MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.
This problem was encountered by an user in issue #990.
This must be backported in 2.3.
(cherry picked from commit b7fdfdfd92b9fdc6a3f742643760d6415fdc6f6b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f72f60e..077d6da 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -602,6 +602,13 @@
entry_dup = NULL; /* the entry was used, we need a new one next round */
}
+#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
+ if (found) {
+ memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
+ err && *err ? *err : "", crt_path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ }
+#endif
}
if (!found) {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0490b2a..b8ba625 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3501,7 +3501,13 @@
}
}
}
-
+#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
+ if (found) {
+ memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
+ err && *err ? *err : "", path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ }
+#endif
}
}
if (!found) {