Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6338b7d4a884639f98823e885325a50750f72e04^! / . / src / server.c
commit6338b7d4a884639f98823e885325a50750f72e04[log] [tgz]
authorWilliam Lallemand <wlallemand@haproxy.org>Tue Dec 28 18:47:17 2021 +0100
committerWilly Tarreau <w@1wt.eu>Thu Dec 30 13:58:09 2021 +0100
tree92f030702250baa7403da9961b7df6cf5a8e0307
parentfc13f79e8f8090018109e5c91e4e4e55a7105146 [diff] [blame]
BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server

This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
certificates in a ckch for backend servers") in which the creation of
the SSL_CTX for a server was moved to the configuration parser when
using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().

The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
server") made it worse by setting the same SSL_CTX for every servers
using a default-server. Resulting in any SSL option on a server applied
to every server in its backend.

This patch fixes the issue by reintroducing a string which store the
path of certificate inside the server structure, and loading the
certificate in ssl_sock_prepare_srv_ctx() again.

This is a quick fix to backport, a cleaner way can be achieve by always
creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
properly the ssl_sock_load_srv_cert() function.

This patch fixes issue #1488.

Must be backported as far as 2.4.

(cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98)
[wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4,
     thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches
     what srv_parse_crt() used to do]
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/src/server.c b/src/server.c
index 99aec54..9d0a35b 100644
--- a/src/server.c
+++ b/src/server.c

@@ -2063,6 +2063,8 @@
 static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
 {
 	/* <src> is the current proxy's default server and SSL is enabled */
+	BUG_ON(src->ssl_ctx.ctx != NULL); /* the SSL_CTX must never be initialized in a default-server */
+
 	if (src == &srv->proxy->defsrv && src->use_ssl == 1)
 		srv->flags |= SRV_F_DEFSRV_USE_SSL;
 
@@ -2070,10 +2072,11 @@
 		srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);
 	if (src->ssl_ctx.crl_file != NULL)
 		srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file);
+	if (src->ssl_ctx.client_crt != NULL)
+		srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt);
 
 	srv->ssl_ctx.verify = src->ssl_ctx.verify;
 
-	srv->ssl_ctx.ctx = src->ssl_ctx.ctx;
 
 	if (src->ssl_ctx.verify_host != NULL)
 		srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);