mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-01-19 00:51:37 +01:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: first outgoing connection would fail with {ca,crt}-ignore-err

Browse Source 
When using ca_ignore_err/crt_ignore_err, a connection to an untrusted
server raises an error which is ignored. But the next SSL_read() that
encounters EAGAIN raises the error again, breaking the connection.

Subsequent connections don't have this problem because the session has
been stored and is correctly reused without performing a verify again.

The solution consists in correctly flushing the SSL error stack when
ignoring the crt/ca error.
This commit is contained in:
Emeric Brun 2012-12-03 13:24:29 +01:00 committed by Willy Tarreau
parent 78617e51fd
commit 1eb20efe70
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl_sock.c
View File

@ -127,8 +127,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
conn->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
}
if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err))
if (objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
ERR_clear_error();
return 1;
}
conn->err_code = CO_ER_SSL_CA_FAIL;
return 0;
@ -138,8 +140,10 @@ int ssl_sock_verifycbk(int ok, X509_STORE_CTX *x_store)
conn->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
/* check if certificate error needs to be ignored */
if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err))
if (objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
ERR_clear_error();
return 1;
}
conn->err_code = CO_ER_SSL_CRT_FAIL;
return 0;