From 0a2d63236c4ada9a33f7e9495aa332fdcd9f5f82 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 24 Nov 2022 19:14:19 +0100
Subject: [PATCH] BUG/MINOR: ssl: shut the ca-file errors emitted during httpclient init

With an OpenSSL library which use the wrong OPENSSLDIR, HAProxy tries to load the OPENSSLDIR/certs/ into @system-ca, but emits a warning when it can't. This patch fixes the issue by allowing to shut the error when the SSL configuration for the httpclient is not explicit. Must be backported in 2.6.
---
 include/haproxy/ssl_ckch.h | 1 +
 src/http_client.c | 2 +-
 src/ssl_ckch.c | 32 ++++++++++++++++++++++----------
 3 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 085c5c042..21eb0d26f 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -67,6 +67,7 @@ struct cafile_entry *ssl_store_dup_cafile_entry(struct cafile_entry *src);
 void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
 int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
 extern struct cert_exts cert_exts[];
diff --git a/src/http_client.c b/src/http_client.c
index 88375e954..c3e5addeb 100644
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -1275,7 +1275,7 @@ struct proxy *httpclient_create_proxy(const char *id)
 if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) {
 srv_ssl->ssl_ctx.ca_file = strdup(httpclient_ssl_ca_file ? httpclient_ssl_ca_file : "@system-ca");
- if (!ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
+ if (!__ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl)) {
 /* if we failed to load the ca-file, only quits in
 * error with hard_error, otherwise just disable the
 * feature. */
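Review bot: The new prototype `__ssl_store_load_locations_file` uses a double-underscore prefix, which the C standard reserves for the implementation; HAProxy uses this prefix elsewhere for internal variants, but here the symbol is exported in a public header and called directly from src/http_client.c, so a descriptive name without the reserved prefix (for example `ssl_store_load_locations_file_opt`, a constructed suggestion) would be clearer. The same name is used in the src/http_client.c hunk and in all the src/ssl_ckch.c hunks, so renaming would touch each of them. A one-line comment on the prototype stating what the fourth argument does would also help, since `shuterror` is not self-explanatory: `/* shuterror: when non-zero, do not emit alerts/warnings on failure */`.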
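Review bot: Passing `!hard_error_ssl` silences the ca-file load errors even when the operator explicitly set `httpclient_ssl_ca_file`, so with hard errors off a wrong or unreadable configured CA path is no longer reported and the code falls into the "disable the feature" branch described by the comment, which appears to be a silent loss of certificate verification for the httpclient. The commit message scopes the silencing to the case where the SSL configuration is not explicit; the call can express exactly that by keeping errors for an explicit file: `if (!__ssl_store_load_locations_file(srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT, !hard_error_ssl && !httpclient_ssl_ca_file)) {`. The body of that branch, and what "disable the feature" does, lies outside the hunk, so the exact downgrade behaviour is inferred from the comment.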
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e67702abd..58430476e 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1247,10 +1247,10 @@ end:
 /*
 * Try to load a ca-file from disk into the ca-file cache.
-
+ * allows you to to stop emitting the errors.
 * Return 0 upon error
 */
-int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror)
 {
 X509_STORE *store = ssl_store_get0_locations_file(path);
@@ -1268,21 +1268,24 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 store = X509_STORE_new();
 if (!store) {
- ha_alert("Cannot allocate memory!\n");
+ if (!shuterror)
+ ha_alert("Cannot allocate memory!\n");
 goto err;
 }
 if (strcmp(path, "@system-ca") == 0) {
 dir = X509_get_default_cert_dir();
 if (!dir) {
- ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
+ if (!shuterror)
+ ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
 goto err;
 }
 } else {
 if (stat(path, &buf) == -1) {
- ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
+ if (!shuterror)
+ ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, strerror(errno));
 goto err;
 }
@@ -1295,7 +1298,8 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 if (file) {
 if (!X509_STORE_load_locations(store, file, NULL)) {
 e = ERR_get_error();
- ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
+ if (!shuterror)
+ ha_alert("Couldn't open the ca-file '%s' (%s).\n", path, ERR_reason_error_string(e));
 goto err;
 }
 } else if (dir) {
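Review bot: The added comment line `* allows you to to stop emitting the errors.` has a doubled "to" and does not say which parameter controls the behaviour or what "shut" means for the return value, which is the one piece of documentation a caller of the new four-argument variant needs. Suggest replacing it with ` * When <shuterror> is non-zero, no alert or warning is emitted on failure;` followed by ` * the return value is unchanged (0 upon error).`. The function body continues in the following hunks, so this is the only place its contract is described.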
@@ -1360,23 +1364,27 @@ scandir_err:
 BIO_free(in);
 free(de);
 /* warn if it can load one of the files, but don't abort */
- ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
+ if (!shuterror)
+ ha_warning("ca-file: '%s' couldn't load '%s' (%s)\n", path, trash.area, ERR_reason_error_string(e));
 }
 free(de_list);
 } else {
- ha_alert("ca-file: couldn't load '%s'\n", path);
+ if (!shuterror)
+ ha_alert("ca-file: couldn't load '%s'\n", path);
 goto err;
 }
 objs = X509_STORE_get0_objects(store);
 cert_count = sk_X509_OBJECT_num(objs);
 if (cert_count == 0) {
- ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
+ if (!shuterror)
+ ha_warning("ca-file: 0 CA were loaded from '%s'\n", path);
 }
 ca_e = ssl_store_create_cafile_entry(path, store, type);
 if (!ca_e) {
- ha_alert("Cannot allocate memory!\n");
+ if (!shuterror)
+ ha_alert("Cannot allocate memory!\n");
 goto err;
 }
 ebst_insert(&cafile_tree, &ca_e->node);
@@ -1390,6 +1398,10 @@ err:
 }
+int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type)
+{
+ return __ssl_store_load_locations_file(path, create_if_none, type, 0);
+}
 /*************************** CLI commands ***********************/
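Review bot: Guarding the `0 CA were loaded` warning with `shuterror` removes the only signal for a case that still returns success: after the `cert_count == 0` check the function goes on to `ssl_store_create_cafile_entry` and `ebst_insert`, so the httpclient keeps verification required against an empty store and every TLS connection then fails verification with nothing in the log. The other guarded messages in this and the previous hunk all sit before a `goto err`, so the caller at least sees the failure return; this one does not, and the per-file `couldn't load` warning above it is in the same position. Consider leaving this warning unconditional, or emitting it at a lower severity when `shuterror` is set, for example `else ha_notice("ca-file: 0 CA were loaded from '%s'\n", path);` in an else branch of the new guard. The function's `err:` label and return are outside this hunk.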