git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Mon, 25 Jan 2021 16:19:43 +0000 (17:19 +0100)
committer	William Lallemand <wlallemand@haproxy.org>
	Tue, 26 Jan 2021 14:19:36 +0000 (15:19 +0100)
commit	d817dc733eacfd7cf5bb0bbc6128f44644db078e
tree	457fecdb837df96fe5d1e94da55f09415789dc01	tree
parent	ec805a32b9db4822c6ef54c8f31d50c533d928d4	commit \| diff

MEDIUM: ssl: Load client certificates in a ckch for backend servers

In order for the backend server's certificate to be hot-updatable, it
needs to fit into the implementation used for the "bind" certificates.
This patch follows the architecture implemented for the frontend
implementation and reuses its structures and general function calls
(adapted for the server side).
The ckch store logic is kept and a dedicated ckch instance is used (one
per server). The whole sni_ctx logic was not kept though because it is
not needed.
All the new functions added in this patch are basically server-side
copies of functions that already exist on the frontend side with all the
sni and bind_cond references removed.
The ckch_inst structure has a new 'is_server_instance' flag which is
used to distinguish regular instances from the server-side ones, and a
new pointer to the server's structure in case of backend instance.
Since the new server ckch instances are linked to a standard ckch_store,
a lookup in the ckch store table will succeed so the cli code used to
update bind certificates needs to be covered to manage those new server
side ckch instances.

include/haproxy/server-t.h		diff \| blob \| blame \| history
include/haproxy/ssl_ckch-t.h		diff \| blob \| blame \| history
include/haproxy/ssl_ckch.h		diff \| blob \| blame \| history
include/haproxy/ssl_sock.h		diff \| blob \| blame \| history
src/cfgparse-ssl.c		diff \| blob \| blame \| history
src/ssl_ckch.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history