From: William Lallemand Date: Fri, 22 Apr 2022 12:48:45 +0000 (+0200) Subject: MEDIUM: httpclient/ssl: verify required X-Git-Tag: v2.6-dev7~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf5cb0b524b3a8a1b3ef54ca87eff1a4a28e7838;p=thirdparty%2Fhaproxy.git MEDIUM: httpclient/ssl: verify required The httpclient HTTPS requests now enable the "verify required" option. To achieve this, the "@system-ca" ca-file is configured in the httpclient ssl server. Which means all the system CAs will be loaded at haproxy startup.
---
diff --git a/src/http_client.c b/src/http_client.c
index 0e9621713d..60d05e6cb8 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -15,6 +15,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1039,7 +1040,11 @@ static int httpclient_precheck()
 if (!httpclient_srv_ssl->id)
 goto err;
- httpclient_srv_ssl->ssl_ctx.verify = SSL_SOCK_VERIFY_NONE;
+ httpclient_srv_ssl->ssl_ctx.verify = SSL_SOCK_VERIFY_REQUIRED;
+ httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca");
+ if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT))
+ goto err;
+
 #endif
 /* add the proxy in the proxy list only if everything is successful */
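Review bot: The result of `strdup("@system-ca")` is stored into `ssl_ctx.ca_file` and passed straight to `ssl_store_load_locations_file()` with no NULL check, so an allocation failure would hand a NULL path to the loader instead of taking the existing error path. Inserting `if (!httpclient_srv_ssl->ssl_ctx.ca_file) goto err;` between the `strdup` and the load call keeps this consistent with the `if (!httpclient_srv_ssl->id) goto err;` check just above it in the same hunk. Whether the `err:` label releases `ca_file` cannot be seen from here, since httpclient_precheck starts and ends outside the hunk. Since the server now requires peer verification, a one-line comment on the `SSL_SOCK_VERIFY_REQUIRED` line would help the next reader, e.g. `/* HTTPS requests validate the peer chain against the system CA store ("@system-ca") */`.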