BUG/MEDIUM: ssl: free the ckch instance linked to a server

This patch unlinks and frees the ckch instance linked to a server during
the free of this server.

This could have locked certificates in a "Used" state when removing
servers dynamically from the CLI, and could provoke a segfault once we
try to dynamically update the certificate after that.

This must be backported as far as 2.4.

(cherry picked from commit e69563fd8ed1a492ae4547451935908c0802e2c4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 89151b7c981c55dd8413fe16e42f8236a3bfb9cd)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6093d38..191243f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5080,6 +5080,8 @@
 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 	ha_free(&srv->ssl_ctx.ciphersuites);
 #endif
+	/* If there is a certificate we must unlink the ckch instance */
+	ckch_inst_free(srv->ssl_ctx.inst);
 }
 
 /* Walks down the two trees in bind_conf and frees all the certs. The pointer may
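Review bot: The added ckch_inst_free(srv->ssl_ctx.inst) call leaves srv->ssl_ctx.inst pointing at freed memory, because the pointer is passed by value, unlike the ha_free(&srv->ssl_ctx.ciphersuites) call just above, which takes the field's address. Consider adding `srv->ssl_ctx.inst = NULL;` right after the call so that a second pass through this function, or any later read of the field, cannot touch the freed instance. The call is also unconditional although the comment says "If there is a certificate": either confirm that ckch_inst_free() accepts a NULL argument and reword the comment, or guard the call with a check on srv->ssl_ctx.inst.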