BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init

With an OpenSSL library that uses the wrong OPENSSLDIR, HAProxy tries to
load OPENSSLDIR/certs/ into @system-ca, but emits a warning when it
can't.

This patch fixes the issue by allowing the error to be silenced when the SSL
configuration for the httpclient is not explicit.

Must be backported in 2.6.
This commit is contained in:
William Lallemand 2022-11-24 19:14:19 +01:00
parent 3992f55ff3
commit 0a2d63236c
3 changed files with 24 additions and 11 deletions


@ -67,6 +67,7 @@ struct cafile_entry *ssl_store_dup_cafile_entry(struct cafile_entry *src);
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
extern struct cert_exts cert_exts[];
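Review bot: The new prototype on the `__ssl_store_load_locations_file` line leaves the `shuterror` parameter undocumented at the declaration site, which is where callers will look; a one-line comment such as `/* shuterror: non-zero suppresses the ha_alert()/ha_warning() diagnostics; the return value is unchanged */` would help. Also worth noting that identifiers beginning with a double underscore are reserved for the implementation by the C standard, although HAProxy appears to use this prefix for internal variants elsewhere, so this is a matter of project convention rather than a defect.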


@ -1275,7 +1275,7 @@ struct proxy *httpclient_create_proxy(const char *id)
if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca");
if (!ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
if (!__ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl)) {
/* if we failed to load the ca-file, only quits in
* error with hard_error, otherwise just disable the
* feature. */
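Review bot: Passing `!hard_error_ssl` on the `__ssl_store_load_locations_file` line silences every diagnostic from the loader, so when the system CA directory is unusable and the httpclient SSL settings are implicit, the verify-required client is disabled with no trace in the startup output (the comment says the feature is "just disabled"). An operator then only finds out when an httpclient request fails, which is hard to debug; a lower-severity message in the non-hard-error branch, e.g. `ha_notice("httpclient: could not load ca-file '%s', disabling SSL\n", srv_ssl->ssl_ctx.ca_file);` (or the diagnostic-mode warning helper, whichever the tree provides), would keep the failure visible without restoring the alert. The rest of the branch, where the feature is actually disabled, is outside the hunk, so whether such a message already exists there cannot be confirmed from here.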


@ -1247,10 +1247,10 @@ end:
/*
* Try to load a ca-file from disk into the ca-file cache.
*
* <shuterror> allows you to to stop emitting the errors.
* Return 0 upon error
*/
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror)
{
X509_STORE *store = ssl_store_get0_locations_file(path);
@ -1268,21 +1268,24 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
store = X509_STORE_new();
if (!store) {
ha_alert("Cannot allocate memory!\n");
if (!shuterror)
ha_alert("Cannot allocate memory!\n");
goto err;
}
if (strcmp(path, "@system-ca") == 0) {
dir = X509_get_default_cert_dir();
if (!dir) {
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
if (!shuterror)
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
goto err;
}
} else {
if (stat(path, &buf) == -1) {
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
if (!shuterror)
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
goto err;
}
@ -1295,7 +1298,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
if (file) {
if (!X509_STORE_load_locations(store, file, NULL)) {
e = ERR_get_error();
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
if (!shuterror)
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
goto err;
}
} else if (dir) {
@ -1360,23 +1364,27 @@ scandir_err:
BIO_free(in);
free(de);
/* warn if it can load one of the files, but don't abort */
ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
if (!shuterror)
ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
}
free(de_list);
} else {
ha_alert("ca-file: couldn't load '%s'\n", path);
if (!shuterror)
ha_alert("ca-file: couldn't load '%s'\n", path);
goto err;
}
objs = X509_STORE_get0_objects(store);
cert_count = sk_X509_OBJECT_num(objs);
if (cert_count == 0) {
ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
if (!shuterror)
ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
}
ca_e = ssl_store_create_cafile_entry(path, store, type);
if (!ca_e) {
ha_alert("Cannot allocate memory!\n");
if (!shuterror)
ha_alert("Cannot allocate memory!\n");
goto err;
}
ebst_insert(&cafile_tree, &ca_e->node);
@ -1390,6 +1398,10 @@ err:
}
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
{
return __ssl_store_load_locations_file(path, create_if_none, type, 0);
}
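Review bot: The two `ha_alert("Cannot allocate memory!\n")` calls (after `X509_STORE_new()` and after `ssl_store_create_cafile_entry()`) are now gated on `!shuterror` too, but an allocation failure is not a ca-file configuration error, which is what the flag is meant to silence per the commit message, so dropping the OOM alert hides a condition the operator should always see. I would remove the `if (!shuterror)` in front of those two alerts and only gate the path/dir/load diagnostics. The same applies, more weakly, to the `0 CA were loaded` warning: with shuterror the function still returns success with an empty store, so an httpclient that requires verification would presumably fail every handshake with nothing in the logs to explain it. Minor: the new doc comment reads `<shuterror> allows you to to stop emitting the errors` (duplicated "to"); `<shuterror> non-zero suppresses the alerts and warnings emitted on failure` would read better. The `err:` label and the function's tail around the last hunk are only partly visible here.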
/*************************** CLI commands ***********************/