int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
+const char *ha_default_cert_dir();
extern struct cert_exts cert_exts[];
extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
return retval;
}
+/*
+ * return the default verify cert directory.
+ *
+ * It might provided by the SSL library or set in an environment variable
+ * (commonly SSL_CERT_DIR)
+ */
+const char *ha_default_cert_dir()
+{
+ const char *dir = NULL;
+ const char *certdir_varname = X509_get_default_cert_dir_env();
+
+ if (certdir_varname)
+ dir = getenv(certdir_varname);
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ return dir;
+}
+
/*
* Try to load a ca-file from disk into the ca-file cache.
* <shuterror> allows you to to stop emitting the errors.
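Review bot: `ha_default_cert_dir()` resolves the trust directory with plain `getenv()`, whereas OpenSSL's own default-path lookup goes through its safe getenv wrapper (`secure_getenv` on glibc, as far as I recall), which ignores the environment when the process runs with elevated privileges; with this helper an attacker-influenced environment can redirect `@system-ca` to an arbitrary directory in situations where the library itself would have refused, so either use `secure_getenv(3)` where available or state in the header comment that the environment is considered trusted. An empty value is also accepted as a directory name instead of being treated as unset; `if (dir == NULL || *dir == '\0')` before the fallback would follow the usual convention. The definition (and its prototype) should read `const char *ha_default_cert_dir(void)`, since an empty parameter list is an unprototyped declaration in C. The header comment has a typo: `It might be provided by the SSL library`.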
}
if (strcmp(path, "@system-ca") == 0) {
- dir = X509_get_default_cert_dir();
+ dir = ha_default_cert_dir();
if (!dir) {
if (!shuterror)
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
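Review bot: The alert still names `X509_get_default_cert_dir()` as the source of the directory, but after this change the value may come from the environment variable instead, so an operator who exported a bad value is pointed at the wrong place; suggest `ha_alert("Couldn't determine the system CA directory (neither the SSL_CERT_DIR environment variable nor the SSL library default).\n");`. Because `@system-ca` now honors an environment override of the trust store, this deserves a sentence in the `ca-file` keyword documentation, since it changes which CAs are trusted without any edit to the configuration file. The enclosing function starts and continues outside the hunk.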
#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
memprintf(&ptr, "%s\nSSL library FIPS mode : %s", ptr, FIPS_mode() ? "yes" : "no");
#endif
- memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());
+ memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, ha_default_cert_dir());
memprintf(&ptr, "%s\nSSL library supports :", ptr);
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (methodVersions[i].option)
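Review bot: The label `SSL library default verify directory` now prints the environment-resolved path rather than the library's compiled-in default, which hides whether an SSL_CERT_DIR override is in effect when someone reads this build-info output to debug a trust failure. Suggest keeping the library default on this line, `memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());`, and adding `memprintf(&ptr, "%s\nSSL library effective verify directory : %s", ptr, ha_default_cert_dir());` right after it. The enclosing function starts and ends outside the hunk.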