RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-08 14:27:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1

Browse Source 
Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.

This problem was encountered by an user in issue #990.

This must be backported in 2.3.
This commit is contained in:
William Lallemand 2020-12-04 15:45:02 +01:00
parent d1f250f87b
commit b7fdfdfd92
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_crtlist.c
View File

@ -602,6 +602,13 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
entry_dup = NULL; /* the entry was used, we need a new one next round */
}
#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
if (found) {
memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
#endif
}
if (!found) {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",

8
src/ssl_sock.c
View File

@ -3543,7 +3543,13 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
}
}
}
#if HA_OPENSSL_VERSION_NUMBER < 0x10101000L
if (found) {
memprintf(err, "%sCan't load '%s'. Loading a multi certificates bundle requires OpenSSL >= 1.1.1\n",
err && *err ? *err : "", path);
cfgerr |= ERR_ALERT | ERR_FATAL;
}
#endif
}
}
if (!found) {