BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
certificates in a ckch for backend servers") in which the creation of
the SSL_CTX for a server was moved to the configuration parser when
using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().
The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
server") made it worse by setting the same SSL_CTX for every servers
using a default-server. Resulting in any SSL option on a server applied
to every server in its backend.
This patch fixes the issue by reintroducing a string which store the
path of certificate inside the server structure, and loading the
certificate in ssl_sock_prepare_srv_ctx() again.
This is a quick fix to backport, a cleaner way can be achieve by always
creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
properly the ssl_sock_load_srv_cert() function.
This patch fixes issue #1488.
Must be backported as far as 2.4.
(cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98)
[wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4,
thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches
what srv_parse_crt() used to do]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc
index 607225d..63013f0 100644
--- a/reg-tests/ssl/ssl_default_server.vtc
+++ b/reg-tests/ssl/ssl_default_server.vtc
@@ -15,7 +15,7 @@
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro
-server s1 -repeat 7 {
+server s1 -repeat 10 {
rxreq
txresp
} -start
@@ -56,7 +56,10 @@
backend third_be
default-server ssl crt client1.pem ca-file ca-auth.crt verify none
- server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
+ server s1 "${tmpdir}/ssl.sock"
+ server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
+ server s3 "${tmpdir}/ssl.sock"
+ server s4 "${tmpdir}/ssl.sock"
backend fourth_be
default-server ssl crt client1.pem verify none
@@ -106,9 +109,25 @@
txreq
rxresp
expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+ txreq -url "/third"
+ txreq
+ rxresp
+ expect resp.status == 200
expect resp.http.x-ssl == "Expired"
} -run
+client c1 -connect ${h1_clearlst_sock} -repeat 2 {
+ txreq -url "/third"
+ txreq
+ rxresp
+ expect resp.status == 200
+ expect resp.http.x-ssl == "Ok"
+} -run
+
client c1 -connect ${h1_clearlst_sock} {
txreq -url "/fourth"
txreq