From 696f317f13151e4427e3f9a8b560730ed6a7bb40 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Fri, 7 Feb 2020 20:45:24 +0100
Subject: [PATCH] BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init

The code which is supposed to apply the bind_conf configuration on the SSL_CTX was not called correctly. Indeed it was called with the previous SSL_CTX so the new ones were left with default settings. For example the ciphers were not changed. This patch fixes #429. Must be backported in 2.1.
---
 src/ssl_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7698eec7fb..67e086dff2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -10617,8 +10617,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
 new_inst->is_default = 1;
 /* we need to initialize the SSL_CTX generated */
- /* TODO: the prepare_ctx function need to be reworked to be safer there */
- list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) {
+ /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
+ list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
 if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */
 errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err);
 if (errcode & ERR_CODE)
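Review bot: The loop now walks `new_inst->sni_ctx`, but the `ssl_sock_prepare_ctx()` call on the next context line still takes `ckchi->bind_conf` and `ckchi->ssl_conf` from the old instance; if the new instance carries its own `bind_conf`/`ssl_conf` they should presumably be passed instead, and if they are guaranteed identical that invariant deserves a comment since the whole bug was mixing old and new objects. The added comment is also ungrammatical and would read better as `/* iterate over the SNIs generated for the new instance and prepare their SSL_CTX */`. The removed TODO about making prepare_ctx safer is dropped without the rework it described, so the concern is no longer tracked in the code. The enclosing function cli_io_handler_commit_cert starts and ends outside the hunk, so the handling after `if (errcode & ERR_CODE)` is not visible here.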