commit 00b831edd661923bae6d71d093e8de05e0422996
author William Lallemand <wlallemand@haproxy.org> Fri Dec 04 15:45:02 2020 +0100
committer Christopher Faulet <cfaulet@haproxy.com> Mon Dec 14 09:29:17 2020 +0100
tree 2bff66281a9e456d8049dc60a19eea33fe1dedd6
parent efcf138b057d7a0d66526172764e6a9e4a3c5901

MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1

Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.

This problem was encountered by an user in issue #990.

This must be backported in 2.3.

(cherry picked from commit b7fdfdfd92b9fdc6a3f742643760d6415fdc6f6b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0490b2a..b8ba625 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3501,7 +3501,13 @@
 					}
 				}
 			}
-
+#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
+			if (found) {
+				memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
+				          err && *err ? *err : "", path);
+				cfgerr |= ERR_ALERT | ERR_FATAL;
+			}
+#endif
 		}
 	}
 	if (!found) {