MINOR: ssl: make self-generated certs also work with raw IPv6 addresses

The current method of retrieving the incoming connection's destination
address to hash it is compatible with neither IPv6 nor the proxy protocol,
because it directly tries to get an IPv4 address from the socket. Instead
we must ask the connection. This is only used when no SNI is provided.
Willy Tarreau 2015-07-07 18:04:38 +02:00
parent 96a0be78ed
commit f67214554c


@ -1188,18 +1188,20 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (!servername) {
struct sockaddr to;
int fd;
if (s->generate_certs) {
struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
unsigned int serial;
SSL_CTX *ctx;
if (s->generate_certs &&
(fd = SSL_get_fd(ssl)) != -1 &&
tcp_get_dst(fd, &to, sizeof(to), 0) != -1) {
unsigned int serial = ssl_sock_generated_cert_serial(&to, sizeof(to));
SSL_CTX *ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
if (ctx) {
/* switch ctx */
SSL_set_SSL_CTX(ssl, ctx);
return SSL_TLSEXT_ERR_OK;
conn_get_to_addr(conn);
if (conn->flags & CO_FL_ADDR_TO_SET) {
serial = ssl_sock_generated_cert_serial(&conn->addr.to, get_addr_len(&conn->addr.to));
ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
if (ctx) {
/* switch ctx */
SSL_set_SSL_CTX(ssl, ctx);
return SSL_TLSEXT_ERR_OK;
}
}
}