> On 28 Jul 2017 at 15:37, Christopher Faulet <cfau...@haproxy.com> wrote:
> 
> On 28/07/2017 at 14:28, Emmanuel Hocdet wrote:
>> . fix generate_certificates issue
>> perhaps it's simpler to do:
>> *diff --git a/src/ssl_sock.c b/src/ssl_sock.c*
>> *index c71c2e3..311d465 100644*
>> *--- a/src/ssl_sock.c*
>> *+++ b/src/ssl_sock.c*
>> @@ -1587,7 +1587,7 @@ssl_sock_do_create_cert(const char *servername, struct 
>> bind_conf *bind_conf, SSL
>>         int           key_type;
>>         /* Get the private key of the defautl certificate and use it */
>> -       if (!(pkey = SSL_get_privatekey(ssl)))
>> +if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))
>>                 goto mkcert_error;
>>         /* Create the certificate */
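Review bot: the replacement line `+if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))` drops the parentheses around the assignment; `!pkey = ...` applies `!` to `pkey` first and then tries to assign to that result, which is not valid C and will not compile. It should read `if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))`, and the line also lost the indentation of the `-` line it replaces. Independently of the syntax, SSL_CTX_get0_privatekey() only exists from OpenSSL 1.0.2 on, so this call needs a fallback (or a compat definition) for older versions.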
>> . for the patch "allow haproxy to start without default certificate"
>> default_ctx could be required when bind_conf.generate_certs is set.
> SSL_CTX_get0_privatekey is only available in openssl >= 1.0.2. So for 
> previous versions, you need to create a SSL object with the default 
> certificate and then extract the private key:
> 
> @@ -1637,7 +1639,17 @@ ssl_sock_do_create_cert(const char *servername, struct 
> bind_conf *bind_conf, SSL
>        int           key_type;
> 
>        /* Get the private key of the defautl certificate and use it */
> -       if (!(pkey = SSL_get_privatekey(ssl)))
> +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined 
> LIBRESSL_VERSION_NUMBER)
> +       pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
> +#else
> +        SSL *tmp_ssl = SSL_new(bind_conf->default_ctx);
> +
> +        if (tmp_ssl) {
> +               pkey = SSL_get_privatekey(tmp_ssl);
> +               SSL_free(tmp_ssl);
> +       }
> +#endif
> +       if (!pkey)
>                goto mkcert_error;
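Review bot: in the #else branch, pkey is used (the `if (!pkey)` test and everything after it) after SSL_free(tmp_ssl) has already destroyed the SSL object it was obtained from; SSL_get_privatekey() returns an internal pointer owned by that object, so the key's lifetime is no longer guaranteed once tmp_ssl is gone. Either keep tmp_ssl alive until the certificate has been created (freeing it on the mkcert_error path as well) or take an explicit reference on pkey before calling SSL_free(). The #else block also mixes spaces and tabs for indentation where the surrounding code uses tabs.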
> 

Okay, compat…
SSL_free should not be called until pkey is dup'ed. For SSL_get_privatekey:
"These functions retrieve certificate and key data from an SSL object. They 
return internal pointers that must not be freed by the application program."

Perhaps add the declaration in openssl-compat.h:

/* Backport of SSL_CTX_get0_privatekey() for OpenSSL < 1.0.2, reading the
 * internal CERT structure the way the OpenSSL 1.0.2 implementation does. */
#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
static inline EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
{
	if (ctx->cert != NULL)
		return ctx->cert->key->privatekey;
	else
		return NULL;
}
#endif

> 
> This is the workaround I mentioned in my previous mail. That's acceptable, 
> but my question remains. Is the initial certificate still needed?
> 
> Even if we allow haproxy to be started without a default certificate, we can 
> probably remove initial_ctx. It's just that I want to be sure not to have missed 
> something :)
> 
> 
initial_ctx is still needed; removing it could be painful.
The case is SSL params per certificate. Take a bind line with only a crt-list.
crtlist:
a.pem [ alpn h2,http/1.1]
b.pem

default_ctx is set with the first parsed certificate (and its configuration),
so b.pem will inherit the "alpn" configuration from a.pem.
To fix that:
1) clean all SSL configuration inherited from default_ctx (does not work in all 
cases; much time spent testing with OpenSSL versions)
2) change the definition of default_ctx: first parsed certificate without its 
configuration (only the bind configuration)
   I don't want to do that; this is an unexpected behavior
3) force usage of one crt on the bind line to set the default cert (and before 
crt-list)
   It breaks old configurations (and I don't want a default cert)
Other? I tried, failed, and fixed it by introducing initial_ctx to normalise the behavior 
in a clean manner.

++
Manu

