From: William Lallemand Date: Wed, 27 Aug 2025 13:44:24 +0000 (+0200) Subject: MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=47f8dcc7c57e032f2d5dbd8adb9158e0700f4b03;p=haproxy-3.0.git MINOR: ssl: diagnostic warning when both 'default-crt' and 'strict-sni' are used It possible to use both 'strict-sni' and 'default-crt' on the same bind line, which does not make much sense. This patch implements a check which will look for default certificates in the sni_w tree when strict-sni is used. (Referenced by their empty sni ""). default-crt sets the CKCH_INST_EXPL_DEFAULT flag in ckch_inst->is_default, so its possible to differenciate explicits default from implicit default. Could be backported as far as 3.0. This was discussed in ticket #3082. (cherry picked from commit 18ebd81962e1f53b8f59bfee5b9795bff69ac16b) Signed-off-by: Christopher Faulet (cherry picked from commit a9010888c016718d1b5200e88b0410ad315f8f64) [wla: BC_SSL_O_STRICT_SNI doesn't exist and must be replaced by strict_sni] Signed-off-by: William Lallemand (cherry picked from commit 39f930548d188c92aacf3107dcb8e03bca069a4b) Signed-off-by: William Lallemand --- diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h index 0e501e5..de5b7f8 100644 --- a/include/haproxy/ssl_ckch-t.h +++ b/include/haproxy/ssl_ckch-t.h @@ -107,6 +107,11 @@ struct ckch_inst_link_ref { struct list list; }; + +#define CKCH_INST_NO_DEFAULT 0 /* not the default instance */ +#define CKCH_INST_IMPL_DEFAULT 1 /* implicit default instance (declaration order) */ +#define CKCH_INST_EXPL_DEFAULT 2 /* explicit default instance (default-crt) */ + /* * This structure describe a ckch instance. An instance is generated for each * bind_conf. The instance contains a linked list of the sni ctx which uses @@ -119,7 +124,7 @@ struct ckch_inst { struct crtlist_entry *crtlist_entry; /* pointer to the crtlist_entry used, or NULL */ struct server *server; /* pointer to the server if is_server_instance is set, NULL otherwise */ SSL_CTX *ctx; /* pointer to the SSL context used by this instance */ - unsigned int is_default:1; /* This instance is used as the default ctx for this bind_conf */ + unsigned int is_default:2; /* This instance is used as the default ctx for this bind_conf (1: implicit default, 2: explicit default) */ unsigned int is_server_instance:1; /* This instance is used by a backend server */ /* space for more flag there */ struct list sni_ctx; /* list of sni_ctx using this ckch_inst */ diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index e7a7d47..267db60 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c @@ -777,7 +777,7 @@ static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, s static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) { char path[MAXPATHLEN]; - int default_crt = *args[cur_arg] == 'd' ? 1 : 0; + int default_crt = *args[cur_arg] == 'd' ? CKCH_INST_EXPL_DEFAULT : CKCH_INST_NO_DEFAULT; if (!*args[cur_arg + 1]) { memprintf(err, "'%s' : missing certificate location", args[cur_arg]); diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 77e760f..b946247 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -2056,8 +2056,7 @@ int ckch_inst_rebuild(struct ckch_store *ckch_store, struct ckch_inst *ckchi, return 1; /* if the previous ckchi was used as the default */ - if (ckchi->is_default) - (*new_inst)->is_default = 1; + (*new_inst)->is_default = ckchi->is_default; (*new_inst)->is_server_instance = ckchi->is_server_instance; (*new_inst)->server = ckchi->server; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 0db09b2..b6a3d30 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3586,7 +3586,7 @@ int ckch_inst_new_load_store(const char *path, struct ckch_store *ckchs, struct */ if (is_default) { - ckch_inst->is_default = 1; + ckch_inst->is_default = is_default; /* insert an empty SNI which will be used to lookup default certificate */ order = ckch_inst_add_cert_sni(ctx, ckch_inst, bind_conf, ssl_conf, kinfo, "*", order); @@ -3807,14 +3807,14 @@ int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_con list_for_each_entry(entry, &crtlist->ord_entries, by_crtlist) { struct ckch_store *store; struct ckch_inst *ckch_inst = NULL; - int is_default = 0; + int is_default = CKCH_INST_NO_DEFAULT; store = entry->node.key; /* if the SNI trees were empty the first "crt" become a default certificate, * it can be applied on multiple certificates if it's a bundle */ if (eb_is_empty(&bind_conf->sni_ctx) && eb_is_empty(&bind_conf->sni_w_ctx)) - is_default = 1; + is_default = CKCH_INST_IMPL_DEFAULT; cfgerr |= ssl_sock_load_ckchs(store->path, store, bind_conf, entry->ssl_conf, entry->filters, entry->fcount, is_default, &ckch_inst, err); @@ -3869,9 +3869,9 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default, /* if the SNI trees were empty the first "crt" become a default certificate, * it can be applied on multiple certificates if it's a bundle */ - if (is_default == 0) { + if (is_default == CKCH_INST_NO_DEFAULT) { if (eb_is_empty(&bind_conf->sni_ctx) && eb_is_empty(&bind_conf->sni_w_ctx)) - is_default = 1; + is_default = CKCH_INST_IMPL_DEFAULT; } if ((ckchs = ckchs_lookup(path))) { @@ -5369,6 +5369,34 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf) } } + /* check that we didn't use "strict-sni" and "default-crt" together */ + if (bind_conf->strict_sni) { + struct ebmb_node *node, *n; + const char *wildp = ""; + int is_default = CKCH_INST_NO_DEFAULT; + + node = ebst_lookup(&bind_conf->sni_w_ctx, wildp); + for (n = node; n; n = ebmb_next_dup(n)) { + struct sni_ctx *sni; + + sni = container_of(n, struct sni_ctx, name); + if (!sni->neg) { + + if (sni->ckch_inst->is_default == CKCH_INST_EXPL_DEFAULT) { + is_default = CKCH_INST_EXPL_DEFAULT; + break; + } + } + } + + if (is_default == CKCH_INST_EXPL_DEFAULT) { + ha_diag_warning("Proxy '%s': both 'default-crt' and 'strict-sni' keywords are used in bind '%s' at [%s:%d], certificates won't be used as fallback (use 'crt' instead).\n", + px->id, bind_conf->arg, bind_conf->file, bind_conf->line); + } + + } + + if ((bind_conf->options & BC_O_GENERATE_CERTS)) { struct sni_ctx *sni_ctx;