haproxy public development tree
Latest commit 94bd319b26 by William Lallemand:
BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
In bug #810, the SNIs are not matched correctly; indeed, when trying to
match a certificate type in ssl_sock_switchctx_cbk(), not all SNIs were
looked up correctly.

In the case where you have, in a crt-list:

wildcard.subdomain.domain.tld.pem.rsa *.subdomain.domain.tld record.subdomain.domain.tld
record.subdomain.domain.tld.pem.ecdsa record.subdomain.domain.tld another-record.subdomain.domain.tld

If the client only supports RSA and requests
"another-record.subdomain.domain.tld", HAProxy will find the single
ECDSA certificate and won't try to look up a wildcard RSA
certificate.

This patch fixes the code so we look for all single and
wildcard certificates before choosing the certificate type.

This bug was introduced by commit 3777e3a ("BUG/MINOR: ssl: certificate
choice can be unexpected with openssl >= 1.1.1").

It must be backported as far as 1.8 once it is heavily tested.
2020-08-14 15:47:48 +02:00
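The lookup order the commit describes, as an added Python model; this is not HAProxy's C code (the real logic is in ssl_sock_switchctx_cbk()), it only reproduces the two orderings so the failing case can be run. It assumes, beyond what the commit states, that a crt-list line is "<file> <sni> [<sni> ...]" with the key type taken from the file's trailing ".rsa"/".ecdsa" suffix, that an exact entry is preferred over a wildcard one, and that ECDSA is preferred over RSA when the client accepts both; clients that signal no key-type preference are left out of the model. The crt-list is the constructed one from the commit message.

```python
"""Model of the SNI lookup order described in the commit message, before and
after the fix. Constructed example, not HAProxy's own C code.

Assumptions (not stated by the commit):
  - a crt-list line is "<file> <sni> [<sni> ...]" and the key type is taken
    from the file's trailing ".rsa" / ".ecdsa" suffix
  - an exact-name entry is preferred over a wildcard one, and ECDSA over RSA
    when the client accepts both; clients signalling no preference are ignored
"""
from dataclasses import dataclass

# Constructed crt-list, the two lines quoted in the commit message.
CRT_LIST = """\
wildcard.subdomain.domain.tld.pem.rsa *.subdomain.domain.tld record.subdomain.domain.tld
record.subdomain.domain.tld.pem.ecdsa record.subdomain.domain.tld another-record.subdomain.domain.tld
"""


@dataclass(frozen=True)
class SniCtx:
    filename: str
    name: str        # lowercase SNI; for a wildcard, the part after the '*'
    wildcard: bool
    keytype: str     # "rsa" or "ecdsa"


def parse_crt_list(text):
    """One SniCtx per (file, SNI) pair, in crt-list order."""
    ctxs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        filename, snis = parts[0], parts[1:]
        keytype = filename.rsplit(".", 1)[-1]
        if keytype not in ("rsa", "ecdsa"):
            raise ValueError(f"cannot tell the key type of {filename}")
        for sni in snis:
            sni = sni.lower()
            if sni.startswith("*"):
                ctxs.append(SniCtx(filename, sni[1:], True, keytype))
            else:
                ctxs.append(SniCtx(filename, sni, False, keytype))
    return ctxs


def exact_matches(ctxs, servername):
    return [c for c in ctxs if not c.wildcard and c.name == servername]


def wildcard_matches(ctxs, servername):
    # "*.x.y" matches "a.x.y": compare the wildcard tail with the name minus its first label
    dot = servername.find(".")
    if dot < 0:
        return []
    return [c for c in ctxs if c.wildcard and c.name == servername[dot:]]


def pick_by_keytype(candidates, client_keytypes):
    """First candidate whose key type the client accepts, ECDSA before RSA."""
    for keytype in ("ecdsa", "rsa"):
        if keytype in client_keytypes:
            for c in candidates:
                if c.keytype == keytype:
                    return c
    return None


def select_before_fix(ctxs, servername, client_keytypes):
    """Buggy order: take the first SNI bucket with any entry (exact, else
    wildcard) and choose the key type only within that bucket. An exact
    ECDSA-only bucket therefore hides a usable wildcard RSA certificate."""
    servername = servername.lower()
    candidates = exact_matches(ctxs, servername) or wildcard_matches(ctxs, servername)
    return pick_by_keytype(candidates, client_keytypes)


def select_after_fix(ctxs, servername, client_keytypes):
    """Fixed order: look up both the exact and the wildcard entries, then
    choose the key type, still preferring an exact match when one fits."""
    servername = servername.lower()
    return (pick_by_keytype(exact_matches(ctxs, servername), client_keytypes)
            or pick_by_keytype(wildcard_matches(ctxs, servername), client_keytypes))


def compare(servername, client_keytypes, crt_list=CRT_LIST):
    """(file chosen before the fix, file chosen after the fix); None = no usable cert."""
    ctxs = parse_crt_list(crt_list)
    before = select_before_fix(ctxs, servername, client_keytypes)
    after = select_after_fix(ctxs, servername, client_keytypes)
    return (before.filename if before else None, after.filename if after else None)


if __name__ == "__main__":
    cases = [("another-record.subdomain.domain.tld", {"rsa"}),
             ("another-record.subdomain.domain.tld", {"rsa", "ecdsa"}),
             ("record.subdomain.domain.tld", {"rsa"}),
             ("unknown.subdomain.domain.tld", {"rsa"})]
    for sni, algs in cases:
        before, after = compare(sni, algs)
        print(f"{sni:38} client={sorted(algs)!s:18} before={before} after={after}")
```

The first case is the one from the commit: an RSA-only client asking for another-record.subdomain.domain.tld gets nothing before the fix, because the exact bucket holds only the ECDSA file and the wildcard bucket is never consulted, and gets the wildcard RSA file after it. The last case shows that a name with no exact entry was already handled correctly, which is why the bug only surfaces on names listed under a single-type certificate.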
Path           Last change                 Last commit
.github        2020-06-26 11:26:52 +02:00  CI: extend spellchecker whitelist
contrib        2020-08-05 22:12:54 +02:00  DOC: spoa-server: fix false friends actually
doc            2020-08-10 17:31:10 +02:00  BUG/MINOR: ssl: ssl-skip-self-issued-ca requires >= 1.0.2
examples       2020-06-26 11:27:28 +02:00  CLEANUP: assorted typo fixes in the code and comments
include        2020-08-14 07:53:40 +02:00  OPTIM: regex: PCRE2 use JIT match when JIT optimisation occured.
reg-tests      2020-08-07 15:38:40 +02:00  MINOR: ssl: add ssl_{c,s}_chain_der fetch methods
scripts        2020-07-31 16:57:35 +02:00  SCRIPTS: git-show-backports: emit the shell command to backport a commit
src            2020-08-14 15:47:48 +02:00  BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
tests          2020-07-10 08:50:41 +02:00  MINOR: lists: rename some MT_LIST operations to clarify them
.cirrus.yml    2020-07-04 06:58:14 +02:00  CI: cirrus-ci: exclude slow reg-tests
.gitignore     2019-06-15 22:00:14 +02:00  DOC: create a BRANCHES file to explain the life cycle
.travis.yml    2020-08-05 11:40:14 +02:00  CI: travis-ci: specify SLZ_LIB, SLZ_INC for travis builds
BRANCHES       2020-03-09 14:45:58 +01:00  DOC: assorted typo fixes in the documentation
CHANGELOG      2020-07-31 14:48:32 +02:00  [RELEASE] Released version 2.3-dev2
CONTRIBUTING   2020-07-26 22:35:43 +02:00  DOC: Use gender neutral language
INSTALL        2020-07-07 16:38:51 +02:00  MINOR: version: back to development, update status message
LICENSE
MAINTAINERS    2020-06-11 10:18:56 +02:00  REORG: include: split hathreads into haproxy/thread.h and haproxy/thread-t.h
Makefile       2020-08-11 10:31:18 +02:00  BUILD: makefile: don't disable -Wstringop-overflow anymore
README         2019-06-15 22:00:14 +02:00  DOC: create a BRANCHES file to explain the life cycle
ROADMAP        2019-06-15 21:59:54 +02:00  DOC: update the outdated ROADMAP file
SUBVERS
VERDATE        2020-07-31 14:48:32 +02:00  [RELEASE] Released version 2.3-dev2
VERSION        2020-07-31 14:48:32 +02:00  [RELEASE] Released version 2.3-dev2

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for:

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located in the doc/ directory:

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration reference manual
  - doc/lua.txt for the Lua reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)