BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters
Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"), HAProxy generates a list of filters based on the sni_ctx in memory. However it's not always relevant: sometimes no filters were configured and the CN/SAN in the new certificate are not the same. This patch fixes the issue by using a `filters` flag in the ckch_inst, so we are able to know whether there were filters or not. In the latter case it uses the CN/SAN of the new certificate to generate the sni_ctx. note: filters are still only used in the crt-list atm.
This commit is contained in:
parent
0a52846603
commit
6763016866
@ -129,6 +129,7 @@ struct ckch_inst {
|
|||||||
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
|
struct bind_conf *bind_conf; /* pointer to the bind_conf that uses this ckch_inst */
|
||||||
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
|
struct ssl_bind_conf *ssl_conf; /* pointer to the ssl_conf which is used by every sni_ctx of this inst */
|
||||||
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
|
struct ckch_store *ckch_store; /* pointer to the store used to generate this inst */
|
||||||
|
unsigned int filters:1; /* using sni filters ? */
|
||||||
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
|
unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */
|
||||||
/* space for more flag there */
|
/* space for more flag there */
|
||||||
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
|
struct list sni_ctx; /* list of sni_ctx using this ckch_inst */
|
||||||
|
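Review bot: The comment on the new bit, `/* using sni filters ? */`, does not say what the flag decides, and that matters now that the certificate replacement path branches on it. I would state the contract the commit message gives: `unsigned int filters:1; /* set when the sni_ctx were built from explicit crt-list filters; when clear, a cert replacement regenerates them from the new cert's CN/SAN */`. struct ckch_inst starts and ends outside this hunk, so I cannot see how ckch_inst_new() initialises the bit; the comment should also mention the default if it is not zero.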
@ -4188,6 +4188,7 @@ static int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *c
|
|||||||
ckch_inst->bind_conf = bind_conf;
|
ckch_inst->bind_conf = bind_conf;
|
||||||
ckch_inst->ssl_conf = ssl_conf;
|
ckch_inst->ssl_conf = ssl_conf;
|
||||||
ckch_inst->ckch_store = ckchs;
|
ckch_inst->ckch_store = ckchs;
|
||||||
|
ckch_inst->filters = !!fcount;
|
||||||
end:
|
end:
|
||||||
|
|
||||||
if (names)
|
if (names)
|
||||||
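Review bot: `ckch_inst->filters = !!fcount;` records a decision that is only consumed far away in cli_io_handler_commit_cert, and nothing at this line says why it is remembered. A one-line why-comment would save the next reader the trip: `ckch_inst->filters = !!fcount; /* remember whether the SNI names came from crt-list filters, so that a later "commit ssl cert" knows whether to reuse them or derive them from the new cert's CN/SAN */`. Note that the flag is derived from the count argument alone, not from whether any sni_ctx was actually created from a filter; if a caller can pass a non-zero `fcount` with an empty or NULL `sni_filter` (I cannot tell from this hunk), the two would disagree. ckch_inst_new_load_multi_store begins and ends outside this hunk.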
@ -4377,6 +4378,7 @@ static int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs,
|
|||||||
ckch_inst->bind_conf = bind_conf;
|
ckch_inst->bind_conf = bind_conf;
|
||||||
ckch_inst->ssl_conf = ssl_conf;
|
ckch_inst->ssl_conf = ssl_conf;
|
||||||
ckch_inst->ckch_store = ckchs;
|
ckch_inst->ckch_store = ckchs;
|
||||||
|
ckch_inst->filters = !!fcount;
|
||||||
|
|
||||||
*ckchi = ckch_inst;
|
*ckchi = ckch_inst;
|
||||||
return errcode;
|
return errcode;
|
||||||
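Review bot: `ckch_inst->filters = !!fcount;` here duplicates the line added to the multi-store loader, so the meaning of the flag ("at least one filter string was passed in") now lives in two places with a comment in neither, and the two can drift if one loader's filter handling changes. I would carry the same comment in both, `/* 1 iff this inst was built from crt-list filters (fcount > 0); read by cli_io_handler_commit_cert */`, or fold the assignment into a small static helper both loaders call. ckch_inst_new_load_store begins outside this hunk; only its tail is visible here.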
@ -11006,10 +11008,11 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
|
|||||||
appctx->ctx.ssl.next_ckchi = ckchi;
|
appctx->ctx.ssl.next_ckchi = ckchi;
|
||||||
goto yield;
|
goto yield;
|
||||||
}
|
}
|
||||||
|
if (ckchi->filters) {
|
||||||
errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
|
errcode |= ckch_inst_sni_ctx_to_sni_filters(ckchi, &sni_filter, &fcount, &err);
|
||||||
if (errcode & ERR_CODE)
|
if (errcode & ERR_CODE)
|
||||||
goto error;
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
if (new_ckchs->multi)
|
if (new_ckchs->multi)
|
||||||
errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
|
errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, sni_filter, fcount, &new_inst, &err);
|
||||||
|
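Review bot: With the new `if (ckchi->filters)` guard, the `ckch_inst_new_load_multi_store(...)` call at the end of the hunk now receives `sni_filter` and `fcount` that this iteration never assigned, so correctness depends on both being `NULL`/`0` at loop entry and being reset after each instance is processed; the declarations and the per-instance cleanup are outside this hunk, so I cannot confirm that here. If an earlier `ckchi` in the same loop had `filters` set and its filter array is freed without clearing the pointer and count, the next instance without filters would be rebuilt from a stale list and the replacement certificate would be served under the wrong SNI names. Unless the cleanup already does it, I would reset both right after the instance is rebuilt, `sni_filter = NULL; fcount = 0;`, and likewise initialise them at their declaration. cli_io_handler_commit_cert starts before and continues after this hunk (the `else` branch calling the single-cert loader is not visible).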