Prevent unused ssl_crtd helpers being run
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 22 May 2015 04:55:35 +0000 (21:55 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 22 May 2015 04:55:35 +0000 (21:55 -0700)
The condition for when to start ssl_crtd helpers was ignoring the
generate-host-certificates=off option, meaning most ssl-bump installs
were running them needlessly.

src/ssl/helper.cc

index 4eeeca42272b6f2774f88b5cd8693fdf4b45c8b9..30892d5aa8fce5c3dc6223ec08c332952aee0621 100644 (file)
@@ -41,12 +41,13 @@ void Ssl::Helper::Init()
 {
     assert(ssl_crtd == NULL);
 
-    // we need to start ssl_crtd only if some port(s) need to bump SSL
+    // we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
+    // TODO: generate host certificates for SNI enabled accel ports
     bool found = false;
     for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
-        found = s->flags.tunnelSslBumping;
+        found = s->flags.tunnelSslBumping && s->generateHostCertificates;
     for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
-        found = s->flags.tunnelSslBumping;
+        found = s->flags.tunnelSslBumping && s->generateHostCertificates;
     if (!found)
         return;