From: Emmanuel Hocdet
Date: Fri, 31 May 2013 10:47:44 +0000 (+0200)
Subject: BUG: ssl: fix crt-list for clients not supporting SNI
X-Git-Tag: v1.5-dev19~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=79274e2c4054e9170e570ce1f7d4a9a9725a5811;p=thirdparty%2Fhaproxy.git

BUG: ssl: fix crt-list for clients not supporting SNI

I left a mistake in my previous patch bringing the crt-list feature, it breaks clients with no SNI support. Also remove the useless wildp = NULL as per a previous discussion.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index a99fe3f921..8a39dade31 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -197,7 +197,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 if (!servername) {
 return (s->strict_sni ?
 SSL_TLSEXT_ERR_ALERT_FATAL :
- SSL_TLSEXT_ERR_ALERT_WARNING);
+ SSL_TLSEXT_ERR_NOACK);
 }
 
 for (i = 0; i < trash.size; i++) {
@@ -218,7 +218,6 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 node = n;
 break;
 }
- wildp = NULL; /* never match a wildcard after matching a neg */
 }
 if (!node && wildp) {
 /* lookup in wildcards names */
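Review bot: The no-SNI return at the top of the first hunk now chooses between `SSL_TLSEXT_ERR_ALERT_FATAL` and `SSL_TLSEXT_ERR_NOACK`, but nothing in the code says why the non-strict case must not return a warning, so the reason lives only in the commit message. A comment above `if (!servername)` would guard against a later revert, for example `/* no SNI from the client: fatal alert under strict_sni, otherwise NOACK so the handshake continues without an alert */`. The same comment should say that with `strict_sni` unset such clients presumably complete the handshake on the bind's default context, so setups that rely on per-name certificates for isolation need strict SNI enabled. The body of `ssl_sock_switchctx_cbk` starts and ends outside the hunk, so how the default context is selected cannot be confirmed from here.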