BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init

With an OpenSSL library which use the wrong OPENSSLDIR, HAProxy tries to
load the OPENSSLDIR/certs/ into @system-ca, but emits a warning when it
can't.

This patch fixes the issue by allowing the error to be silenced when the SSL
configuration for the httpclient is not explicit.

Must be backported in 2.6.

(cherry picked from commit 0a2d63236c)
[wla: context changed in httpclient_precheck()]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
William Lallemand 2022-11-24 19:14:19 +01:00
parent d371520001
commit b1351c1a05
3 changed files with 25 additions and 11 deletions


@ -66,6 +66,7 @@ struct cafile_entry *ssl_store_create_cafile_entry(char *path, X509_STORE *store
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e); void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf); int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf);
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type); int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
extern struct cert_exts cert_exts[]; extern struct cert_exts cert_exts[];


@ -1215,8 +1215,9 @@ static int httpclient_precheck()
httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify; httpclient_srv_ssl->ssl_ctx.verify = httpclient_ssl_verify;
/* if the verify is required, try to load the system CA */ /* if the verify is required, try to load the system CA */
if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) { if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
httpclient_srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca"); httpclient_srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca");
if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) { if (!__ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl)) {
/* if we failed to load the ca-file, only quits in /* if we failed to load the ca-file, only quits in
* error with hard_error, otherwise just disable the * error with hard_error, otherwise just disable the
* feature. */ * feature. */
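Review bot: Passing `!hard_error_ssl` as the new fourth argument silences every diagnostic the loader can emit, including its allocation-failure alerts and the "0 CA were loaded" warning, while the commit message only targets the missing OPENSSLDIR certificate directory; when the call then fails, the comment below says the feature is simply disabled, so an implicitly configured httpclient can lose certificate verification with no startup trace at all. `hard_error_ssl` is not defined in the hunk and is presumably a file-scope flag set when the httpclient SSL section is configured explicitly — worth confirming. A one-line comment above the call would help the next reader, e.g. `/* no explicit httpclient ssl config: a missing system CA dir must not spam the logs, so silence the loader and fall back to disabling the feature below */`, and a single lower-severity message saying that verification was disabled would keep the condition observable to operators. httpclient_precheck() starts and ends outside the hunk.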


@ -1183,10 +1183,10 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
/* /*
* Try to load a ca-file from disk into the ca-file cache. * Try to load a ca-file from disk into the ca-file cache.
* * <shuterror> allows you to to stop emitting the errors.
* Return 0 upon error * Return 0 upon error
*/ */
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type) int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror)
{ {
X509_STORE *store = ssl_store_get0_locations_file(path); X509_STORE *store = ssl_store_get0_locations_file(path);
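Review bot: The new name `__ssl_store_load_locations_file` begins with a double underscore, which C11 7.1.3 reserves for the implementation, so unless the project already relies on this prefix convention a name such as `ssl_store_load_locations_file_ex` or a `_silent` suffix is safer against header and toolchain clashes; the same identifier is declared in the header hunk and called from the httpclient hunk. The added comment line also has a doubled word and should read `* <shuterror> allows you to stop emitting the errors.` Since the flag also suppresses the allocation-failure alerts and the "0 CA were loaded" warning further down this function, the comment would be more useful stating that scope, e.g. `* <shuterror> silences every alert and warning of this function; the return value is then the caller's only signal.` The function body continues past the end of this hunk.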
@ -1204,21 +1204,24 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
store = X509_STORE_new(); store = X509_STORE_new();
if (!store) { if (!store) {
ha_alert("Cannot allocate memory!\n"); if (!shuterror)
ha_alert("Cannot allocate memory!\n");
goto err; goto err;
} }
if (strcmp(path, "@system-ca") == 0) { if (strcmp(path, "@system-ca") == 0) {
dir = X509_get_default_cert_dir(); dir = X509_get_default_cert_dir();
if (!dir) { if (!dir) {
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n"); if (!shuterror)
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
goto err; goto err;
} }
} else { } else {
if (stat(path, &buf) == -1) { if (stat(path, &buf) == -1) {
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno)); if (!shuterror)
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
goto err; goto err;
} }
@ -1231,7 +1234,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
if (file) { if (file) {
if (!X509_STORE_load_locations(store, file, NULL)) { if (!X509_STORE_load_locations(store, file, NULL)) {
e = ERR_get_error(); e = ERR_get_error();
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e)); if (!shuterror)
ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
goto err; goto err;
} }
} else if (dir) { } else if (dir) {
@ -1296,23 +1300,27 @@ scandir_err:
BIO_free(in); BIO_free(in);
free(de); free(de);
/* warn if it can load one of the files, but don't abort */ /* warn if it can load one of the files, but don't abort */
ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e)); if (!shuterror)
ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
} }
free(de_list); free(de_list);
} else { } else {
ha_alert("ca-file: couldn't load '%s'\n", path); if (!shuterror)
ha_alert("ca-file: couldn't load '%s'\n", path);
goto err; goto err;
} }
objs = X509_STORE_get0_objects(store); objs = X509_STORE_get0_objects(store);
cert_count = sk_X509_OBJECT_num(objs); cert_count = sk_X509_OBJECT_num(objs);
if (cert_count == 0) { if (cert_count == 0) {
ha_warning("ca-file: 0 CA were loaded from '%s'\n", path); if (!shuterror)
ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
} }
ca_e = ssl_store_create_cafile_entry(path, store, type); ca_e = ssl_store_create_cafile_entry(path, store, type);
if (!ca_e) { if (!ca_e) {
ha_alert("Cannot allocate memory!\n"); if (!shuterror)
ha_alert("Cannot allocate memory!\n");
goto err; goto err;
} }
ebst_insert(&cafile_tree, &ca_e->node); ebst_insert(&cafile_tree, &ca_e->node);
@ -1326,6 +1334,10 @@ err:
} }
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
{
return __ssl_store_load_locations_file(path, create_if_none, type, 0);
}
/*************************** CLI commands ***********************/ /*************************** CLI commands ***********************/