commit 7cbd156186366b5f47b9b7ccc949126c1398937b
author Christopher Faulet <cfaulet@haproxy.com> Wed Dec 01 09:50:41 2021 +0100
committer Christopher Faulet <cfaulet@haproxy.com> Thu Dec 02 15:21:06 2021 +0100
tree 01240d1649f327fa1f7b2dd07272dec50fcf9537
parent be416711735acdeb65b4fc0a5c0e152033477bce

BUG/MINOR: server: Don't rely on last default-server to init server SSL context

During post-parsing stage, the SSL context of a server is initialized if SSL
is configured on the server or its default-server. It is required to be able
to enable SSL at runtime. However a regression was introduced, because the
last parsed default-server is used. But it is not necessarily the
default-server line used to configure the server. This may lead to
erroneously initialize the SSL context for a server without SSL parameter or
the skip it while it should be done.

The problem is the default-server used to configure a server is not saved
during configuration parsing. So, the information is lost during the
post-parsing. To fix the bug, the SRV_F_DEFSRV_USE_SSL flag is
introduced. It is used to know when a server was initialized with a
default-server using SSL.

For the record, the commit f63704488e ("MEDIUM: cli/ssl: configure ssl on
server at runtime") has introduced the bug.

This patch must be backported as far as 2.4.

(cherry picked from commit 4ab2679689c02882d9ea743ab0c458cd0c3b5388)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit e551ddf75ece31fa9b4f398d37cda7d89c64954b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

reg-tests/server/cli_set_ssl.vtc

diff --git a/reg-tests/server/cli_set_ssl.vtc b/reg-tests/server/cli_set_ssl.vtc
index 638debe..f97bf4d 100644
--- a/reg-tests/server/cli_set_ssl.vtc
+++ b/reg-tests/server/cli_set_ssl.vtc
@@ -27,8 +27,9 @@
         default_backend test0
 
     backend test0
-        default-server ssl
         server www0 ${s1_addr}:${s1_port} no-ssl
+        default-server ssl
+        server www1 ${s1_addr}:${s1_port} no-ssl
 
     backend test1
         server www0 ${s1_addr}:${s1_port} no-ssl
@@ -37,17 +38,22 @@
 haproxy h1 -cli {
     # supported case
     send "show servers state test0"
-    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
-    send "set server test0/www0 ssl on"
+    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - -1"
+    send "set server test0/www1 ssl on"
     expect ~ "server ssl setting updated"
     send "show servers state test0"
-    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 1"
-    send "set server test0/www0 ssl off"
+    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 1"
+    send "set server test0/www1 ssl off"
     expect ~ "server ssl setting updated"
     send "show servers state test0"
-    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - 0"
+    expect ~ "test0 2 www1 ${s1_addr} .* - ${s1_port} - 0"
+
+    # unsupported cases
+    send "show servers state test0"
+    expect ~ "test0 1 www0 ${s1_addr} .* - ${s1_port} - -1"
+    send "set server test0/www0 ssl on"
+    expect ~ "'set server <srv> ssl' cannot be set"
 
-    # unsupported case
     send "show servers state test1"
     expect ~ "test1 1 www0 ${s1_addr} .* - ${s1_port} - -1"
     send "set server test1/www0 ssl on"