It was reported by Przemyslaw Bromber that using the "generate-certificates"
option combined with AWS-LC would crash HAProxy when a request is done with a
SNI longer than 64 bytes.
The problem is that the certificate is generated with a CN greater than 64
bytes, which results in ssl_sock_do_create_cert() returning NULL. This
NULL value is then passed to SSL_set_SSL_CTX().
With OpenSSL, passing a NULL SSL_CTX does not seem to be an issue as it
would just ignore it.
With AWS_LC, passing a NULL seems to crash the function. This was
reported to upstream AWS-LC and fixed in patch
7487ad1dcd8
https://github.com/aws/aws-lc/pull/2946.
This must be backported in every branches.
ssl_ctx = (SSL_CTX *)lru->data;
if (!ssl_ctx && lru) {
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
+ if (!ssl_ctx)
+ goto error;
lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
}
SSL_set_SSL_CTX(ssl, ssl_ctx);
}
else {
ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
+ if (!ssl_ctx)
+ goto error;
SSL_set_SSL_CTX(ssl, ssl_ctx);
/* No LRU cache, this CTX will be released as soon as the session dies */
SSL_CTX_free(ssl_ctx);
return 1;
}
+error:
return 0;
}
int ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl)
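Review bot: The added NULL checks cover only a failed ssl_sock_do_create_cert(); in the cached branch `SSL_set_SSL_CTX(ssl, ssl_ctx);` can still be reached with a NULL ssl_ctx when `lru` is NULL, a case the `&& lru` test in the condition above it allows for, and that is the call the description says crashes AWS-LC. Adding `if (!ssl_ctx) goto error;` directly before that call, after the closing brace of the `if (!ssl_ctx && lru)` block, would close the remaining path. As displayed, `lru->data` is read before `lru` is tested, so a guard may sit on a line not shown here; that is worth confirming. The function body starts outside the hunk, so also confirm that nothing acquired earlier in the cached branch (a lock around the LRU tree, for example) is left held by the new `goto error`, since a request with an over-long SNI is enough to take that path.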