From c5fdf0f3dcf91435c943742eaf338167e761dede Mon Sep 17 00:00:00 2001 From: Emmanuel Hocdet Date: Mon, 4 Nov 2019 15:49:46 +0100 Subject: [PATCH] BUG/MINOR: ssl: fix crt-list neg filter for openssl < 1.1.1 Certificate selection in client_hello_cb (openssl >= 1.1.1) correctly handles crt-list neg filter. Certificate selection for openssl < 1.1.1 has not been touched for a while: crt-list neg filter is not the same than his counterpart and is wrong. Fix it to mimic the same behavior has is counterpart. It should be backported as far as 1.6. --- src/ssl_sock.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 0ad514772..3546c3b83 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2451,11 +2451,10 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv) trash.area[i] = 0; HA_RWLOCK_RDLOCK(SNI_LOCK, &s->sni_lock); + node = NULL; /* lookup in full qualified names */ - node = ebst_lookup(&s->sni_ctx, trash.area); - - /* lookup a not neg filter */ - for (n = node; n; n = ebmb_next_dup(n)) { + for (n = ebst_lookup(&s->sni_ctx, trash.area); n; n = ebmb_next_dup(n)) { + /* lookup a not neg filter */ if (!container_of(n, struct sni_ctx, name)->neg) { node = n; break; @@ -2463,9 +2462,15 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv) } if (!node && wildp) { /* lookup in wildcards names */ - node = ebst_lookup(&s->sni_w_ctx, wildp); + for (n = ebst_lookup(&s->sni_w_ctx, wildp); n; n = ebmb_next_dup(n)) { + /* lookup a not neg filter */ + if (!container_of(n, struct sni_ctx, name)->neg) { + node = n; + break; + } + } } - if (!node || container_of(node, struct sni_ctx, name)->neg) { + if (!node) { #if (!defined SSL_NO_GENERATE_CERTIFICATES) if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) { /* switch ctx done in ssl_sock_generate_certificate */