BUG/MEDIUM: ssl: Fix regression about certificates generation Since the commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored."], the certificates generation is broken. To generate a certificate, we retrieved the private key of the default certificate using the SSL object. But since the commit f6b37c67, the SSL object is created with a dummy certificate (initial_ctx). So to fix the bug, we use directly the default certificate in the bind_conf structure. We use SSL_CTX_get0_privatekey function to do so. Because this function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been added in openssl-compat.h with the right #ifdef.

commit: 48a8332a4a82f151877bd6baf567031088845f2d [log] [tgz]
author: Christopher Faulet <cfaulet@haproxy.com> Fri Jul 28 16:56:09 2017 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Jul 28 18:25:18 2017 +0200
tree: 1834a5852a66dfbab23276c231bc94c8af422b99
parent: 7a4a0ac71d51c592f20622d1b5530042ae79f3b9 [diff] [blame]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b4d4e14..d81dd70 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -1586,8 +1586,8 @@
 	unsigned int  i;
 	int 	      key_type;
 
-	/* Get the private key of the defautl certificate and use it */
-	if (!(pkey = SSL_get_privatekey(ssl)))
+	/* Get the private key of the default certificate and use it */
+	if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))
 		goto mkcert_error;
 
 	/* Create the certificate */
commit	48a8332a4a82f151877bd6baf567031088845f2d	[log] [tgz]
author	Christopher Faulet <cfaulet@haproxy.com>	Fri Jul 28 16:56:09 2017 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Jul 28 18:25:18 2017 +0200
tree	1834a5852a66dfbab23276c231bc94c8af422b99
parent	7a4a0ac71d51c592f20622d1b5530042ae79f3b9 [diff] [blame]