On 9 August 2017 at 11:13, Willy Tarreau <w...@1wt.eu> wrote:
On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:
On 9 August 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote:
Hi Manu,
On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
Hi Willy, Emeric, Christopher
The new patch is much simpler:
From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <m...@gandi.net>
Date: Sun, 30 Jul 2017 18:29:04 +0200
Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With strict-sni, the ssl connection will fail if no certificate matches. With no certificate in the bind line, all ssl connections fail. It's ok with the behavior of strict-sni. When 'generate-certificates' is set, 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow starting without a certificate only in this case.

The use case is to start haproxy with ssl before customers start to use certificates. Typically with 'crt' on an empty directory and the 'strict-sni' parameter.
---
 src/ssl_sock.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index d81dd70..041cba6 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf) return 0; } if (!bind_conf->default_ctx) { - Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n", - px->id, bind_conf->arg, bind_conf->file, bind_conf->line); - return -1; + if (bind_conf->strict_sni && !bind_conf->generate_certs) { + Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n", + px->id, bind_conf->arg, bind_conf->file, bind_conf->line); + } + else { + Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n", + px->id, bind_conf->arg, bind_conf->file, bind_conf->line); + return -1; + } }
alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
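Review bot: the Warning in the new `strict_sni && !generate_certs` branch repeats the Alert text verbatim, including "(use 'crt')", so it does not tell the operator what the consequence of continuing is: with no default_ctx every SSL handshake on this bind will fail until a certificate matching the SNI is loaded. Suggest stating that impact in the message, e.g. `Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d]; all SSL connections will fail until a certificate is added.\n", ...)`, since the two messages are otherwise identical and only the severity differs. Also, this is the first path on which ssl_sock_prepare_bind_conf() proceeds with `bind_conf->default_ctx == NULL`; the visible context does not show the code that follows `shared_context_init`, so please confirm that no later step in this function (or in the handshake path that falls back to the default context) dereferences default_ctx without a NULL check.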
Quick question, what happens when we start in this case and only the warning is emitted? Will all SSL connections simply fail? The impact should be presented in the warning so that the user knows if he needs to act on it or not. This aside, yes I think it should do the trick.
Yes, connections simply fail, as is already the case with a fake 'default' cert and strict-sni.
Thanks. Then can you please update the message in the warning accordingly?
Yep: