From 1b6fa7f5ea22e6d1598c037b2c14d7f186f9c515 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Tue, 26 Jul 2022 19:03:51 +0200
Subject: [PATCH] MINOR: peers: Add a warning about incompatible SSL config for the local peer

In peers section, it is possible to enable SSL for the local peer. In this case, the bind line and the server line should both be configured. A "default-server" directive may also be used to configure the SSL on the server side. However there is no test to be sure the SSL is enabled on both sides. It is an problem because the local resync performed during a reload will be impossible and it is probably not the expected behavior. So, it is now checked during the configuration validation. A warning message is displayed if the SSL is not properly configured for the local peer. This patch is related to issue #1799. It should probably be backported to 2.6.

---
 src/cfgparse.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 0edfad095..1a8926fd1 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4097,6 +4097,17 @@ int check_config_validity()
 l = &curpeers->peers_fe->conf.bind;
 bind_conf = LIST_ELEM(l->n, typeof(bind_conf), by_fe);
+ if (curpeers->local->srv) {
+ if (curpeers->local->srv->use_ssl == 1 && !(bind_conf->options & BC_O_USE_SSL)) {
+ ha_warning("Peers section '%s': local peer have a non-SSL listener and a SSL server configured at line %s:%d.\n",
+ curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
+ }
+ else if (curpeers->local->srv->use_ssl != 1 && (bind_conf->options & BC_O_USE_SSL)) {
+ ha_warning("Peers section '%s': local peer have a SSL listener and a non-SSL server configured at line %s:%d.\n",
+ curpeers->peers_fe->id, curpeers->local->conf.file, curpeers->local->conf.line);
+ }
+ }
+
 err = NULL;
 if (thread_resolve_group_mask(bind_conf->bind_tgroup, bind_conf->bind_thread, &bind_conf->bind_tgroup, &bind_conf->bind_thread, &err) < 0) {
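Review bot: Neither of the two `ha_warning()` calls added after the `bind_conf` lookup is followed by `err_code |= ERR_WARN;`, so if, as is the convention elsewhere in this validation function, that flag is what lets a zero-warning mode reject the configuration, this SSL mismatch — which the commit message says makes the reload-time local resync impossible — would not be caught there; if that convention holds here, add `err_code |= ERR_WARN;` after each call. The message grammar is also off in both strings: `local peer has a non-SSL listener and an SSL server configured` (and the symmetric form for the second message) reads better and is what operators will grep for. A one-line comment above the new block would help future readers, e.g. `/* SSL must be enabled on both the bind and the server line of the local peer, otherwise the local resync performed on reload cannot connect. */`. The hunk dereferences `curpeers->local` without a NULL check; that is presumably guaranteed by the enclosing code, which starts before this hunk, as does check_config_validity() itself.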