Repositories - haproxy-2.5.git/commit

author	William Lallemand <wlallemand@haproxy.org>
	Tue, 28 Dec 2021 17:47:17 +0000 (18:47 +0100)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 30 Dec 2021 09:51:11 +0000 (10:51 +0100)
commit	2f3c354b6cdc21ee185e263b5c7422c86ae58c98
tree	7fcf75773fb56eef2deeccd774b5493bad520c8b	tree \| snapshot
parent	561b0849ab467331c68b499c0a0e12e6e7486734	commit \| diff

BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server

This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
certificates in a ckch for backend servers") in which the creation of
the SSL_CTX for a server was moved to the configuration parser when
using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().

The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
server") made it worse by setting the same SSL_CTX for every servers
using a default-server. Resulting in any SSL option on a server applied
to every server in its backend.

This patch fixes the issue by reintroducing a string which store the
path of certificate inside the server structure, and loading the
certificate in ssl_sock_prepare_srv_ctx() again.

This is a quick fix to backport, a cleaner way can be achieve by always
creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
properly the ssl_sock_load_srv_cert() function.

This patch fixes issue #1488.

Must be backported as far as 2.4.

(cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)
Signed-off-by: Willy Tarreau <w@1wt.eu>

include/haproxy/server-t.h		diff \| blob \| history
reg-tests/ssl/ssl_default_server.vtc		diff \| blob \| history
src/cfgparse-ssl.c		diff \| blob \| history
src/server.c		diff \| blob \| history
src/ssl_sock.c		diff \| blob \| history