konevsa/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: ssl: Add reference to default ckch instance in bind_conf

Browse Source 
In order for the link between the cafile_entry and the default ckch
instance to be built, we need to give a pointer to the instance during
the ssl_sock_prepare_ctx call.
This commit is contained in:
Remi Tricot-Le Breton 2021-04-13 16:07:29 +02:00 committed by William Lallemand
parent 4458b9732d
commit 40ddea8222
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/haproxy/listener-t.h
View File

@ -164,6 +164,7 @@ struct bind_conf {
unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
SSL_CTX *initial_ctx; /* SSL context for initial negotiation */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
struct ckch_inst *default_inst;
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
int ssl_options; /* ssl options */

5
src/ssl_sock.c
View File

@ -2933,6 +2933,7 @@ void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_
SSL_CTX_free(bind_conf->default_ctx);
SSL_CTX_up_ref(ckch_inst->ctx);
bind_conf->default_ctx = ckch_inst->ctx;
bind_conf->default_inst = ckch_inst;
}
}
@ -3368,6 +3369,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
bind_conf->default_ssl_conf = ssl_conf;
ckch_inst->is_default = 1;
SSL_CTX_up_ref(ctx);
bind_conf->default_inst = ckch_inst;
}
/* Always keep a reference to the newly constructed SSL_CTX in the
@ -4903,7 +4905,7 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, NULL, bind_conf->initial_ctx, NULL, &errmsg);
}
if (bind_conf->default_ctx) {
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, NULL, &errmsg);
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, bind_conf->default_inst, &errmsg);
}
node = ebmb_first(&bind_conf->sni_ctx);
@ -5054,6 +5056,7 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
bind_conf->initial_ctx = NULL;
SSL_CTX_free(bind_conf->default_ctx);
bind_conf->default_ctx = NULL;
bind_conf->default_inst = NULL;
bind_conf->default_ssl_conf = NULL;
}