From: Emmanuel Hocdet <manu@gandi.net>
Date: Wed, 9 Aug 2017 09:24:25 +0000 (+0200)
Subject: MINOR: ssl: allow to start without certificate if strict-sni is set
X-Git-Tag: v1.8-dev3~196
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa0d6372922882f58b54f851dfd7ca1f5a71b26d;p=thirdparty%2Fhaproxy.git

MINOR: ssl: allow to start without certificate if strict-sni is set

With strict-sni, ssl connection will fail if no certificate match. Have no
certificate in bind line, fail on all ssl connections. It's ok with the
behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is
never used. When 'strict-sni' is set, default_ctx is never used. Allow to start
without certificate only in this case.

Use case is to start haproxy with ssl before customer start to use certificates.
Typically with 'crt' on a empty directory and 'strict-sni' parameters.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d81dd70cb5..8d38f28595 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 		return 0;
 	}
 	if (!bind_conf->default_ctx) {
-		Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
-		      px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
-		return -1;
+		if (bind_conf->strict_sni && !bind_conf->generate_certs) {
+			Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
+				px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+		}
+		else {
+			Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
+			      px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+			return -1;
+		}
 	}
 
 	alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);