BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init
The code which is supposed to apply the bind_conf configuration on the
SSL_CTX was not called correctly. Indeed it was called with the previous
SSL_CTX so the new ones were left with default settings. For example the
ciphers were not changed.
This patch fixes #429.
Must be backported in 2.1.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7698eec..67e086d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10617,8 +10617,8 @@
new_inst->is_default = 1;
/* we need to initialize the SSL_CTX generated */
- /* TODO: the prepare_ctx function need to be reworked to be safer there */
- list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
+ /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
+ list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */
errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
if (errcode & ERR_CODE)