BUG/MINOR: ssl: prevent multiple entries for the same certificate
Today, the certificate are indexed int he SNI tree using their CN and the
list of thier AltNames. So, Some certificates have the same names in the
CN and one of the AltNames entries.
Typically Let's Encrypt duplicate the the DNS name in the CN and the
AltName.
This patch prevents the creation of identical entries in the trees. It
checks the same DNS name and the same SSL context.
If the same certificate is registered two time it will be duplicated.
This patch should be backported in the 1.6 and 1.5 version.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8a0961a..3eee173 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1688,6 +1688,7 @@
{
struct sni_ctx *sc;
int wild = 0, neg = 0;
+ struct ebmb_node *node;
if (*name == '!') {
neg = 1;
@@ -1703,12 +1704,27 @@
if (*name) {
int j, len;
len = strlen(name);
+ for (j = 0; j < len && j < trash.size; j++)
+ trash.str[j] = tolower(name[j]);
+ if (j >= trash.size)
+ return order;
+ trash.str[j] = 0;
+
+ /* Check for duplicates. */
+ if (wild)
+ node = ebst_lookup(&s->sni_w_ctx, trash.str);
+ else
+ node = ebst_lookup(&s->sni_ctx, trash.str);
+ for (; node; node = ebmb_next_dup(node)) {
+ sc = ebmb_entry(node, struct sni_ctx, name);
+ if (sc->ctx == ctx && sc->neg == neg)
+ return order;
+ }
+
sc = malloc(sizeof(struct sni_ctx) + len + 1);
if (!sc)
return order;
- for (j = 0; j < len; j++)
- sc->name.key[j] = tolower(name[j]);
- sc->name.key[len] = 0;
+ memcpy(sc->name.key, trash.str, len + 1);
sc->ctx = ctx;
sc->order = order++;
sc->neg = neg;