From: William Lallemand Date: Wed, 4 Dec 2019 14:33:01 +0000 (+0100) Subject: BUG/MINOR: ssl/cli: don't overwrite the filters variable X-Git-Tag: v2.2-dev1~216 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=920b0352389be2f615494e6c2b1327b11bfd1dda;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl/cli: don't overwrite the filters variable When a crt-list line using an already used ckch_store does not contain filters, it will overwrite the ckchs->filters variable with 0. This problem will generate all sni_ctx of this ckch_store without filters. Filters generation mustn't be allowed in any case. Must be backported in 2.1. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index e0d3f10143..57e97fd2c0 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3858,7 +3858,7 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c /* at least one of the instances is using filters during the config * parsing, that's ok to inherit this during loading on CLI */ - ckchs->filters = !!fcount; + ckchs->filters |= !!fcount; /* Process each ckch and update keytypes for each CN/SAN * for example, if CN/SAN www.a.com is associated with @@ -4102,7 +4102,7 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, /* at least one of the instances is using filters during the config * parsing, that's ok to inherit this during loading on CLI */ - ckchs->filters = !!fcount; + ckchs->filters |= !!fcount; ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) {
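Review bot: In the ckch_inst_new_load_multi_store hunk (@@ -3858), `ckchs->filters |= !!fcount;` now reads the value the field already holds, so the result is only correct if ckchs->filters is 0 when the ckch_store is first created, and that initialization is not visible in this diff. Please confirm the store is zero-initialized on allocation. The unchanged comment above the statement still reads as a plain assignment. Suggest extending it to say that the flag is only ever set here and never cleared, so a later crt-list line without filters cannot reset it, which is the case the commit message describes.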
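Review bot: In the ckch_inst_new_load_store hunk (@@ -4102), the comment and the `ckchs->filters |= !!fcount;` statement are an exact copy of those in ckch_inst_new_load_multi_store, and this commit had to fix the same defect in both places. Consider moving the flag update into one small helper called from both functions, so the single-store and multi-store paths cannot drift apart the next time this logic changes.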