MINOR: ssl: load the sctl in/from the ckch
Don't try to load the file containing the sctl each time we generate a
SSL_CTX.
The .sctl is now loaded in the struct cert_key_and_chain only once and
then loaded from this structure when creating a SSL_CTX.
Note that this now makes it possible to use sctl with multi-cert
bundles.
diff --git a/include/types/ssl_sock.h b/include/types/ssl_sock.h
index dd30ed4..6f06efd 100644
--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -98,6 +98,7 @@
EVP_PKEY *key;
STACK_OF(X509) *chain;
DH *dh;
+ struct buffer *sctl;
};
/*
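Review bot: The new `sctl` member carries no comment, and it is the one field in this struct whose lifetime is not evident from its type: in src/ssl_sock.c the same pointer is handed to `SSL_CTX_set_ex_data`, so a reader needs to know which side owns the buffer. Suggest `struct buffer *sctl; /* SCT list read from "<cert>.sctl"; owned by the ckch, the SSL_CTX ex_data only borrows it */`, assuming that is the intended ownership, which the diff itself does not state. The ownership question is raised again on the `ssl_sock_load_sctl` hunk.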
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 29170aa..bd1a6cc 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1498,26 +1498,13 @@
return 1;
}
-static int ssl_sock_load_sctl(SSL_CTX *ctx, const char *cert_path)
+static int ssl_sock_load_sctl(SSL_CTX *ctx, struct buffer *sctl)
{
- char sctl_path[MAXPATHLEN+1];
int ret = -1;
- struct stat st;
- struct buffer *sctl = NULL;
- snprintf(sctl_path, MAXPATHLEN+1, "%s.sctl", cert_path);
-
- if (stat(sctl_path, &st))
- return 1;
-
- if (ssl_sock_load_sctl_from_file(sctl_path, &sctl))
+ if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL))
goto out;
- if (!SSL_CTX_add_server_custom_ext(ctx, CT_EXTENSION_TYPE, ssl_sock_sctl_add_cbk, NULL, sctl, ssl_sock_sctl_parse_cbk, NULL)) {
- free(sctl);
- goto out;
- }
-
SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl);
ret = 0;
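Review bot: `SSL_CTX_set_ex_data(ctx, sctl_ex_index, sctl)` now stores a buffer that the ckch also keeps as `ckch->sctl`, whereas before this change the buffer was allocated here and the SSL_CTX was its only holder. If `sctl_ex_index` was registered with a free callback (`SSL_CTX_get_ex_new_index` with a `free_func`), `SSL_CTX_free` will release the ckch's buffer and leave `ckch->sctl` dangling, so the next SSL_CTX built from the same ckch would read freed memory; the index registration is not in this hunk, so please confirm which way it goes. Dropping the `free(sctl)` on the `SSL_CTX_add_server_custom_ext` failure path is consistent with ckch ownership only under that same assumption. A header comment would pin the contract: `/* Register the SCT list extension on ctx; sctl stays owned by the caller's ckch and must outlive ctx. Returns 0 on success, -1 on failure. */`. The function's `out:` label and return lie outside the hunk.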
@@ -3027,6 +3014,24 @@
ret = 1;
goto end;
}
+
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+ /* try to load the sctl file */
+ {
+ char fp[MAXPATHLEN+1];
+ struct stat st;
+
+ snprintf(fp, MAXPATHLEN+1, "%s.sctl", path);
+ if (stat(fp, &st) == 0) {
+ if (ssl_sock_load_sctl_from_file(fp, &ckch->sctl)) {
+ memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
+ *err ? *err : "", fp);
+ ret = 1;
+ goto end;
+ }
+ }
+ }
+#endif
ret = 0;
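Review bot: The `memprintf` in the new block formats `'%s.sctl'` with `fp`, but `fp` was already built as `"%s.sctl"` from `path` two lines earlier, so the reported file name reads `cert.pem.sctl.sctl`; use `"%s '%s' is present but cannot be read or parsed.\n"` with `fp`, or keep the current format and pass `path`. The `snprintf` into `fp` is also unchecked: a `path` longer than MAXPATHLEN minus the suffix is silently truncated, `stat` then looks at a different name and the .sctl beside the real certificate is quietly skipped; compare the return value against `sizeof fp` and fail with an error instead. The enclosing function begins before this hunk.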
@@ -3098,6 +3103,16 @@
}
#endif
+#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
+ if (sctl_ex_index >= 0 && ckch->sctl) {
+ if (ssl_sock_load_sctl(ctx, ckch->sctl) < 0) {
+ memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
+ *err ? *err : "", path);
+ return 1;
+ }
+ }
+#endif
+
return 0;
}
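Review bot: The `memprintf` in the new block dereferences `*err` unconditionally, while the code it replaces (the `ssl_sock_load_sctl` call removed further down in this file) first checked `if (err)`; unless every caller of this function is known to pass a non-NULL `err`, the guard should come back as `if (err) memprintf(...)`, and the same pattern appears in the ckch-loading hunk above. The message is also stale now: by this point `ckch->sctl` has already been read and parsed, so a negative return from `ssl_sock_load_sctl` means `SSL_CTX_add_server_custom_ext` refused the extension, and "cannot be read or parsed" sends an operator to the wrong place. Something like `"%s unable to register the SCT list of '%s' on the SSL context.\n"` names the actual failure. The enclosing function starts before this hunk.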
@@ -3627,17 +3642,6 @@
ssl_sock_set_ocsp_response_from_file(ctx, path);
#endif
-#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
- if (sctl_ex_index >= 0) {
- if (ssl_sock_load_sctl(ctx, path) < 0) {
- if (err)
- memprintf(err, "%s '%s.sctl' is present but cannot be read or parsed'.\n",
- *err ? *err : "", path);
- goto error;
- }
- }
-#endif
-
#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (bind_conf->default_ctx) {
memprintf(err, "%sthis version of openssl cannot load multiple SSL certificates.\n",