RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-18 09:24:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

MEDIUM: ssl: emulate multi-cert bundles loading in standard loading

Browse Source 
Like the previous commit, this one emulates the bundling by loading each
certificate separately and storing it in a separate SSL_CTX.
This patch does it for the standard certificate loading, which means
outside directories or crt-list.

The multi-certificates bundle was the common way of offering multiple
certificates of different types (ecdsa and rsa) for a same SSL_CTX.
This was implemented with OpenSSL 1.0.2 before the client_hello callback
was available.

Now that all versions which does not support this callback are
deprecated (< 1.1.0), we can safely removes the support for the bundle
which was inconvenient and complexify too much the code.
This commit is contained in:
William Lallemand 2020-09-16 14:48:52 +02:00 committed by William Lallemand
parent 47da82111d
commit dfa93be3b5
1 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/ssl_sock.c
View File

@ -3784,11 +3784,29 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
} else {
/* stat failed, could be a bundle */
if (global_ssl.extra_files & SSL_GF_BUNDLE) {
/* try to load a bundle if it is permitted */
ckchs = ckchs_load_cert_file(path, 1, err);
if (!ckchs)
return ERR_ALERT | ERR_FATAL;
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
char fp[MAXPATHLEN+1] = {0};
int n = 0;
/* Load all possible certs and keys in separate ckch_store */
for (n = 0; n < SSL_SOCK_NUM_KEYTYPES; n++) {
struct stat buf;
int ret;
ret = snprintf(fp, sizeof(fp), "%s.%s", path, SSL_SOCK_KEYTYPE_NAMES[n]);
if (ret > sizeof(fp))
continue;
if ((ckchs = ckchs_lookup(fp))) {
cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
} else {
if (stat(fp, &buf) == 0) {
ckchs = ckchs_load_cert_file(fp, 0, err);
if (!ckchs)
return ERR_ALERT | ERR_FATAL;
cfgerr |= ssl_sock_load_ckchs(fp, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
}
}
}
} else {
memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
err && *err ? *err : "", fp, strerror(errno));