Hi, while preparing to use multi-keytype bundles for my company's domains, I found the following two issues:
1.) When loading bundles with the .rsa and/or .ecdsa extension fails, haproxy neither exits nor prints alerts. This behavior differs from failing while loading normal bundles. I think this is because of a missing "cfgerr +=" in method ssl_sock_load_cert() on line 3478 of file src/ssl_sock.c (version 1.8.13).

Proposed patch, line 3478: replace

    ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);

with

    cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);

2.) When using the global option 'ssl-dh-param-file' in haproxy.cfg, it is possible that openssl fails to load a chain. These kinds of errors do not occur when using a dh-params block in the bundle file instead of the global option in haproxy.cfg. In src/ssl_sock.c the function ssl_sock_load_crt_file_into_ckch() is called while loading the bundles. The while loop on line 2847 (version 1.8.13) fails to load the bundle because openssl fails with: "error:0200100E:system library:fopen:Bad address" (this would be the openssl error message at this stage, if haproxy converted the return value to a string with ERR_error_string).

As a workaround I will disable ssl-dh-param-file and add them to each bundle in a dh-params block.

I am using:
    Haproxy version: 1.8.12/1.8.13 (from ppa:vbernat/haproxy-1.8)
    OS: Ubuntu 18.04
    OpenSSL: 1.1.0h

Example haproxy.cfg (bare minimum to get the ssl errors):

    global
        ssl-dh-param-file /haproxy-path/dh-params-2048.pem
        tune.ssl.default-dh-param 2048 # not essential for error reproduction

    frontend https_in
        bind 0.0.0.0:443 ssl crt /haproxy-path/bundles/
        timeout client 1m

To set up an environment to reproduce the error, I included the bash script 'make_bundles.sh' (see attachment), which creates a dh-params-2048.pem file and a directory named 'cert' containing 20 copies of a bundle. If you then start haproxy with these configs, it will fail (after applying the patch regarding the first point -- ssl_sock_load_multi_cert).

cheers,
Michael
Attachment: make-bundles.sh (application/shellscript)
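The attached make_bundles.sh is not reproduced in the archive. The script below is an added example, written for this page and not Michael's attachment or haproxy project code, that builds an equivalent reproduction environment: a dh-params file, a directory of multi-keytype bundles (name.pem.rsa / name.pem.ecdsa pairs, which haproxy 1.8 loads through the same ssl_sock_load_multi_cert() path the report patches), and the minimal haproxy.cfg from the report, then runs haproxy's config check. It goes one step beyond the report in that it can place the DH parameters either in the global ssl-dh-param-file option or appended to each bundle, so the two setups Michael compares can be checked side by side. The bundle-N file names, the CN, the working directory, the use of -dsaparam to keep DH generation fast, and the 20-copy count are assumptions; the exit status of "haproxy -c" is what the first point of the report says stays at zero for broken .rsa/.ecdsa bundles, so that is the value worth watching.

```shell
#!/bin/sh
# Added example (not the make_bundles.sh attachment from the report).
# Builds dh-params-2048.pem, a bundles/ directory of .rsa/.ecdsa pairs and a
# minimal haproxy.cfg, then runs "haproxy -c -f" on it. Needs openssl and
# haproxy on PATH; the file names and CN below are arbitrary assumptions.
set -eu

# write_cfg DIR MODE: write DIR/haproxy.cfg and print its path.
# MODE=global puts the DH params in the global ssl-dh-param-file option
# (the report's failing setup); MODE=bundle omits it so the params appended
# to each bundle by make_bundles are used instead (the report's workaround).
write_cfg() {
    dir=$1; mode=$2
    {
        echo "global"
        if [ "$mode" = global ]; then
            echo "    ssl-dh-param-file $dir/dh-params-2048.pem"
        fi
        echo "    tune.ssl.default-dh-param 2048"
        echo ""
        echo "frontend https_in"
        echo "    bind 0.0.0.0:443 ssl crt $dir/bundles/"
        echo "    timeout client 1m"
    } > "$dir/haproxy.cfg"
    echo "$dir/haproxy.cfg"
}

# make_bundles DIR COUNT MODE: create DIR/dh-params-2048.pem plus COUNT copies
# of a self-signed RSA and ECDSA bundle (cert followed by key) in DIR/bundles/.
# With MODE=bundle the DH params are appended to every .rsa/.ecdsa file.
make_bundles() {
    dir=$1; count=$2; mode=$3
    mkdir -p "$dir/bundles"
    # -dsaparam makes generation fast; fine for a reproduction, not production
    openssl dhparam -dsaparam -out "$dir/dh-params-2048.pem" 2048 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bundle.example" \
        -keyout "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ec.key"
    openssl req -x509 -new -key "$dir/ec.key" -days 1 -subj "/CN=bundle.example" \
        -out "$dir/ec.crt" 2>/dev/null
    i=1
    while [ "$i" -le "$count" ]; do
        cat "$dir/rsa.crt" "$dir/rsa.key" > "$dir/bundles/bundle-$i.pem.rsa"
        cat "$dir/ec.crt" "$dir/ec.key" > "$dir/bundles/bundle-$i.pem.ecdsa"
        if [ "$mode" = bundle ]; then
            cat "$dir/dh-params-2048.pem" >> "$dir/bundles/bundle-$i.pem.rsa"
            cat "$dir/dh-params-2048.pem" >> "$dir/bundles/bundle-$i.pem.ecdsa"
        fi
        i=$((i + 1))
    done
}

# check_cfg CFG: haproxy's config check; its exit status is returned as-is.
# Any alert haproxy prints while loading the bundles goes to stderr.
check_cfg() {
    haproxy -c -f "$1"
}

main() {
    if ! command -v openssl >/dev/null 2>&1 || ! command -v haproxy >/dev/null 2>&1; then
        echo "openssl and haproxy are required to build and check the bundles" >&2
        return 0
    fi
    dir=${1:-$(mktemp -d)}
    for mode in global bundle; do
        rm -rf "$dir/bundles"
        make_bundles "$dir" 20 "$mode"
        cfg=$(write_cfg "$dir" "$mode")
        if check_cfg "$cfg"; then
            echo "$mode: haproxy -c accepted $cfg"
        else
            echo "$mode: haproxy -c rejected $cfg"
        fi
    done
}

main "${1:-}"
```

Run it as "sh make-bundles-example.sh /some/workdir" and compare the two passes: with the report's first patch applied, a bundle that fails to load in the "global" pass should make haproxy -c exit non-zero and print an alert, while the "bundle" pass (DH params inside each .rsa/.ecdsa file) is the workaround the report describes.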