On 28/07/2017 at 14:28, Emmanuel Hocdet wrote:
. fix generate_certificates issue
perhaps it's simpler to do:
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c71c2e3..311d465 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1587,7 +1587,7 @@ssl_sock_do_create_cert(const char *servername,
struct bind_conf *bind_conf, SSL
int key_type;
/* Get the private key of the defautl certificate and use it */
- if (!(pkey = SSL_get_privatekey(ssl)))
+if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))
goto mkcert_error;
/* Create the certificate */
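Review bot: the added line `if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))` drops the parentheses that the removed line had, so it parses as `(!pkey) = ...`, which is not an assignable expression and will not compile; it should read `if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))`. Two further points for the same line: `SSL_CTX_get0_privatekey` returns a borrowed pointer (no `EVP_PKEY_free` by the caller) and only exists in OpenSSL 1.0.2 and later, so this needs a version guard or a fallback for older libraries; and since the function no longer reads the key from `ssl`, `bind_conf->default_ctx` must be guaranteed non-NULL on this path, which matches the remark that `default_ctx` should be required whenever `generate_certs` is set.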
. for the patch "allow haproxy to start without default certificate"
default_ctx could be required when bind_conf.generate_certs is set.
SSL_CTX_get0_privatekey is only available in openssl >= 1.0.2. So for
previous versions, you need to create an SSL object with the default
certificate and then extract the private key:
@@ -1637,7 +1639,17 @@ ssl_sock_do_create_cert(const char *servername,
struct bind_conf *bind_conf, SSL
int key_type;
/* Get the private key of the defautl certificate and use it */
- if (!(pkey = SSL_get_privatekey(ssl)))
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined
LIBRESSL_VERSION_NUMBER)
+ pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
+#else
+ SSL *tmp_ssl = SSL_new(bind_conf->default_ctx);
+
+ if (tmp_ssl) {
+ pkey = SSL_get_privatekey(tmp_ssl);
+ SSL_free(tmp_ssl);
+ }
+#endif
+ if (!pkey)
goto mkcert_error;
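Review bot: in the `#else` branch, `pkey` is only assigned when `SSL_new` succeeds, and the hunk does not show `pkey` being initialised, so the following `if (!pkey)` reads an unassigned variable when `SSL_new` fails; either initialise `pkey = NULL` before the `#if` or set it to NULL in an `else` of `if (tmp_ssl)`. The branch also uses `pkey` after `SSL_free(tmp_ssl)`, which is only safe because the key is still referenced by `bind_conf->default_ctx`; a comment stating that `pkey` is borrowed from `default_ctx` in both branches and must not be freed here would make that explicit. Finally, the `#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined` line is broken across two lines in the mail, so anyone applying this from the list archive should rejoin it before building.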
This is the workaround I mentioned in my previous mail. That's
acceptable, but my question remains. Is the initial certificate still
needed?
Even if we allow haproxy to be started without a default certificate, we
can probably remove initial_ctx. It's just that I want to be sure not to
have missed something :)
--
Christopher Faulet