Since the commit
f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after
'crt' are ignored."], the certificates generation is broken.
To generate a certificate, we retrieved the private key of the default
certificate using the SSL object. But since the commit
f6b37c67, the SSL object
is created with a dummy certificate (initial_ctx).
So to fix the bug, we use directly the default certificate in the bind_conf
structure. We use SSL_CTX_get0_privatekey function to do so. Because this
function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been added
in openssl-compat.h with the right #ifdef.
}
#endif
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) || defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * Functions introduced in OpenSSL 1.0.2 and not yet present in LibreSSL
+ */
+EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+{
+ if (ctx->cert != NULL)
+ return ctx->cert->key->privatekey;
+ else
+ return NULL;
+}
+#endif
+
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
/*
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
unsigned int i;
int key_type;
- /* Get the private key of the defautl certificate and use it */
- if (!(pkey = SSL_get_privatekey(ssl)))
+ /* Get the private key of the default certificate and use it */
+ if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))
goto mkcert_error;
/* Create the certificate */
projects / thirdparty / haproxy.git / commitdiff
