RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init 

The code which is supposed to apply the bind_conf configuration on the
SSL_CTX was not called correctly. Indeed it was called with the previous
SSL_CTX so the new ones were left with default settings. For example the
ciphers were not changed.

This patch fixes #429.

Must be backported in 2.1.
This commit is contained in:
William Lallemand 2020-02-07 20:45:24 +01:00 committed by William Lallemand
parent 817c4e39e5
commit 696f317f13
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/ssl_sock.c
View File

@ -10617,8 +10617,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
new_inst->is_default = 1;
/* we need to initialize the SSL_CTX generated */
/* TODO: the prepare_ctx function need to be reworked to be safer there */
list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */
errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
if (errcode & ERR_CODE)