On 9 August 2017 at 11:13, Willy Tarreau <w...@1wt.eu> wrote:

On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:

On 9 August 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote:

Hi Manu,

On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
Hi Willy, Emeric, Christopher

The new patch is much simpler: 

From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <m...@gandi.net>
Date: Sun, 30 Jul 2017 18:29:04 +0200
Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni
is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With strict-sni, the ssl connection will fail if no certificate matches. Having no
certificate in the bind line fails all ssl connections. It's ok with the
behavior of strict-sni. When 'generate-certificates' is set, 'strict-sni' is
never used. When 'strict-sni' is set, default_ctx is never used. Allow starting
without a certificate only in this case.

The use case is to start haproxy with ssl before customers start to use certificates.
Typically with 'crt' on an empty directory and the 'strict-sni' parameter.
---
src/ssl_sock.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d81dd70..041cba6 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
return 0;
}
if (!bind_conf->default_ctx) {
- Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
-       px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
- return -1;
+ if (bind_conf->strict_sni && !bind_conf->generate_certs) {
+ Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
+ px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ }
+ else {
+ Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
+       px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ return -1;
+ }
}

alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
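Review bot: the new Warning() branch reuses the Alert text verbatim, so it does not tell the operator the consequence of continuing: with default_ctx left NULL, every SSL handshake on this bind will be rejected until a certificate matching the SNI is loaded. Suggest stating that in the message, e.g. `Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], all SSL connections will fail until a certificate is loaded (use 'crt').\n", ...)`. Since this is the first time ssl_sock_prepare_bind_conf() proceeds past this point with a NULL default_ctx, it is also worth confirming that nothing later in the function, or in the SNI lookup's no-match path, dereferences default_ctx when strict_sni is set; the commit message asserts it is never used in that case, but the hunk itself does not show it.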

Quick question: what happens when we start in this case and only the
warning is emitted? Will all SSL connections simply fail? The impact
should be presented in the warning so that the user knows if he needs
to act on it or not. This aside, yes, I think it should do the trick.


Yes, connections simply fail, as is already the case with a fake 'default' cert and strict-sni.

Thanks. Then can you please update the message in the warning accordingly?

Yep:

Attachment: 0001-MINOR-ssl-allow-to-start-without-certificate-if-stri.patch


Manu
