BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init
With an OpenSSL library which uses the wrong OPENSSLDIR, HAProxy tries to
load OPENSSLDIR/certs/ into @system-ca, but emits a warning when it
can't.
This patch fixes the issue by allowing to shut the error when the SSL
configuration for the httpclient is not explicit.
Must be backported in 2.6.
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 085c5c0..21eb0d2 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -67,6 +67,7 @@
void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
extern struct cert_exts cert_exts[];
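Review bot: The new prototype's name starts with a double underscore, a range C11 7.1.3 reserves for the implementation; unless the project deliberately uses this prefix for internal variants, a name such as `ssl_store_load_locations_file_ex` stays out of the reserved space. The declaration also gives callers no hint of what the extra parameter does, which matters here because a non-zero value mutes every diagnostic the function would otherwise emit. A one-line comment above the prototype, `/* shuterror: non-zero mutes the ha_alert()/ha_warning() output on failure; the return value is unchanged */`, would make that explicit.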
diff --git a/src/http_client.c b/src/http_client.c
index 88375e9..c3e5add 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -1275,7 +1275,7 @@
if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca");
- if (!ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
+ if (!__ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl)) {
/* if we failed to load the ca-file, only quits in
* error with hard_error, otherwise just disable the
* feature. */
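Review bot: Passing `!hard_error_ssl` on the changed line makes a failed CA-store load completely silent in the non-explicit case, so an operator running with verify=required gets no trace that the httpclient's SSL setup was dropped, which the comment right below says is the outcome. Muting the startup alert is the stated intent, but a diagnostic-mode message in the "disable the feature" branch would keep the degradation discoverable without the noise the commit wants to avoid, e.g. `ha_diag_warning("httpclient: couldn't load ca-file '%s', httpclient SSL disabled\n", srv_ssl->ssl_ctx.ca_file);`. That branch and the rest of the enclosing function lie outside the hunk.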
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e67702a..5843047 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1247,10 +1247,10 @@
/*
* Try to load a ca-file from disk into the ca-file cache.
- *
+ * <shuterror> allows you to to stop emitting the errors.
* Return 0 upon error
*/
-int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror)
{
X509_STORE *store = ssl_store_get0_locations_file(path);
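Review bot: The new doc comment line has a doubled word ("to to") and understates the flag: as the later hunks show, `shuterror` silences every `ha_alert()`/`ha_warning()` in the function, including the allocation-failure alerts, not only the ca-file ones. Suggest replacing it with `* <shuterror>: when non-zero, mute all ha_alert()/ha_warning() diagnostics emitted on failure; the return value is unchanged.` so callers know exactly what they are giving up. The function body continues well past this hunk.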
@@ -1268,21 +1268,24 @@
store = X509_STORE_new();
if (!store) {
- ha_alert("Cannot allocate memory!\n");
+ if (!shuterror)
+ ha_alert("Cannot allocate memory!\n");
goto err;
}
if (strcmp(path, "@system-ca") == 0) {
dir = X509_get_default_cert_dir();
if (!dir) {
- ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
+ if (!shuterror)
+ ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
goto err;
}
} else {
if (stat(path, &buf) == -1) {
- ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
+ if (!shuterror)
+ ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
goto err;
}
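Review bot: The guard added around `ha_alert("Cannot allocate memory!\n")` after `X509_STORE_new()` mutes a genuine resource fault, not the wrong-OPENSSLDIR configuration problem the commit targets, and the same applies to the allocation alert after `ssl_store_create_cafile_entry()` in the hunk at @@ -1360. An out-of-memory condition at startup is worth reporting regardless of how explicit the SSL configuration was, and the caller cannot tell the two failure causes apart from the 0 return. Suggest leaving those two `ha_alert()` calls unconditional and applying `shuterror` only to the path/directory/load diagnostics. The enclosing function starts before and ends after this hunk.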
@@ -1295,7 +1298,8 @@
if (file) {
if (!X509_STORE_load_locations(store, file, NULL)) {
e = ERR_get_error();
- ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
+ if (!shuterror)
+ ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
goto err;
}
} else if (dir) {
@@ -1360,23 +1364,27 @@
BIO_free(in);
free(de);
/* warn if it can load one of the files, but don't abort */
- ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
+ if (!shuterror)
+ ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
}
free(de_list);
} else {
- ha_alert("ca-file: couldn't load '%s'\n", path);
+ if (!shuterror)
+ ha_alert("ca-file: couldn't load '%s'\n", path);
goto err;
}
objs = X509_STORE_get0_objects(store);
cert_count = sk_X509_OBJECT_num(objs);
if (cert_count == 0) {
- ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
+ if (!shuterror)
+ ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
}
ca_e = ssl_store_create_cafile_entry(path, store, type);
if (!ca_e) {
- ha_alert("Cannot allocate memory!\n");
+ if (!shuterror)
+ ha_alert("Cannot allocate memory!\n");
goto err;
}
ebst_insert(&cafile_tree, &ca_e->node);
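Review bot: With the warning muted, the `cert_count == 0` case still falls through to `ssl_store_create_cafile_entry()` and `ebst_insert()`, so a store that loaded nothing is cached and the function presumably reports success to the caller; in the muted mode there is then no signal at all that the CA store is empty. Whether that should instead count as a failure is a policy question for the caller, but a short comment on the `if (cert_count == 0)` block, `/* an empty store is still registered; with shuterror the caller gets no indication of it */`, would record the behaviour for the next reader. The function continues outside this hunk.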
@@ -1390,6 +1398,10 @@
}
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+{
+ return __ssl_store_load_locations_file(path, create_if_none, type, 0);
+}
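Review bot: The new `ssl_store_load_locations_file()` wrapper has no comment, while the function it delegates to keeps the original doc block, so a reader of the header or of this spot cannot see that it is the verbose variant. A one-line comment above it, `/* Same as __ssl_store_load_locations_file() with diagnostics enabled (shuterror = 0). */`, is enough.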
/*************************** CLI commands ***********************/