From f67214554cfb3117effab1f0b705d027354f4b36 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 7 Jul 2015 18:04:38 +0200
Subject: [PATCH] MINOR: ssl: make self-generated certs also work with raw IPv6 addresses

The current method of retrieving the incoming connection's destination address to hash it is not compatible with IPv6 nor the proxy protocol because it directly tries to get an IPv4 address from the socket. Instead we must ask the connection. This is only used when no SNI is provided.
---
 src/ssl_sock.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index dcbef4c57..aa7bb1bd8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1188,18 +1188,20 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
 servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
 if (!servername) {
- struct sockaddr to;
- int fd;
+ if (s->generate_certs) {
+ struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
+ unsigned int serial;
+ SSL_CTX *ctx;
- if (s->generate_certs &&
- (fd = SSL_get_fd(ssl)) != -1 &&
- tcp_get_dst(fd, &to, sizeof(to), 0) != -1) {
- unsigned int serial = ssl_sock_generated_cert_serial(&to, sizeof(to));
- SSL_CTX *ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
- if (ctx) {
- /* switch ctx */
- SSL_set_SSL_CTX(ssl, ctx);
- return SSL_TLSEXT_ERR_OK;
+ conn_get_to_addr(conn);
+ if (conn->flags & CO_FL_ADDR_TO_SET) {
+ serial = ssl_sock_generated_cert_serial(&conn->addr.to, get_addr_len(&conn->addr.to));
+ ctx = ssl_sock_get_generated_cert(serial, s->ca_sign_cert);
+ if (ctx) {
+ /* switch ctx */
+ SSL_set_SSL_CTX(ssl, ctx);
+ return SSL_TLSEXT_ERR_OK;
+ }
 }
 }