From 6fce46a910e4f7158139748b6892fdeda7848b3a Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Wed, 4 May 2022 14:53:41 +0200 Subject: [PATCH] MEDIUM: httpclient: hard-error when SSL is configured The hard_error_ssl flag is set when the configuration is explicitely done for the ssl in the httpclient. If no configuration was made, the features are simply disabled and no alert is emitted. --- src/http_client.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/http_client.c b/src/http_client.c index 25011e94f..a3d87caf3 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -42,7 +42,10 @@ static struct proxy *httpclient_proxy; static struct server *httpclient_srv_raw; + #ifdef USE_OPENSSL +/* if the httpclient is not configured, error are ignored and features are limited */ +static int hard_error_ssl = 0; static struct server *httpclient_srv_ssl; static int httpclient_ssl_verify = SSL_SOCK_VERIFY_REQUIRED; #endif @@ -1155,10 +1158,18 @@ static int httpclient_precheck() if (httpclient_ssl_verify == SSL_SOCK_VERIFY_REQUIRED) { httpclient_srv_ssl->ssl_ctx.ca_file = strdup("@system-ca"); if (!ssl_store_load_locations_file(httpclient_srv_ssl->ssl_ctx.ca_file, 1, CAFILE_CERT)) { - ha_warning("httpclient: cannot initialize SSL verify with 'ca-file \"%s\"'. Disabling SSL.\n", httpclient_srv_ssl->ssl_ctx.ca_file); - ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file); - srv_drop(httpclient_srv_ssl); - httpclient_srv_ssl = NULL; + /* if we failed to load the ca-file, only quits in + * error with hard_error, otherwise just disable the + * feature. */ + if (hard_error_ssl) { + memprintf(&errmsg, "cannot initialize SSL verify with 'ca-file \"%s\"'.", httpclient_srv_ssl->ssl_ctx.ca_file); + err_code |= ERR_ALERT | ERR_FATAL; + goto err; + } else { + ha_free(&httpclient_srv_ssl->ssl_ctx.ca_file); + srv_drop(httpclient_srv_ssl); + httpclient_srv_ssl = NULL; + } } } @@ -1273,6 +1284,9 @@ static int httpclient_parse_global_verify(char **args, int section_type, struct if (too_many_args(1, args, err, NULL)) return -1; + /* any configuration should set the hard_error flag */ + hard_error_ssl = 1; + if (strcmp(args[1],"none") == 0) httpclient_ssl_verify = SSL_SOCK_VERIFY_NONE; else if (strcmp(args[1],"required") == 0)