File 0003-BUG-MINOR-ssl-correctly-initialize-ssl-ctx-for-inval.patch of Package haproxy
From aef30d9c5c213b854a4be110cb30f3e8f54166ff Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.com>
Date: Thu, 30 Oct 2014 19:25:24 +0100
Subject: [PATCH 03/13] BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates

Bug reported by John Leach: no-sslv3 does not work using some certificates. It appears that ssl ctx is not updated with configured options if the CommonName of the certificate's subject is not found. It applies only on the first cerificate of a configured bind line. There is no security impact, because only invalid nameless certficates are concerned. This fix must be backported to 1.5 (cherry picked from commit 0bed9945eec049f12638ac3ef82e2084ac4da1c0)
---
 Makefile | 2 +-
 src/ssl_sock.c | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 707037b..75bdce4 100644
--- a/Makefile
+++ b/Makefile
@@ -540,7 +540,7 @@ ifneq ($(USE_OPENSSL),)
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 BUILD_OPTIONS += $(call ignore_implicit,USE_OPENSSL)
 OPTIONS_CFLAGS += -DUSE_OPENSSL $(if $(SSL_INC),-I$(SSL_INC))
-OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto -ldl
 OPTIONS_OBJS += src/ssl_sock.o src/shctx.o
 ifneq ($(USE_PRIVATE_CACHE),)
 OPTIONS_CFLAGS += -DUSE_PRIVATE_CACHE
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f1616ca..f8bfbe7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
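Review bot: The `-ldl` added to the `OPTIONS_LDFLAGS` line in the Makefile hunk is not mentioned in the patch description, which covers only the ssl ctx initialization in src/ssl_sock.c, so a reader cannot tell whether it belongs to the cherry-picked commit or was added while packaging. It is appended unconditionally whenever USE_OPENSSL is set; if it is only needed because libcrypto on this target pulls in the dynamic loader (an assumption to confirm), a comment such as `# -ldl: required by libcrypto on this target` would record the reason. A build-flag change that rides along with a backported fix is easier to audit when it is carried as its own patch with its own description.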
@@ -1949,10 +1949,15 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 if (!bind_conf || !bind_conf->is_ssl)
 return 0;
 
+ if (bind_conf->default_ctx)
+ err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
 node = ebmb_first(&bind_conf->sni_ctx);
 while (node) {
 sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 node = ebmb_next(node);
 }
@@ -1960,7 +1965,9 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 node = ebmb_first(&bind_conf->sni_w_ctx);
 while (node) {
 sni = ebmb_entry(node, struct sni_ctx, name);
- if (!sni->order) /* only initialize the CTX on its first occurrence */
+ if (!sni->order && sni->ctx != bind_conf->default_ctx)
+ /* only initialize the CTX on its first occurrence and
+ if it is not the default_ctx */
 err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 node = ebmb_next(node);
 }
-- 
2.1.4
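Review bot: The new `if (bind_conf->default_ctx)` block at the top of the first hunk has no comment saying why the default context needs its own call; the reason is only in the commit message, which says a certificate without a CommonName is not picked up by the existing loops over `sni_ctx` and `sni_w_ctx`. A comment above it, e.g. `/* default_ctx may be absent from both SNI trees (nameless certificate); prepare it explicitly so the bind options apply */`, would keep a later refactor from folding the call back into the loops. The description's "no security impact" rests on such certificates being invalid, yet the reported symptom is `no-sslv3` not taking effect, so it is worth confirming after the update that a bind line whose first certificate has no CommonName refuses the disabled protocol. The body of ssl_sock_prepare_all_ctx starts before and continues past this hunk.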
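Review bot: In the `sni_w_ctx` loop the two-line comment now sits between the unbraced `if (!sni->order && sni->ctx != bind_conf->default_ctx)` and the `err += ssl_sock_prepare_ctx(...)` statement it guards, and the `sni_ctx` loop in the previous hunk has the same shape. With that layout a later edit can add a line that silently falls outside the condition; moving the comment above the `if` and bracing the body, `if (!sni->order && sni->ctx != bind_conf->default_ctx) {` … `}`, removes the ambiguity without changing behaviour. Both loops belong to ssl_sock_prepare_all_ctx, whose body extends outside the hunk.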