BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

Bug reported by John Leach: no-sslv3 does not work using some certificates.

It appears that ssl ctx is not updated with configured options if the
CommonName of the certificate's subject is not found.

It applies only on the first cerificate of a configured bind line.

There is no security impact, because only invalid nameless certficates
are concerned.

This fix must be backported to 1.5

diff --git a/Makefile b/Makefile
index 0d1d13a2e2065b2dc571e03cec2959ab9bd7fa85..ee7473cedab8fe434decf38253b8eefa9576dab6 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -540,7 +540,7 @@ ifneq ($(USE_OPENSSL),)
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 BUILD_OPTIONS   += $(call ignore_implicit,USE_OPENSSL)
 OPTIONS_CFLAGS  += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
-OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
 OPTIONS_OBJS  += src/ssl_sock.o src/shctx.o
 ifneq ($(USE_PRIVATE_CACHE),)
 OPTIONS_CFLAGS  += -DUSE_PRIVATE_CACHE

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9f4b061e95b51e4d5b3f1063ac5f8282fbdf45af..fbf8f9a624fcfc3526b771e52c317a0e5bd4e041 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1957,10 +1957,15 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
        if (!bind_conf || !bind_conf->is_ssl)
                return 0;
 
+       if (bind_conf->default_ctx)
+               err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
        node = ebmb_first(&bind_conf->sni_ctx);
        while (node) {
                sni = ebmb_entry(node, struct sni_ctx, name);
-               if (!sni->order) /* only initialize the CTX on its first occurrence */
+               if (!sni->order && sni->ctx != bind_conf->default_ctx)
+                       /* only initialize the CTX on its first occurrence and
+                          if it is not the default_ctx */
                        err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
                node = ebmb_next(node);
        }
@@ -1968,7 +1973,9 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
        node = ebmb_first(&bind_conf->sni_w_ctx);
        while (node) {
                sni = ebmb_entry(node, struct sni_ctx, name);
-               if (!sni->order) /* only initialize the CTX on its first occurrence */
+               if (!sni->order && sni->ctx != bind_conf->default_ctx)
+                       /* only initialize the CTX on its first occurrence and
+                          if it is not the default_ctx */
                        err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
                node = ebmb_next(node);
        }