BUG/MEDIUM: ssl: in bind line, ssl-options after 'crt' are ignored. Bug introduced with "removes SSL_CTX_set_ssl_version call and cleanup CTX creation": ssl_sock_new_ctx is called before all the bind line is parsed. The fix consists of separating the use of default_ctx as the initialization context of the SSL connection via bind_conf->initial_ctx. Initial_ctx contains all the necessary parameters before performing the selection of the CTX: default_ctx is processed as others ctx without unnecessary parameters.

commit: f6b37c67be277b5f0ae60438d796ff29ef19be40 [log] [tgz]
author: Emmanuel Hocdet <manu@gandi.net> Mon Mar 06 15:34:44 2017 +0100
committer: Willy Tarreau <w@1wt.eu> Tue Mar 07 10:42:43 2017 +0100
tree: ede02b2e437cef13c9c86ec26a7857b0b2925d24
parent: 4608ed9511a0bc7f96e22376953d1b05de466cfd [diff] [blame]
diff --git a/include/types/listener.h b/include/types/listener.h
index b8ddae8..1f94b0b 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h

@@ -141,6 +141,7 @@
 	struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
 	unsigned long long ca_ignerr;  /* ignored verify errors in handshake if depth > 0 */
 	unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
+	SSL_CTX *initial_ctx;      /* SSL context for initial negotiation */
 	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
 	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
 	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
commit	f6b37c67be277b5f0ae60438d796ff29ef19be40	[log] [tgz]
author	Emmanuel Hocdet <manu@gandi.net>	Mon Mar 06 15:34:44 2017 +0100
committer	Willy Tarreau <w@1wt.eu>	Tue Mar 07 10:42:43 2017 +0100
tree	ede02b2e437cef13c9c86ec26a7857b0b2925d24
parent	4608ed9511a0bc7f96e22376953d1b05de466cfd [diff] [blame]