> On 28 Jul 2017 at 15:37, Christopher Faulet <cfau...@haproxy.com> wrote:
>
> On 28/07/2017 at 14:28, Emmanuel Hocdet wrote:
>> . fix generate_certificates issue
>> perhaps it's simpler to do:
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index c71c2e3..311d465 100644
>> --- a/src/ssl_sock.c
>> +++ b/src/ssl_sock.c
>> @@ -1587,7 +1587,7 @@ssl_sock_do_create_cert(const char *servername, struct
>> bind_conf *bind_conf, SSL
>> int key_type;
>> /* Get the private key of the defautl certificate and use it */
>> - if (!(pkey = SSL_get_privatekey(ssl)))
>> +if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))
>> goto mkcert_error;
>> /* Create the certificate */
>> . for the patch "allow haproxy to start without default certificate"
>> default_ctx could be required when bind_conf.generate_certs is set.
> SSL_CTX_get0_privatekey is only available in openssl >= 1.0.2. So for
> previous versions, you need to create a SSL object with the default
> certificate and then extract the private key:
>
> @@ -1637,7 +1639,17 @@ ssl_sock_do_create_cert(const char *servername, struct
> bind_conf *bind_conf, SSL
> int key_type;
>
> /* Get the private key of the defautl certificate and use it */
> - if (!(pkey = SSL_get_privatekey(ssl)))
> +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined
> LIBRESSL_VERSION_NUMBER)
> + pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx);
> +#else
> + SSL *tmp_ssl = SSL_new(bind_conf->default_ctx);
> +
> + if (tmp_ssl) {
> + pkey = SSL_get_privatekey(tmp_ssl);
> + SSL_free(tmp_ssl);
> + }
> +#endif
> + if (!pkey)
> goto mkcert_error;
>
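Review bot: in the first hunk (the one at `@@ -1587,7 +1587,7 @@`), the added line `+if (!pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx))` drops the inner parentheses that the removed line had; as written it parses as `(!pkey) = ...`, an assignment to a non-lvalue, and will not compile. It should read `if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))`. As the reply points out, SSL_CTX_get0_privatekey only exists from OpenSSL 1.0.2 on, so this line also needs a version guard or a compat shim, and the unchanged comment line still carries the "defautl" typo.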
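Review bot: in the second hunk (the one at `@@ -1637,7 +1639,17 @@`), the `#else` branch calls `SSL_free(tmp_ssl)` immediately after `pkey = SSL_get_privatekey(tmp_ssl)`, yet pkey is still used by the code that follows the `if (!pkey)` check; SSL_get_privatekey returns an internal pointer owned by the SSL object (the documentation quoted in the reply says so), so either keep tmp_ssl alive until the generated certificate has been signed, or take a reference on the key before freeing. The two branches also behave differently when bind_conf->default_ctx is NULL: SSL_new(NULL) returns NULL and falls through to the `if (!pkey)` check, whereas SSL_CTX_get0_privatekey(NULL) dereferences its argument, so default_ctx must be guaranteed to be set whenever generate_certs is enabled, as suggested earlier in the thread.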
okay, compat… SSL_free should not be called until pkey is duplicated. For SSL_get_privatekey: "These functions retrieve certificate and key data from an SSL object. They return internal pointers that must not be freed by the application program."

Perhaps add the declaration in openssl-compat.h:

EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
{
    if (ctx->cert != NULL)
        return ctx->cert->key->privatekey;
    else
        return NULL;
}

>
> This is the workaround I mentioned in my previous mail. That's acceptable,
> but my question remains. Is the initial certificate still needed?
>
> Even if we allow haproxy to be started without a default certificate, we can
> probably remove initial_ctx. It's just that I want to be sure I haven't missed
> something :)
>

initial_ctx is still needed; removing it could be painful.
The case is ssl params per certificate.
Take one bind line with only crt-list.
crtlist:
a.pem [ alpn h2,http/1.1]
b.pem
default_ctx is set with the first parsed certificate (and its configuration).
b.pem will inherit the "alpn" configuration from a.pem.

To fix that:
1) clean all ssl configuration inherited from default_ctx (does not work in all cases, much time spent testing with openssl versions)
2) change the definition of default_ctx: first parsed certificate without its configuration (only the bind configuration)
   I don't want to do that, this is an unexpected behavior
3) force usage of one crt in the bind line to set the default cert (and before crt-list)
   It breaks old configurations. (and I don't want a default cert)
other?
I tried, failed and fixed it by introducing initial_ctx to normalise the behavior in a clean manner.

++
Manu