From 40ddea8222fdee9852927846ef2bc67d910ea359 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 13 Apr 2021 16:07:29 +0200
Subject: [PATCH] MINOR: ssl: Add reference to default ckch instance in bind_conf

In order for the link between the cafile_entry and the default ckch instance to be built, we need to give a pointer to the instance during the ssl_sock_prepare_ctx call.
---
include/haproxy/listener-t.h | 1 +
src/ssl_sock.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index b9c129085..959f3e83e 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -164,6 +164,7 @@ struct bind_conf {
unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
SSL_CTX *initial_ctx; /* SSL context for initial negotiation */
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
+ struct ckch_inst *default_inst;
struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
int strict_sni; /* refuse negotiation if sni doesn't match a certificate */
int ssl_options; /* ssl options */
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8f9f53540..c7e1005d5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2933,6 +2933,7 @@ void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_
SSL_CTX_free(bind_conf->default_ctx);
SSL_CTX_up_ref(ckch_inst->ctx);
bind_conf->default_ctx = ckch_inst->ctx;
+ bind_conf->default_inst = ckch_inst;
}
}

@@ -3368,6 +3369,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct
bind_conf->default_ssl_conf = ssl_conf;
ckch_inst->is_default = 1;
SSL_CTX_up_ref(ctx);
+ bind_conf->default_inst = ckch_inst;
}

/* Always keep a reference to the newly constructed SSL_CTX in the 
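Review bot: The new `default_inst` member is the only field in this run of struct bind_conf without a trailing comment, and nothing records that it is a non-owning back-reference: `default_ctx` just above holds a counted SSL_CTX reference (the src/ssl_sock.c hunks call `SSL_CTX_up_ref` before storing it), whereas `default_inst` is a plain copied pointer with no reference taken. I would document the invariant so later code keeps the pair in sync, e.g. `struct ckch_inst *default_inst; /* ckch instance owning default_ctx, not ref-counted; NULL when none */`. Whether the instance is guaranteed to outlive the bind_conf is not visible in this patch, so the comment should also name who is responsible for resetting the field when that instance is freed.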
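Review bot: `bind_conf->default_inst = ckch_inst;` stores a raw pointer without taking a reference, and the only place this patch clears it is ssl_sock_free_all_ctx; the instance's own teardown path (ckch_inst_free, as used on a runtime certificate replacement) is not in the diff, so if an is_default instance is freed while its bind_conf is still alive, default_inst dangles and the next ssl_sock_prepare_all_ctx would hand a freed pointer to ssl_sock_prep_ctx_and_inst. If the instance teardown does not already do it, I would reset the back-reference there, along the lines of `if (inst->is_default && inst->bind_conf && inst->bind_conf->default_inst == inst) inst->bind_conf->default_inst = NULL;` (member names to be confirmed against struct ckch_inst, which is not shown). The enclosing ssl_sock_load_cert_sni starts before this hunk.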
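Review bot: The same `bind_conf->default_inst = ckch_inst;` assignment is now made here, keyed on `ckch_inst->is_default = 1;` one line above, and again in ssl_sock_load_cert_sni keyed on the same flag, so the two sites will silently diverge if either one is later changed on its own. A short cross-reference on the added line, `/* also recorded by ssl_sock_load_cert_sni() when the instance is inserted; keep both in sync */`, would make that coupling visible. ckch_inst_new_load_store starts and ends outside this hunk, and the trailing comment line is cut off in this view.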
@@ -4903,7 +4905,7 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, NULL, bind_conf->initial_ctx, NULL, &errmsg);
}
if (bind_conf->default_ctx) {
- errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, NULL, &errmsg);
+ errcode |= ssl_sock_prep_ctx_and_inst(bind_conf, bind_conf->default_ssl_conf, bind_conf->default_ctx, bind_conf->default_inst, &errmsg);
}

node = ebmb_first(&bind_conf->sni_ctx);
@@ -5054,6 +5056,7 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf)
bind_conf->initial_ctx = NULL;
SSL_CTX_free(bind_conf->default_ctx);
bind_conf->default_ctx = NULL;
+ bind_conf->default_inst = NULL;
bind_conf->default_ssl_conf = NULL;
}
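Review bot: The guard on the changed line tests `bind_conf->default_ctx` but the argument that changed is `bind_conf->default_inst`, so a path that assigns default_ctx without also assigning default_inst would pass NULL here and the cafile link the commit message describes would silently not be built; the two fields are set together in both sites this patch touches, but nothing enforces it. The initial_ctx call two lines above still passes `NULL` as the instance, so ssl_sock_prep_ctx_and_inst has to keep accepting a NULL instance either way; I would make the expectation explicit, e.g. `/* default_inst is expected whenever default_ctx is set; a NULL here means the link to the cafile_entry is not built */` above the call, or a project-style assertion that `!bind_conf->default_ctx || bind_conf->default_inst` before it. The enclosing ssl_sock_prepare_all_ctx starts and ends outside this hunk.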