git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Wed, 29 Sep 2021 16:56:52 +0000 (18:56 +0200)
committer	William Lallemand <wlallemand@haproxy.org>
	Thu, 30 Sep 2021 09:04:35 +0000 (11:04 +0200)
commit	1fe0fad88b2093fc2d052f974332fe9aff7607f3
tree	84757fb21d9a0322284ad39baaeb7adaa494d983	tree \| snapshot
parent	61944f7a73b1762771b15c95d3e74780d0cdc4cd	commit \| diff

MINOR: ssl: Rename ssl_bc_hsk_err to ssl_bc_err

The ssl_bc_hsk_err sample fetch will need to raise more errors than only
handshake related ones hence its renaming to a more generic ssl_bc_err.
This patch is required because some handshake failures that should have
been caught by this fetch (verify error on the server side for instance)
were missed. This is caused by a change in TLS1.3 in which the
'Finished' state on the client is reached before its certificate is sent
(and verified) on the server side (see the "Protocol Overview" part of
RFC 8446).
This means that the SSL_do_handshake call is finished long before the
server can verify and potentially reject the client certificate.

The ssl_bc_hsk_err will then need to be expanded to catch other types of
errors.

This change is also applied to the frontend fetches (ssl_fc_hsk_err
becomes ssl_fc_err) and to their string counterparts.

doc/configuration.txt		diff \| blob \| blame \| history
include/haproxy/ssl_sock-t.h		diff \| blob \| blame \| history
reg-tests/ssl/ssl_errors.vtc		diff \| blob \| blame \| history
src/log.c		diff \| blob \| blame \| history
src/ssl_sample.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history