mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-25 07:41:36 +02:00
MINOR: ssl: allow to start without certificate if strict-sni is set
With strict-sni, ssl connection will fail if no certificate match. Have no certificate in bind line, fail on all ssl connections. It's ok with the behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow to start without certificate only in this case. Use case is to start haproxy with ssl before customer start to use certificates. Typically with 'crt' on a empty directory and 'strict-sni' parameters.
This commit is contained in:
Emmanuel Hocdet
Willy Tarreau
parent
3169471964
commit
aa0d637292
@ -4283,10 +4283,16 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if (!bind_conf->default_ctx) {
|
if (!bind_conf->default_ctx) {
|
||||||
|
if (bind_conf->strict_sni && !bind_conf->generate_certs) {
|
||||||
|
Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
|
||||||
|
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
||||||
|
}
|
||||||
|
else {
|
||||||
Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
|
Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
|
||||||
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
|
alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
|
||||||
if (alloc_ctx < 0) {
|
if (alloc_ctx < 0) {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user