BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
Bug reported by John Leach: no-sslv3 does not work using some certificates.
It appears that ssl ctx is not updated with configured options if the
CommonName of the certificate's subject is not found.
It applies only to the first certificate of a configured bind line.
There is no security impact, because only invalid nameless certificates
are concerned.
This fix must be backported to 1.5
(cherry picked from commit 0bed9945eec049f12638ac3ef82e2084ac4da1c0)
diff --git a/Makefile b/Makefile
index 707037b..75bdce4 100644
--- a/Makefile
+++ b/Makefile
@@ -540,7 +540,7 @@
# in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
BUILD_OPTIONS += $(call ignore_implicit,USE_OPENSSL)
OPTIONS_CFLAGS += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
-OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
OPTIONS_OBJS += src/ssl_sock.o src/shctx.o
ifneq ($(USE_PRIVATE_CACHE),)
OPTIONS_CFLAGS += -DUSE_PRIVATE_CACHE
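Review bot: The `-ldl` appended to `OPTIONS_LDFLAGS` is unconditional and is not mentioned by the commit description, which only talks about the ssl ctx fix, so it deserves its own commit or at least a sentence in the description. Presumably it is there for an OpenSSL build that dlopen()s engines on glibc systems, but on targets that have no separate libdl (the BSDs, for instance) an unconditional `-ldl` can fail the link; guarding it in the same style as the existing `SSL_LIB` test, e.g. `$(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto $(if $(USE_DL),-ldl)` with whatever toggle name fits the Makefile's conventions, would keep non-Linux builds working. A one-line comment above it stating why libdl is needed, such as `# -ldl: OpenSSL may dlopen() engines`, would help the next person who trips over it.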
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f1616ca..f8bfbe7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1949,10 +1949,15 @@
if (!bind_conf || !bind_conf->is_ssl)
return 0;
+ if (bind_conf->default_ctx)
+ err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
node = ebmb_first(&bind_conf->sni_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
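Review bot: The new `if (bind_conf->default_ctx)` block carries no comment saying why the default context must be prepared explicitly, and that reason (per the description, a certificate whose subject has no CN never enters the sni trees, so its context was never passed to ssl_sock_prepare_ctx() and bind options such as `no-sslv3` were silently not applied) is exactly what a later reader will need; I would add `/* default_ctx may be absent from the sni trees (e.g. a cert without a CN), so prepare it here and skip it in the walks below */` above that line. The two-line comment placed between the `if` and its unbraced body in the `sni_ctx` walk makes `err += ...` easy to misread as unconditional; either move the comment above the `if` or brace the body. Since the default context is presumably what clients without a matching SNI are served, options not applied to it amount to a silent weakening of that context rather than a cosmetic glitch, so the description's "no security impact" is a claim I would hedge. The enclosing function starts before this hunk.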
@@ -1960,7 +1965,9 @@
node = ebmb_first(&bind_conf->sni_w_ctx);
while (node) {
sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
node = ebmb_next(node);
}
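Review bot: This walk of `sni_w_ctx` now repeats, condition and comment included, the walk of `sni_ctx` in the previous hunk, so any future change to the skip rule must be made twice; I would factor both into one static helper taking the tree root and call it once per tree after the default context is prepared. The parameter types below follow what the enclosing function declares for `bind_conf` and `px` and assume the sni trees are the `struct eb_root` that ebmb_first() expects; the function's return is outside this hunk. The helper also keeps the comment above the `if` instead of between it and its body.

```c
/* Prepare every distinct SSL_CTX referenced from <tree>, except the default
 * one which the caller prepares itself. The ssl_sock_prepare_ctx() results
 * are accumulated the same way the caller accumulates <err>.
 */
static int ssl_sock_prepare_sni_tree(struct bind_conf *bind_conf, struct eb_root *tree, struct proxy *px)
{
	struct ebmb_node *node;
	struct sni_ctx *sni;
	int err = 0;

	for (node = ebmb_first(tree); node; node = ebmb_next(node)) {
		sni = ebmb_entry(node, struct sni_ctx, name);
		/* only initialize the CTX on its first occurrence and if it is
		 * not the default_ctx, which the caller already prepared
		 */
		if (!sni->order && sni->ctx != bind_conf->default_ctx)
			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
	}
	return err;
}

/* … in the caller, replacing both tree walks … */
err += ssl_sock_prepare_sni_tree(bind_conf, &bind_conf->sni_ctx, px);
err += ssl_sock_prepare_sni_tree(bind_conf, &bind_conf->sni_w_ctx, px);
```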