MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.
This problem was encountered by a user in issue #990.
This must be backported to 2.3.
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index ba09799..5002c0b 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -602,6 +602,13 @@
entry_dup = NULL; /* the entry was used, we need a new one next round */
}
+#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
+ if (found) {
+ memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
+ err && *err ? *err : "", crt_path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ }
+#endif
}
if (!found) {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b7d3b92..e1de595 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3543,7 +3543,13 @@
}
}
}
-
+#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
+ if (found) {
+ memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
+ err && *err ? *err : "", path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ }
+#endif
}
}
if (!found) {
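Review bot: Once the new block sets `cfgerr |= ERR_ALERT | ERR_FATAL`, execution falls through past `#endif`, and because `found` is set the `if (!found)` branch is skipped, so the enclosing function (which starts and ends outside this hunk) keeps running on whatever state the preceding bundle probe left behind; unless the tail of the function already stops on ERR_FATAL, a `return cfgerr;` (or a jump to the function's cleanup label, if it has one) right after the assignment would avoid carrying a partially processed bundle forward. The same fall-through exists in the ssl_crtlist.c hunk above. The two hunks also duplicate the exact message string; a single shared constant or helper would keep the wording in sync, and `multi-certificate bundle` reads better than `multi certificates bundle`. It is worth confirming that HA_OPENSSL_VERSION_NUMBER is the compat-mapped value on LibreSSL/BoringSSL builds so the fatal error fires only where the bundle code path is genuinely unavailable.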