From: Willy Tarreau Date: Tue, 7 Jul 2015 16:04:38 +0000 (+0200) Subject: MINOR: ssl: make self-generated certs also work with raw IPv6 addresses X-Git-Tag: v1.6-dev3~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f67214554cfb3117effab1f0b705d027354f4b36;p=thirdparty%2Fhaproxy.git MINOR: ssl: make self-generated certs also work with raw IPv6 addresses The current method of retrieving the incoming connection's destination address to hash it is not compatible with IPv6 nor the proxy protocol because it directly tries to get an IPv4 address from the socket. Instead we must ask the connection. This is only used when no SNI is provided.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index dcbef4c574..aa7bb1bd8d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1188,18 +1188,20 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 if (!servername) {
- struct sockaddr to;
- int fd;
-
- if (s->generate_certs &&
- (fd = SSL_get_fd(ssl)) != -1 &&
- tcp_get_dst(fd, &to, sizeof(to), 0) != -1) {
- unsigned int serial = ssl_sock_generated_cert_serial(&to, sizeof(to));
- SSL_CTX *ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
- if (ctx) {
- /* switch ctx */
- SSL_set_SSL_CTX(ssl, ctx);
- return SSL_TLSEXT_ERR_OK;
+ if (s->generate_certs) {
+ struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
+ unsigned int serial;
+ SSL_CTX *ctx;
+
+ conn_get_to_addr(conn);
+ if (conn->flags & CO_FL_ADDR_TO_SET) {
+ serial = ssl_sock_generated_cert_serial(&conn->addr.to, get_addr_len(&conn->addr.to));
+ ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
+ if (ctx) {
+ /* switch ctx */
+ SSL_set_SSL_CTX(ssl, ctx);
+ return SSL_TLSEXT_ERR_OK;
+ }
 }
 }
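Review bot: The pointer returned by `SSL_get_app_data(ssl)` is passed to `conn_get_to_addr(conn)` and then dereferenced as `conn->flags` without a NULL check, whereas the removed code validated its `SSL_get_fd()` result before using it; the callback now silently depends on the connection having been attached as app data somewhere outside this hunk. A cheap guard keeps the no-SNI path from crashing the handshake if that invariant is ever broken: `struct connection *conn = SSL_get_app_data(ssl);` followed by `if (conn) conn_get_to_addr(conn);` and `if (conn && (conn->flags & CO_FL_ADDR_TO_SET)) {`. The explicit `(struct connection *)` cast on a `void *` is unnecessary in C and only hides type changes. Since the serial now derives from whatever address the connection reports, which with the proxy protocol is supplied by the upstream proxy, a one-line comment above `ssl_sock_generated_cert_serial` noting that the hash input may be proxy-provided would help the next reader. The enclosing ssl_sock_switchctx_cbk continues outside the hunk.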