BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

Bug reported by John Leach: no-sslv3 does not work using some certificates.

It appears that ssl ctx is not updated with configured options if the
CommonName of the certificate's subject is not found.

It applies only on the first certificate of a configured bind line.

There is no security impact, because only invalid nameless certificates
are concerned.

This fix must be backported to 1.5
Emeric Brun 2014-10-30 19:25:24 +01:00 committed by Willy Tarreau
parent 2c86cbf753
commit 0bed9945ee
2 changed files with 10 additions and 3 deletions


@ -540,7 +540,7 @@ ifneq ($(USE_OPENSSL),)
# in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib. # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
BUILD_OPTIONS += $(call ignore_implicit,USE_OPENSSL) BUILD_OPTIONS += $(call ignore_implicit,USE_OPENSSL)
OPTIONS_CFLAGS += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC)) OPTIONS_CFLAGS += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
OPTIONS_OBJS += src/ssl_sock.o src/shctx.o OPTIONS_OBJS += src/ssl_sock.o src/shctx.o
ifneq ($(USE_PRIVATE_CACHE),) ifneq ($(USE_PRIVATE_CACHE),)
OPTIONS_CFLAGS += -DUSE_PRIVATE_CACHE OPTIONS_CFLAGS += -DUSE_PRIVATE_CACHE
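Review bot: The `-ldl` appended to `OPTIONS_LDFLAGS` (taking the right-hand copy of the changed line as the new side) is not mentioned anywhere in the commit message, which describes only the ssl ctx fix, so it reads as an unrelated build change bundled into a BUG/MINOR commit. It is also added unconditionally; on targets where dlopen lives in libc rather than a separate libdl (the BSDs and macOS, as far as I know) the link step may now fail. I would either split it into its own commit with a one-line rationale, or gate it on the target, e.g. through a make variable defaulting to `-ldl` that such targets can set empty (the variable name would be new). The enclosing `ifneq ($(USE_OPENSSL),)` block starts before the hunk.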


@ -1957,10 +1957,15 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
if (!bind_conf || !bind_conf->is_ssl) if (!bind_conf || !bind_conf->is_ssl)
return 0; return 0;
if (bind_conf->default_ctx)
err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
node = ebmb_first(&bind_conf->sni_ctx); node = ebmb_first(&bind_conf->sni_ctx);
while (node) { while (node) {
sni = ebmb_entry(node, struct sni_ctx, name); sni = ebmb_entry(node, struct sni_ctx, name);
if (!sni->order) /* only initialize the CTX on its first occurrence */ if (!sni->order && sni->ctx != bind_conf->default_ctx)
/* only initialize the CTX on its first occurrence and
if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px); err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node); node = ebmb_next(node);
} }
@ -1968,7 +1973,9 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
node = ebmb_first(&bind_conf->sni_w_ctx); node = ebmb_first(&bind_conf->sni_w_ctx);
while (node) { while (node) {
sni = ebmb_entry(node, struct sni_ctx, name); sni = ebmb_entry(node, struct sni_ctx, name);
if (!sni->order) /* only initialize the CTX on its first occurrence */ if (!sni->order && sni->ctx != bind_conf->default_ctx)
/* only initialize the CTX on its first occurrence and
if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px); err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node); node = ebmb_next(node);
} }
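Review bot: In the new condition of the `sni_ctx` loop, the two-line comment is placed between the unbraced `if` and its single statement, which makes the body easy to misread and is exactly the shape brace-every-body rules exist to prevent; the same layout is repeated in the `sni_w_ctx` loop of the second hunk. I would move the comment above the condition and brace the body: `/* prepare each CTX once; default_ctx was already prepared above */` then `if (!sni->order && sni->ctx != bind_conf->default_ctx) {` ... `}`. The new `if (bind_conf->default_ctx)` block would also benefit from a one-line comment giving the reason it is prepared separately, which currently lives only in the commit message, something like `/* the default ctx may have no SNI entry (certificate without a CN), so prepare it explicitly */`. ssl_sock_prepare_all_ctx begins before the first hunk and continues past the second, so `err` and `node` are declared outside the visible lines.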