Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 0bed9945eec049f12638ac3ef82e2084ac4da1c0^! / .
commit0bed9945eec049f12638ac3ef82e2084ac4da1c0[log] [tgz]
authorEmeric Brun <ebrun@haproxy.com>Thu Oct 30 19:25:24 2014 +0100
committerWilly Tarreau <w@1wt.eu>Thu Oct 30 20:02:33 2014 +0100
tree59d4b125620699fa9dec69aae0ce3ef6d21dadcb
parent2c86cbf7539af2008d61780b14f37ea8c46c2192 [diff]
BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

Bug reported by John Leach: no-sslv3 does not work using some certificates.

It appears that ssl ctx is not updated with configured options if the
CommonName of the certificate's subject is not found.

It applies only on the first cerificate of a configured bind line.

There is no security impact, because only invalid nameless certficates
are concerned.

This fix must be backported to 1.5

diff --git a/Makefile b/Makefile
index 0d1d13a..ee7473c 100644
--- a/Makefile
+++ b/Makefile

@@ -540,7 +540,7 @@
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 BUILD_OPTIONS   += $(call ignore_implicit,USE_OPENSSL)
 OPTIONS_CFLAGS  += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
-OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
 OPTIONS_OBJS  += src/ssl_sock.o src/shctx.o
 ifneq ($(USE_PRIVATE_CACHE),)
 OPTIONS_CFLAGS  += -DUSE_PRIVATE_CACHE

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9f4b061..fbf8f9a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -1957,10 +1957,15 @@
 	if (!bind_conf || !bind_conf->is_ssl)
 		return 0;
 
+	if (bind_conf->default_ctx)
+		err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
 	node = ebmb_first(&bind_conf->sni_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}
@@ -1968,7 +1973,9 @@
 	node = ebmb_first(&bind_conf->sni_w_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}