git.ipfire.org Git - thirdparty/haproxy.git/commit

author	William Lallemand <wlallemand@haproxy.org>
	Tue, 28 Dec 2021 17:47:17 +0000 (18:47 +0100)
committer	William Lallemand <wlallemand@haproxy.org>
	Wed, 29 Dec 2021 13:42:16 +0000 (14:42 +0100)
commit	2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32
tree	11bbd4d1945e9cc84f7888203fd0480f9b78f144	tree
parent	654726db5ab1160ad5dc8d356e2965e69c163dcf	commit \| diff

BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server

This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
certificates in a ckch for backend servers") in which the creation of
the SSL_CTX for a server was moved to the configuration parser when
using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().

The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
server") made it worse by setting the same SSL_CTX for every servers
using a default-server. Resulting in any SSL option on a server applied
to every server in its backend.

This patch fixes the issue by reintroducing a string which store the
path of certificate inside the server structure, and loading the
certificate in ssl_sock_prepare_srv_ctx() again.

This is a quick fix to backport, a cleaner way can be achieve by always
creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
properly the ssl_sock_load_srv_cert() function.

This patch fixes issue #1488.

Must be backported as far as 2.4.

include/haproxy/server-t.h		diff \| blob \| blame \| history
reg-tests/ssl/ssl_default_server.vtc		diff \| blob \| blame \| history
src/cfgparse-ssl.c		diff \| blob \| blame \| history
src/server.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history