BUG/MEDIUM: ssl: Fix regression about certificates generation Since the commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored."], the certificates generation is broken. To generate a certificate, we retrieved the private key of the default certificate using the SSL object. But since the commit f6b37c67, the SSL object is created with a dummy certificate (initial_ctx). So to fix the bug, we use directly the default certificate in the bind_conf structure. We use SSL_CTX_get0_privatekey function to do so. Because this function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been added in openssl-compat.h with the right #ifdef.

commit: 48a8332a4a82f151877bd6baf567031088845f2d [log] [tgz]
author: Christopher Faulet <cfaulet@haproxy.com> Fri Jul 28 16:56:09 2017 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Jul 28 18:25:18 2017 +0200
tree: 1834a5852a66dfbab23276c231bc94c8af422b99
parent: 7a4a0ac71d51c592f20622d1b5530042ae79f3b9 [diff] [blame]
diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ea92072..9b67109 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h

@@ -89,6 +89,19 @@
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) || defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * Functions introduced in OpenSSL 1.0.2 and not yet present in LibreSSL
+ */
+EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+{
+	if (ctx->cert != NULL)
+		return ctx->cert->key->privatekey;
+	else
+		return NULL;
+}
+#endif
+
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
 /*
  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
commit	48a8332a4a82f151877bd6baf567031088845f2d	[log] [tgz]
author	Christopher Faulet <cfaulet@haproxy.com>	Fri Jul 28 16:56:09 2017 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Jul 28 18:25:18 2017 +0200
tree	1834a5852a66dfbab23276c231bc94c8af422b99
parent	7a4a0ac71d51c592f20622d1b5530042ae79f3b9 [diff] [blame]