Repositories - haproxy-2.3.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Wed, 17 Mar 2021 13:56:54 +0000 (14:56 +0100)
committer	William Lallemand <wlallemand@haproxy.org>
	Wed, 31 Mar 2021 07:51:08 +0000 (09:51 +0200)
commit	358a82232edb885c466159b9ed487dd8ec8fb226
tree	6395e304614a587b51edc1aac80add658b9bcb0c	tree \| snapshot
parent	e3647da097fbf23ca45fb065bb5c1cde98d6c40d	commit \| diff

BUG/MINOR: ssl: Fix update of default certificate

The default SSL_CTX used by a specific frontend is the one of the first
ckch instance created for this frontend. If this instance has SNIs, then
the SSL context is linked to the instance through the list of SNIs
contained in it. If the instance does not have any SNIs though, then the
SSL_CTX is only referenced by the bind_conf structure and the instance
itself has no link to it.
When trying to update a certificate used by the default instance through
a cli command, a new version of the default instance was rebuilt but the
default SSL context referenced in the bind_conf structure would not be
changed, resulting in a buggy behavior in which depending on the SNI
used by the client, he could either use the new version of the updated
certificate or the original one.

This patch adds a reference to the default SSL context in the default
ckch instances so that it can be hot swapped during a certificate
update.

This should fix GitHub issue #1143.

It can be backported as far as 2.2.

(cherry picked from commit 8218aed90e862ed01c2a8bb9bf81e6d1a90f14db)
[wla: added the ctx field in the ckch_inst which is needed]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>

include/haproxy/ssl_ckch-t.h		diff \| blob \| history
reg-tests/ssl/set_default_cert.crt-list	[new file with mode: 0644]	blob
reg-tests/ssl/set_default_cert.pem	[new file with mode: 0644]	blob
reg-tests/ssl/set_ssl_cert.vtc		diff \| blob \| history
src/ssl_sock.c		diff \| blob \| history