trash = alloc_trash_chunk(); + struct sni_ctx *sc0, *sc0s; if (trash == NULL) goto error; @@ -10103,6 +10104,7 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) /* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */ list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) { struct ckch_inst *new_inst; + int verify = 0; /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */ if (y >= 10) { @@ -10111,6 +10113,15 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) goto yield; } + /* prevent ssl_sock_prepare_ctx() to do file access which is only for verify (crl/ca file) */ + verify = (ckchi->ssl_conf && ckchi->ssl_conf->verify) ? ckchi->ssl_conf->verify : ckchi->bind_conf->ssl_conf.verify; + if (verify & SSL_VERIFY_PEER) { + memprintf(&err, "%sCan't commit a certificate which use the 'verify' bind SSL option [%s:%d]\n", err ? err : "", ckchi->bind_conf->file, ckchi->bind_conf->line); + errcode |= ERR_FATAL | ERR_ABORT; + goto error; + } + + if (new_ckchs->multi) errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err); else @@ -10123,6 +10134,17 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) if (ckchi->is_default) new_inst->is_default = 1; + /* we need to initialize the SSL_CTX generated */ + /* TODO: the prepare_ctx function need to be reworked to be safer there */ + list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) { + if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */ + errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err); + if (errcode & ERR_CODE) + goto error; + } + } + + /* display one dot per new instance */ chunk_appendf(trash, "."); /* link the new ckch_inst to the duplicate */ @@ -10149,7 +10171,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) /* delete the old sni_ctx, the old ckch_insts and the ckch_store */ list_for_each_entry_safe(ckchi, ckchis, &old_ckchs->ckch_inst, by_ckchs) { - struct sni_ctx *sc0, *sc0s; HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock); list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {