dnsdist: Fix handling of IP-only TLS certificates

To properly handle SNI with OpenSSL, we have to keep track of the TLS
names supported by the different certificates associated to a frontend.
Since IP-only names are not involved in SNI negotiations, we are currently
skipping them when creating the TLS SNI map. Unfortunately this causes
an issue when we have a single certificate that only contains IPs,
the default context not being properly set.
This commit ensures the default context is properly set in that case.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index 926f1c75b0850a8a089b21470b97ec3d95752f03..684b35bbbfa494220cccde122c2b31ce5c64dca7 100644 (file)
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -1249,7 +1249,12 @@ std::pair<pdns::libssl::ServerContext, std::vector<std::string>> libssl_init_ser
 
       addCertificateAndKey(ctx);
       auto names = get_names_from_last_certificate(*ctx);
-      mergeNewCertificateAndKey(serverContext, ctx, names, addCertificateAndKey);
+      if (!names.empty()) {
+        mergeNewCertificateAndKey(serverContext, ctx, names, addCertificateAndKey);
+      }
+      else if (!serverContext.d_defaultContext) {
+        serverContext.d_defaultContext = ctx;
+      }
 #else
       throw std::runtime_error("PKCS12 files are not supported by your openssl version");
 #endif /* HAVE_SSL_CTX_USE_CERT_AND_KEY */
@@ -1267,7 +1272,12 @@ std::pair<pdns::libssl::ServerContext, std::vector<std::string>> libssl_init_ser
 
       addCertificateAndKey(ctx);
       auto names = get_names_from_last_certificate(*ctx);
-      mergeNewCertificateAndKey(serverContext, ctx, names, addCertificateAndKey);
+      if (!names.empty()) {
+        mergeNewCertificateAndKey(serverContext, ctx, names, addCertificateAndKey);
+      }
+      else if (!serverContext.d_defaultContext) {
+        serverContext.d_defaultContext = ctx;
+      }
     }
 
     if (SSL_CTX_check_private_key(ctx.get()) != 1) {