commit 3b0f3e0a698c08f28b0327aa1f6751be2928719c
author Remi Tricot-Le Breton <rlebreton@haproxy.com> Tue Jul 13 18:28:22 2021 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Thu Jul 15 13:17:22 2021 +0200
tree 419086085348cb1ad530ec87606f36b662bad920
parent 0ea2c4f9af92218198b31324997508fb9dae83e6

BUG/MINOR: ssl: Default-server configuration ignored by server

When a default-server line specified a client certificate to use, the
frontend would not take it into account and create an empty SSL context,
which would raise an error on the backend side ("peer did not return a
certificate").

This bug was introduced by d817dc733eacfd7cf5bb0bbc6128f44644db078e in
which the SSL contexts are created earlier than before (during the
default-server line parsing) without setting it in the corresponding
server structures. It then made the server create an empty SSL context
in ssl_sock_prepare_srv_ctx because it thought it needed one.

It was raised on redmine, in Bug #3906.

It can be backported to 2.4.

(cherry picked from commit 0498fa4059c545d9c066db094dff154174e15bca)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

reg-tests/ssl/ssl_default_server.vtc

diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc
new file mode 100644
index 0000000..607225d
--- /dev/null
+++ b/reg-tests/ssl/ssl_default_server.vtc
@@ -0,0 +1,142 @@
+#REGTEST_TYPE=devel
+
+# This reg-test ensures that SSL related configuration specified in a
+# default-server option are properly taken into account by the servers
+# (frontend). It mainly focuses on the client certificate used by the frontend,
+# that can either be defined in the server line itself, in the default-server
+# line or in both.
+#
+# It was created following a bug raised in redmine (issue #3906) in which a
+# server used an "empty" SSL context instead of the proper one.
+#
+
+varnishtest "Test the 'set ssl cert' feature of the CLI"
+feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.5-dev0)'"
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
+feature ignore_unknown_macro
+
+server s1 -repeat 7 {
+  rxreq
+  txresp
+} -start
+
+haproxy h1 -conf {
+    global
+        tune.ssl.default-dh-param 2048
+        tune.ssl.capture-cipherlist-size 1
+        stats socket "${tmpdir}/h1/stats" level admin
+        crt-base ${testdir}
+        ca-base ${testdir}
+
+    defaults
+        mode http
+        option httplog
+        log stderr local0 debug err
+        option logasap
+        timeout connect 100ms
+        timeout client  1s
+        timeout server  1s
+
+    listen clear-lst
+        bind "fd@${clearlst}"
+        use_backend first_be if { path /first }
+        use_backend second_be if { path /second }
+        use_backend third_be if { path /third }
+        use_backend fourth_be if { path /fourth }
+        use_backend fifth_be if { path /fifth }
+
+
+    backend first_be
+        default-server ssl crt client1.pem ca-file ca-auth.crt verify none
+        server s1 "${tmpdir}/ssl.sock"
+
+    backend second_be
+        default-server ssl ca-file ca-auth.crt verify none
+        server s1 "${tmpdir}/ssl.sock" crt client1.pem
+
+    backend third_be
+        default-server ssl crt client1.pem ca-file ca-auth.crt verify none
+        server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
+
+    backend fourth_be
+        default-server ssl crt client1.pem verify none
+        server s1 "${tmpdir}/ssl.sock" ca-file ca-auth.crt
+
+    backend fifth_be
+        balance roundrobin
+        default-server ssl crt client1.pem verify none
+        server s1 "${tmpdir}/ssl.sock"
+        server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
+        server s3 "${tmpdir}/ssl.sock"
+
+
+    listen ssl-lst
+        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem ca-file ca-auth.crt verify required crt-ignore-err all
+
+        acl cert_expired ssl_c_verify 10
+        acl cert_revoked ssl_c_verify 23
+        acl cert_ok ssl_c_verify 0
+
+        http-response add-header X-SSL Ok if cert_ok
+        http-response add-header X-SSL Expired if cert_expired
+        http-response add-header X-SSL Revoked if cert_revoked
+
+        server s1 ${s1_addr}:${s1_port}
+} -start
+
+
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/first"
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/second"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/third"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Expired"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/fourth"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/fifth"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/fifth"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Expired"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/fifth"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run

src/server.c

diff --git a/src/server.c b/src/server.c
index 586fa02..c482eb1 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1949,6 +1949,8 @@
 
 	srv->ssl_ctx.verify = src->ssl_ctx.verify;
 
+	srv->ssl_ctx.ctx = src->ssl_ctx.ctx;
+
 	if (src->ssl_ctx.verify_host != NULL)
 		srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
 	if (src->ssl_ctx.ciphers != NULL)