BUG/MINOR: ssl: fix management of the cache where forged certificates are stored First, the LRU cache must be initialized after the configuration parsing to correctly set its size. Next, the function 'ssl_sock_set_generated_cert' returns -1 when an error occurs (0 if success). In that case, the caller is responsible to free the memory allocated for the certificate. Finally, when a SSL certificate is generated by HAProxy but cannot be inserted in the cache, it must be freed when the SSL connection is closed. This happens when 'tune.ssl.ssl-ctx-cache-size' is set to 0.

commit: d2cab92e75debdb7008fda9f94773d0c45758058 [log] [tgz]
author: Christopher Faulet <cfaulet@qualys.com> Tue Jul 28 16:03:47 2015 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Oct 09 10:20:53 2015 +0200
tree: a21749132fd5e29cf2e4a87fe615874a81aae66c
parent: d57ad648735d228a3fb238d18aa31adfb42e791c [diff] [blame]
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index c2156bb..1b6c081 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h

@@ -72,7 +72,7 @@
 
 SSL_CTX *ssl_sock_create_cert(const char *servername, unsigned int serial, X509 *cacert, EVP_PKEY *capkey);
 SSL_CTX *ssl_sock_get_generated_cert(unsigned int serial, X509 *cacert);
-void ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int serial, X509 *cacert);
+int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int serial, X509 *cacert);
 unsigned int ssl_sock_generated_cert_serial(const void *data, size_t len);
 
 #endif /* _PROTO_SSL_SOCK_H */
commit	d2cab92e75debdb7008fda9f94773d0c45758058	[log] [tgz]
author	Christopher Faulet <cfaulet@qualys.com>	Tue Jul 28 16:03:47 2015 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Oct 09 10:20:53 2015 +0200
tree	a21749132fd5e29cf2e4a87fe615874a81aae66c
parent	d57ad648735d228a3fb238d18aa31adfb42e791c [diff] [blame]