Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6338b7d4a884639f98823e885325a50750f72e04^! / . / reg-tests / ssl / ssl_default_server.vtc
commit6338b7d4a884639f98823e885325a50750f72e04[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Tue Dec 28 18:47:17 2021 +0100
committerWilly Tarreau <w@1wt.eu>Thu Dec 30 13:58:09 2021 +0100
tree92f030702250baa7403da9961b7df6cf5a8e0307
parentfc13f79e8f8090018109e5c91e4e4e55a7105146 [diff] [blame]
BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server

This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
certificates in a ckch for backend servers") in which the creation of
the SSL_CTX for a server was moved to the configuration parser when
using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().

The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
server") made it worse by setting the same SSL_CTX for every servers
using a default-server. Resulting in any SSL option on a server applied
to every server in its backend.

This patch fixes the issue by reintroducing a string which store the
path of certificate inside the server structure, and loading the
certificate in ssl_sock_prepare_srv_ctx() again.

This is a quick fix to backport, a cleaner way can be achieve by always
creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
properly the ssl_sock_load_srv_cert() function.

This patch fixes issue #1488.

Must be backported as far as 2.4.

(cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98)
[wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4,
     thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches
     what srv_parse_crt() used to do]
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/reg-tests/ssl/ssl_default_server.vtc b/reg-tests/ssl/ssl_default_server.vtc
index 607225d..63013f0 100644
--- a/reg-tests/ssl/ssl_default_server.vtc
+++ b/reg-tests/ssl/ssl_default_server.vtc

@@ -15,7 +15,7 @@
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
 feature ignore_unknown_macro
 
-server s1 -repeat 7 {
+server s1 -repeat 10 {
   rxreq
   txresp
 } -start
@@ -56,7 +56,10 @@
 
     backend third_be
         default-server ssl crt client1.pem ca-file ca-auth.crt verify none
-        server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem
+        server s1 "${tmpdir}/ssl.sock"
+        server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem
+        server s3 "${tmpdir}/ssl.sock"
+        server s4 "${tmpdir}/ssl.sock"
 
     backend fourth_be
         default-server ssl crt client1.pem verify none
@@ -106,9 +109,25 @@
     txreq
     rxresp
     expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/third"
+    txreq
+    rxresp
+    expect resp.status == 200
     expect resp.http.x-ssl == "Expired"
 } -run
 
+client c1 -connect ${h1_clearlst_sock} -repeat 2 {
+    txreq -url "/third"
+    txreq
+    rxresp
+    expect resp.status == 200
+    expect resp.http.x-ssl == "Ok"
+} -run
+
 client c1 -connect ${h1_clearlst_sock} {
     txreq -url "/fourth"
     txreq