BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init

With an OpenSSL library which use the wrong OPENSSLDIR, HAProxy tries to load the OPENSSLDIR/certs/ into @system-ca, but emits a warning when it can't. This patch fixes the issue by allowing to shut the error when the SSL configuration for the httpclient is not explicit. Must be backported in 2.6. (cherry picked from commit 0a2d63236c) [wla: context changed in httpclient_precheck()] Signed-off-by: William Lallemand <wlallemand@haproxy.org>
2022-11-24 19:14:19 +01:00 · 2022-11-24 19:14:19 +01:00 · b1351c1a05
commit b1351c1a05
parent d371520001
3 changed files with 25 additions and 11 deletions
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@ -66,6 +66,7 @@ struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store
 void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
 int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf);
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);

 extern struct cert_exts cert_exts[];

--- a/src/http_client.c
+++ b/src/http_client.c
@ -1215,8 +1215,9 @@ static int httpclient_precheck()
 	httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify;
 	/* if the verify is required, try to load the system CA */
 	if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
+
 		httpclient_srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca");
-		if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
+		if (!__ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl)) {
 			/* if we failed to load the ca-file, only quits in
 			 * error with hard_error, otherwise just disable the
 			 * feature. */
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -1183,10 +1183,10 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)

 /*
 * Try to load a ca-file from disk into the ca-file cache.
- *
+ *  <shuterror> allows you to to stop emitting the errors.
 *  Return 0 upon error
 */
-int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror)
 {
 	X509_STORE *store = ssl_store_get0_locations_file(path);

@ -1204,21 +1204,24 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty

 		store = X509_STORE_new();
 		if (!store) {
-			ha_alert("Cannot allocate memory!\n");
+			if (!shuterror)
+				ha_alert("Cannot allocate memory!\n");
 			goto err;
 		}

 		if (strcmp(path, "@system-ca") == 0) {
 			dir = X509_get_default_cert_dir();
 			if (!dir) {
-				ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
+				if (!shuterror)
+					ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
 				goto err;
 			}

 		} else {

 			if (stat(path, &buf) == -1) {
-				ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
+				if (!shuterror)
+					ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
 				goto err;
 			}

@ -1231,7 +1234,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 		if (file) {
 			if (!X509_STORE_load_locations(store, file, NULL)) {
 				e = ERR_get_error();
-				ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
+				if (!shuterror)
+					ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
 				goto err;
 			}
 		} else if (dir) {
@ -1296,23 +1300,27 @@ scandir_err:
 				BIO_free(in);
 				free(de);
 				/* warn if it can load one of the files, but don't abort */
-				ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
+				if (!shuterror)
+					ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));

 			}
 			free(de_list);
 		} else {
-			ha_alert("ca-file: couldn't load '%s'\n", path);
+			if (!shuterror)
+				ha_alert("ca-file: couldn't load '%s'\n", path);
 			goto err;
 		}

 		objs = X509_STORE_get0_objects(store);
 		cert_count = sk_X509_OBJECT_num(objs);
 		if (cert_count == 0) {
-			ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
+			if (!shuterror)
+				ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
 		}
 		ca_e = ssl_store_create_cafile_entry(path, store, type);
 		if (!ca_e) {
-			ha_alert("Cannot allocate memory!\n");
+			if (!shuterror)
+				ha_alert("Cannot allocate memory!\n");
 			goto err;
 		}
 		ebst_insert(&cafile_tree, &ca_e->node);
@ -1326,6 +1334,10 @@ err:

 }

+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+{
+	return __ssl_store_load_locations_file(path, create_if_none, type, 0);
+}

 /*************************** CLI commands ***********************/