From: Emeric Brun <ebrun@haproxy.com>
Date: Thu, 30 Oct 2014 18:25:24 +0000 (+0100)
Subject: BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
X-Git-Tag: v1.6-dev1~282
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bed994;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

Bug reported by John Leach: no-sslv3 does not work using some certificates.

It appears that ssl ctx is not updated with configured options if the
CommonName of the certificate's subject is not found.

It applies only on the first cerificate of a configured bind line.

There is no security impact, because only invalid nameless certficates
are concerned.

This fix must be backported to 1.5
---

diff --git a/Makefile b/Makefile
index 0d1d13a2e2..ee7473ceda 100644
--- a/Makefile
+++ b/Makefile
@@ -540,7 +540,7 @@ ifneq ($(USE_OPENSSL),)
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 BUILD_OPTIONS   += $(call ignore_implicit,USE_OPENSSL)
 OPTIONS_CFLAGS  += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
-OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
 OPTIONS_OBJS  += src/ssl_sock.o src/shctx.o
 ifneq ($(USE_PRIVATE_CACHE),)
 OPTIONS_CFLAGS  += -DUSE_PRIVATE_CACHE
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9f4b061e95..fbf8f9a624 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1957,10 +1957,15 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 	if (!bind_conf || !bind_conf->is_ssl)
 		return 0;
 
+	if (bind_conf->default_ctx)
+		err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
 	node = ebmb_first(&bind_conf->sni_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}
@@ -1968,7 +1973,9 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 	node = ebmb_first(&bind_conf->sni_w_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}