MINOR: ssl: Add reference to default ckch instance in bind_conf
In order for the link between the cafile_entry and the default ckch
instance to be built, we need to give a pointer to the instance during
the ssl_sock_prepare_ctx call.
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index b9c1290..959f3e8 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -164,6 +164,7 @@
unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
SSL_CTX *initial_ctx; /* SSL context for initial negotiation */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
+ struct ckch_inst *default_inst;
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
int ssl_options; /* ssl options */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8f9f535..c7e1005 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2933,6 +2933,7 @@
SSL_CTX_free(bind_conf->default_ctx);
SSL_CTX_up_ref(ckch_inst->ctx);
bind_conf->default_ctx = ckch_inst->ctx;
+ bind_conf->default_inst = ckch_inst;
}
}
@@ -3368,6 +3369,7 @@
bind_conf->default_ssl_conf = ssl_conf;
ckch_inst->is_default = 1;
SSL_CTX_up_ref(ctx);
+ bind_conf->default_inst = ckch_inst;
}
/* Always keep a reference to the newly constructed SSL_CTX in the
@@ -4903,7 +4905,7 @@
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, NULL, bind_conf->initial_ctx, NULL, &errmsg);
}
if (bind_conf->default_ctx) {
- errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, NULL, &errmsg);
+ errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, bind_conf->default_inst, &errmsg);
}
node = ebmb_first(&bind_conf->sni_ctx);
@@ -5054,6 +5056,7 @@
bind_conf->initial_ctx = NULL;
SSL_CTX_free(bind_conf->default_ctx);
bind_conf->default_ctx = NULL;
+ bind_conf->default_inst = NULL;
bind_conf->default_ssl_conf = NULL;
}