mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: fix verify/ca-file per certificate

Browse Source 
SSL verify and client_CA inherits from the initial ctx (default_ctx).
When a certificate is found, the SSL connection environment must be replaced by
the certificate configuration (via SSL_set_verify and SSL_set_client_CA_list).
This commit is contained in:
Emmanuel Hocdet 2017-03-01 18:54:56 +01:00 committed by Willy Tarreau
parent 0594211987
commit 530141f747
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/ssl_sock.c
View File

@ -1435,6 +1435,13 @@ ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_con
}
#endif /* !defined SSL_NO_GENERATE_CERTIFICATES */
static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
{
SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ssl_sock_bind_verifycbk);
SSL_set_client_CA_list(ssl, SSL_dup_CA_list(SSL_CTX_get_client_CA_list(ctx)));
SSL_set_SSL_CTX(ssl, ctx);
}
#ifdef OPENSSL_IS_BORINGSSL
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
@ -1613,7 +1620,7 @@ static int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx)
if (node) {
/* switch ctx */
SSL_set_SSL_CTX(ctx->ssl, container_of(node, struct sni_ctx, name)->ctx);
ssl_sock_switchctx_set(ctx->ssl, container_of(node, struct sni_ctx, name)->ctx);
return 1;
}
if (!s->strict_sni)
@ -1704,7 +1711,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
}
/* switch ctx */
SSL_set_SSL_CTX(ssl, container_of(node, struct sni_ctx, name)->ctx);
ssl_sock_switchctx_set(ssl, container_of(node, struct sni_ctx, name)->ctx);
return SSL_TLSEXT_ERR_OK;
}
#endif /* (!) OPENSSL_IS_BORINGSSL */