tree c16f672ff895ff1b4fc574d3b3990aa10da14926
parent 96c7b8dbd2d43017c66af098d97e8e99236a7517
author Willy Tarreau <w@1wt.eu> 1501234721 +0200
committer Willy Tarreau <w@1wt.eu> 1501234721 +0200
encoding latin1

BUG/MINOR: ssl: make use of the name in SNI before verifyhost

Commit 2ab8867 ("MINOR: ssl: compare server certificate names to the SNI
on outgoing connections") introduced the ability to check server cert
names against the name provided in the SNI, but verifyhost was kept
as a way to force the name to check against. This was a mistake, because:
  - if an SNI is used, any static hostname in verifyhost will be wrong;
    worse, if it matches and doesn't match the SNI, the server presented
    the wrong certificate;

  - there's no way to have a default name to check against for health
    checks anymore because the point above mandates the removal of the
    verifyhost directive

This patch reverses the ordering of the check: whenever SNI is used, the
name provided always has precedence (i.e. the server must always present a
certificate that matches the requested name). And if no SNI is provided,
then verifyhost is used, and will be configured to match the server's
default certificate name. This will work both when SNI is not used and
for health checks.

If commit 2ab8867 is backported to 1.7 and/or 1.6, this one must be
backported too.
