From: William Lallemand
Date: Fri, 4 Dec 2020 14:45:02 +0000 (+0100)
Subject: MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
X-Git-Tag: v2.4-dev3~50
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b7fdfdfd92b9fdc6a3f742643760d6415fdc6f6b;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1

Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a multi-certificate bundle in the configuration. This patch emits a fatal error when HAProxy tries to load a bundle with an older version of HAProxy.

This problem was encountered by a user in issue #990.

This must be backported in 2.3.
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index ba09799978..5002c0b573 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c @@ -602,6 +602,13 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu entry_dup = NULL; /* the entry was used, we need a new one next round */ } +#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L + if (found) { + memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n", + err && *err ? *err : "", crt_path); + cfgerr |= ERR_ALERT | ERR_FATAL; + } +#endif } if (!found) { memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n", diff --git a/src/ssl_sock.c b/src/ssl_sock.c index b7d3b92b43..e1de595fd2 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3543,7 +3543,13 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) } } } - +#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L + if (found) { + memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n", + err && *err ? *err : "", path); + cfgerr |= ERR_ALERT | ERR_FATAL; + } +#endif } } if (!found) {
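Review bot: in the ssl_crtlist.c hunk (crtlist_parse_file), the new `#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L` block sets `cfgerr |= ERR_ALERT | ERR_FATAL` but nothing after it leaves the loop or the function, so parsing keeps going after a fatal condition has been flagged, and because `found` stays true the following `if (!found)` branch is skipped as well. Relying on the caller to honour `ERR_FATAL` works, but a `goto` to the function's error path or an early return right after `cfgerr |= ERR_ALERT | ERR_FATAL;` would make the fail-closed intent explicit and stop further work on a bundle that cannot be loaded. Minor: the string "Loading a multi certificates bundle" reads better as "Loading a multi-certificate bundle".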
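Review bot: the ssl_sock.c hunk (ssl_sock_load_cert) duplicates the version constant `0x10101000L`, the `if (found)` test and the full error string from the ssl_crtlist.c hunk verbatim; the two copies will drift, so put the check in one small helper (for example a hypothetical `ssl_bundle_check_support(err, path)` returning the `cfgerr` bits) and call it from both sites. The hunk also deletes an unrelated blank line (the lone `-` line), which is a cosmetic change mixed into a functional fix that is destined for a 2.3 backport; keep the blank line or move that cleanup to its own commit. Finally, the condition is on `HA_OPENSSL_VERSION_NUMBER`, i.e. the OpenSSL version HAProxy was built against, while the commit message says "an older version of HAProxy"; correcting the message to say OpenSSL avoids confusing whoever does the backport.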