CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS
The new flag now replaces this boolean variable.
parent
11ba404c6b
commit
1ea6e6a17f
@ -115,6 +115,7 @@ enum li_status {
|
|||||||
|
|
||||||
/* flags used with bind_conf->options */
|
/* flags used with bind_conf->options */
|
||||||
#define BC_O_USE_SSL 0x00000001 /* SSL is being used on this bind_conf */
|
#define BC_O_USE_SSL 0x00000001 /* SSL is being used on this bind_conf */
|
||||||
|
#define BC_O_GENERATE_CERTS 0x00000002 /* 1 if generate-certificates option is set, else 0 */
|
||||||
|
|
||||||
|
|
||||||
/* flags used with bind_conf->ssl_options */
|
/* flags used with bind_conf->ssl_options */
|
||||||
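Review bot: The comment on the new BC_O_GENERATE_CERTS define still reads like the int field it replaces ("1 if generate-certificates option is set, else 0"), which does not describe a bit in a flag word, while the neighbouring BC_O_USE_SSL comment describes the condition the bit encodes. Suggest `#define BC_O_GENERATE_CERTS 0x00000002 /* generate-certificates option is set on this bind_conf */` so the flag table reads uniformly.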
@ -181,7 +182,6 @@ struct bind_conf {
|
|||||||
const struct mux_proto_list *mux_proto; /* the mux to use for all incoming connections (specified by the "proto" keyword) */
|
const struct mux_proto_list *mux_proto; /* the mux to use for all incoming connections (specified by the "proto" keyword) */
|
||||||
struct xprt_ops *xprt; /* transport-layer operations for all listeners */
|
struct xprt_ops *xprt; /* transport-layer operations for all listeners */
|
||||||
uint options; /* set of BC_O_* flags */
|
uint options; /* set of BC_O_* flags */
|
||||||
int generate_certs; /* 1 if generate-certificates option is set, else 0 */
|
|
||||||
int level; /* stats access level (ACCESS_LVL_*) */
|
int level; /* stats access level (ACCESS_LVL_*) */
|
||||||
int severity_output; /* default severity output format in cli feedback messages */
|
int severity_output; /* default severity output format in cli feedback messages */
|
||||||
struct list listeners; /* list of listeners using this bind config */
|
struct list listeners; /* list of listeners using this bind config */
|
||||||
|
@ -1151,7 +1151,7 @@ static int bind_parse_pcc(char **args, int cur_arg, struct proxy *px, struct bin
|
|||||||
static int bind_parse_generate_certs(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
static int bind_parse_generate_certs(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||||
{
|
{
|
||||||
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
conf->generate_certs = 1;
|
conf->options |= BC_O_GENERATE_CERTS;
|
||||||
#else
|
#else
|
||||||
memprintf(err, "%sthis version of openssl cannot generate SSL certificates.\n",
|
memprintf(err, "%sthis version of openssl cannot generate SSL certificates.\n",
|
||||||
err && *err ? *err : "");
|
err && *err ? *err : "");
|
||||||
|
@ -2557,7 +2557,7 @@ int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
|
|||||||
struct bind_conf *s = priv;
|
struct bind_conf *s = priv;
|
||||||
(void)al; /* shut gcc stupid warning */
|
(void)al; /* shut gcc stupid warning */
|
||||||
|
|
||||||
if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || s->generate_certs)
|
if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || (s->options & BC_O_GENERATE_CERTS))
|
||||||
return SSL_TLSEXT_ERR_OK;
|
return SSL_TLSEXT_ERR_OK;
|
||||||
return SSL_TLSEXT_ERR_NOACK;
|
return SSL_TLSEXT_ERR_NOACK;
|
||||||
}
|
}
|
||||||
@ -2664,7 +2664,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
|
|||||||
servername_len = len;
|
servername_len = len;
|
||||||
} else {
|
} else {
|
||||||
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) {
|
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl)) {
|
||||||
goto allow_early;
|
goto allow_early;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
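Review bot: The new condition `s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl)` relies on `&` binding tighter than `&&`; that is correct, but it is easy to misread as a masked `&&`, and the other new-side tests in this commit (ssl_sock_switchctx_err_cbk and ssl_sock_prepare_bind_conf) parenthesize the mask. Suggest `if ((s->options & BC_O_GENERATE_CERTS) && ssl_sock_generate_certificate_from_conn(s, ssl)) {` here. The same applies to the three later hunks of ssl_sock_switchctx_cbk at @@ -2827, @@ -2897 and @@ -2939. ssl_sock_switchctx_cbk starts and ends outside this hunk.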
@ -2827,7 +2827,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
|
|||||||
|
|
||||||
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
|
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
|
||||||
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
if (s->generate_certs && ssl_sock_generate_certificate(trash.area, s, ssl)) {
|
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(trash.area, s, ssl)) {
|
||||||
/* switch ctx done in ssl_sock_generate_certificate */
|
/* switch ctx done in ssl_sock_generate_certificate */
|
||||||
goto allow_early;
|
goto allow_early;
|
||||||
}
|
}
|
||||||
@ -2897,7 +2897,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
|
|||||||
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
|
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
|
||||||
if (!servername) {
|
if (!servername) {
|
||||||
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl))
|
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl))
|
||||||
return SSL_TLSEXT_ERR_OK;
|
return SSL_TLSEXT_ERR_OK;
|
||||||
#endif
|
#endif
|
||||||
if (s->strict_sni)
|
if (s->strict_sni)
|
||||||
@ -2939,7 +2939,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
|
|||||||
}
|
}
|
||||||
if (!node) {
|
if (!node) {
|
||||||
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) {
|
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(servername, s, ssl)) {
|
||||||
/* switch ctx done in ssl_sock_generate_certificate */
|
/* switch ctx done in ssl_sock_generate_certificate */
|
||||||
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
|
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
|
||||||
return SSL_TLSEXT_ERR_OK;
|
return SSL_TLSEXT_ERR_OK;
|
||||||
@ -5453,7 +5453,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (!bind_conf->default_ctx) {
|
if (!bind_conf->default_ctx) {
|
||||||
if (bind_conf->strict_sni && !bind_conf->generate_certs) {
|
if (bind_conf->strict_sni && !(bind_conf->options & BC_O_GENERATE_CERTS)) {
|
||||||
ha_warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
|
ha_warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
|
||||||
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
||||||
}
|
}
|
||||||
@ -5606,7 +5606,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
|
|||||||
int ret = 0;
|
int ret = 0;
|
||||||
char *err = NULL;
|
char *err = NULL;
|
||||||
|
|
||||||
if (!bind_conf->generate_certs)
|
if (!(bind_conf->options & BC_O_GENERATE_CERTS))
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
|
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
|
||||||
@ -5657,7 +5657,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
|
|||||||
free(ckch);
|
free(ckch);
|
||||||
}
|
}
|
||||||
|
|
||||||
bind_conf->generate_certs = 0;
|
bind_conf->options &= ~BC_O_GENERATE_CERTS;
|
||||||
ret++;
|
ret++;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
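Review bot: The line `bind_conf->options &= ~BC_O_GENERATE_CERTS;` silently changes what the SNI callbacks will do for this bind_conf, and it carries no comment saying why; from the surrounding `free(ckch)` and `ret++` this appears to be the path where CA loading did not succeed, but the start of ssl_sock_load_ca is outside the hunk, so confirm. Suggest a one-line comment above it such as `/* CA not usable: disable on-the-fly certificate generation for this bind_conf */` so the reason for clearing the flag is visible at the site.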
|