RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-04 18:39:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
106f631280
haproxy/tests
History
Willy Tarreau 2ab88675ec MINOR: ssl: compare server certificate names to the SNI on outgoing connections 
When support for passing SNI to the server was added in 1.6-dev3, there
was no way to validate that the certificate presented by the server would
really match the name requested in the SNI, which is quite a problem as
it allows other (valid) certificates to be presented instead (when hitting
the wrong server or due to a man in the middle).

This patch adds the missing check against the value passed in the SNI.
The "verifyhost" value keeps precedence if set. If no SNI is used and
no verifyhost directive is specified, then the certificate name is not
checked (this is unchanged).

In order to extract the SNI value, it was necessary to make use of
SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is
a trivial function which returns the value of s->tlsext_hostname, so
it was provided in the compat layer for older versions. After some
refinements from Emmanuel, it now builds with openssl 1.0.2, openssl
1.1.0 and boringssl. A test file was provided to ease testing all cases.

After some careful observation period it may make sense to backport
this to 1.7 and 1.6 as some users rightfully consider this limitation
as a bug.

Cc: Emmanuel Hocdet <manu@gandi.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-06 15:15:28 +02:00
..
0000-debug-stats.diff BUG/MAJOR: trash must always be the size of a buffer 2012-05-16 14:21:55 +02:00
blocksig.c TESTS: add blocksig.c to run tests with all signals blocked 2016-04-20 10:53:12 +02:00
filltab25.c CLEANUP: remove unneeded casts 2016-04-03 14:17:42 +02:00
hash_results.txt
hashing-results.txt DOC: Documentation for hashing function, with test results. 2013-11-20 22:14:47 +01:00
io_limits.txt
ip-hash.c
reset.c [TESTS] add a simple program to test connection resets 2010-03-25 06:38:21 +01:00
sockstat.txt
test_hashes.c
test_pools.c
test-acl-args.cfg TESTS: add regression tests for ACL and sample expression parsers 2013-12-13 01:35:08 +01:00
test-address-syntax.cfg [TESTS] provide a test case for various address formats 2011-03-23 22:49:57 +01:00
test-arg.c MEDIUM: add a new typed argument list parsing framework 2012-05-08 20:57:10 +02:00
test-backlog.cfg
test-check-expect.cfg [TESTS] add test-check-expect to test various http-check methods 2010-10-30 19:04:32 +02:00
test-connection.cfg
test-cookie-indirect.cfg [MEDIUM] http: fix space handling in the request cookie parser 2010-09-01 00:02:21 +02:00
test-cookie-insert.cfg [MEDIUM] http: fix space handling in the request cookie parser 2010-09-01 00:02:21 +02:00
test-cookie-passive.cfg [MEDIUM] http: fix space handling in the request cookie parser 2010-09-01 00:02:21 +02:00
test-cookie-prefix.cfg [MEDIUM] http: fix space handling in the request cookie parser 2010-09-01 00:02:21 +02:00
test-cookie-rewrite.cfg [MEDIUM] http: fix space handling in the request cookie parser 2010-09-01 00:02:21 +02:00
test-disable-404.cfg
test-fsm.cfg [TESTS] refine non-regression tests and add 4 new tests 2010-06-07 22:43:55 +02:00
test-fwlc.cfg
test-fwrr.cfg
test-handshakes-chk.cfg TESTS: add a test configuration to stress handshake combinations 2017-03-19 11:59:47 +01:00
test-handshakes.cfg TESTS: add a test configuration to stress handshake combinations 2017-03-19 11:59:47 +01:00
test-http-send-name-hdr.cfg MEDIUM: http: add support for sending the server's name in the outgoing request 2012-01-05 15:17:31 +01:00
test-inspect-smtp.cfg
test-inspect-ssl.cfg
test-map-ports.cfg
test-pollers.cfg
test-redirect.cfg
test-sample-fetch-args.cfg TESTS: add regression tests for ACL and sample expression parsers 2013-12-13 01:35:08 +01:00
test-sample-fetch-conv.cfg TESTS: add regression tests for ACL and sample expression parsers 2013-12-13 01:35:08 +01:00
test-sql.cfg [MINOR] add better support to "mysql-check" 2010-10-30 19:04:35 +02:00
test-srv-verify.cfg MINOR: ssl: compare server certificate names to the SNI on outgoing connections 2017-07-06 15:15:28 +02:00
test-str2sa.cfg MINOR: tests: add a config file to ease address parsing tests. 2013-02-20 19:23:44 +01:00
test-time.cfg
test-timeout.cfg
test-url-hash.cfg [TESTS] update the url_param regression test to test check_post too 2011-03-01 20:43:27 +01:00
test-valid-names.cfg
test.c
testinet.c
uri_hash.c