From: William Lallemand
Date: Wed, 21 Jan 2026 06:03:03 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: fix error path on generate-certificates
X-Git-Tag: v3.4-dev3~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbc98ebcdaefd4c024b33194640350ba0c348567;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: fix error path on generate-certificates

It was reported by Przemyslaw Bromber that using the "generate-certificates" option combined with AWS-LC would crash HAProxy when a request is done with a SNI longer than 64 bytes.

The problem is that the certificate is generated with a CN greater than 64 bytes, which results in ssl_sock_do_create_cert() returning NULL. This NULL value is then passed to SSL_set_SSL_CTX.

With OpenSSL, passing a NULL SSL_CTX does not seem to be an issue as it would just ignore it. With AWS-LC, passing a NULL seems to crash the function.

This was reported to upstream AWS-LC and fixed in patch 7487ad1dcd8 https://github.com/aws/aws-lc/pull/2946.

This must be backported to every branch.
---
diff --git a/src/ssl_gencert.c b/src/ssl_gencert.c
index 1fb84784f..ccb5d1b0d 100644
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@@ -352,6 +352,8 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind ssl_ctx = (SSL_CTX *)lru->data; if (!ssl_ctx && lru) { ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); + if (!ssl_ctx) + goto error; lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free); } SSL_set_SSL_CTX(ssl, ssl_ctx);
@@ -360,11 +362,14 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind } else { ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl); + if (!ssl_ctx) + goto error; SSL_set_SSL_CTX(ssl, ssl_ctx); /* No LRU cache, this CTX will be released as soon as the session dies */ SSL_CTX_free(ssl_ctx); return 1; } +error: return 0; } int ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl)
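Review bot: the new `goto error` in the first hunk (@@ -352) jumps out of the LRU branch before whatever follows `SSL_set_SSL_CTX(ssl, ssl_ctx);` in that branch, and those lines (357-359) are outside the hunk. The comment "No LRU cache" in the other branch marks this one as the shared-cache path; if the lookup and `lru64_commit()` are performed under a lock, the error path must release it as well, otherwise the next call that reaches the cache blocks, and the entry returned by the lookup is now obtained but never committed. Suggest undoing the lookup state and releasing any lock before the jump, or giving this branch its own cleanup label, e.g. `if (!ssl_ctx) { /* unlock / drop lru entry here */ goto error; }`.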
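Review bot: the `error:` label added in the second hunk (@@ -360) is reached only through the two new gotos and simply returns 0, so the caller gets no indication of why generation failed; since the commit message identifies a CN longer than 64 bytes as the trigger, consider emitting a trace or debug message on that path (or inside `ssl_sock_do_create_cert()`) so an operator can tell an oversized SNI apart from other failures. Returning 0 also means the handshake continues with whatever SSL_CTX was already attached to `ssl`; worth confirming with the callers (`ssl_sock_generate_certificate_from_conn()` in the trailing context) that this silent fallback is the intended behaviour rather than aborting the handshake.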