commit f67214554cfb3117effab1f0b705d027354f4b36
author Willy Tarreau <w@1wt.eu> Tue Jul 07 18:04:38 2015 +0200
committer Willy Tarreau <w@1wt.eu> Tue Jul 07 18:04:38 2015 +0200
tree 5b52946688c36455544440cefa2320ad86bc667c
parent 96a0be78ed1a0d7a473c7f8a301174c3afdc06f6

MINOR: ssl: make self-generated certs also work with raw IPv6 addresses

The current method of retrieving the incoming connection's destination
address to hash it is not compatible with IPv6 nor the proxy protocol
because it directly tries to get an IPv4 address from the socket. Instead
we must ask the connection. This is only used when no SNI is provided.

src/ssl_sock.c

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index dcbef4c..aa7bb1b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1188,18 +1188,20 @@
 
 	servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 	if (!servername) {
-		struct sockaddr to;
-		int             fd;
+		if (s->generate_certs) {
+			struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
+			unsigned int serial;
+			SSL_CTX *ctx;
 
-		if (s->generate_certs &&
-		    (fd = SSL_get_fd(ssl)) != -1 &&
-		    tcp_get_dst(fd, &to, sizeof(to), 0) != -1) {
-			unsigned int serial = ssl_sock_generated_cert_serial(&to, sizeof(to));
-			SSL_CTX *ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
-			if (ctx) {
-				/* switch ctx */
-				SSL_set_SSL_CTX(ssl, ctx);
-				return SSL_TLSEXT_ERR_OK;
+			conn_get_to_addr(conn);
+			if (conn->flags & CO_FL_ADDR_TO_SET) {
+				serial = ssl_sock_generated_cert_serial(&conn->addr.to, get_addr_len(&conn->addr.to));
+				ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
+				if (ctx) {
+					/* switch ctx */
+					SSL_set_SSL_CTX(ssl, ctx);
+					return SSL_TLSEXT_ERR_OK;
+				}
 			}
 		}