haproxy/include/proto
Willy Tarreau 2ab88675ec MINOR: ssl: compare server certificate names to the SNI on outgoing connections
When support for passing SNI to the server was added in 1.6-dev3, there
was no way to validate that the certificate presented by the server would
really match the name requested in the SNI, which is quite a problem as
it allows other (valid) certificates to be presented instead (when hitting
the wrong server or due to a man in the middle).

This patch adds the missing check against the value passed in the SNI.
The "verifyhost" value keeps precedence if set. If no SNI is used and
no verifyhost directive is specified, then the certificate name is not
checked (this is unchanged).

In order to extract the SNI value, it was necessary to make use of
SSL_SESSION_get0_hostname(), which appeared in openssl 1.1.0. This is
a trivial function which returns the value of s->tlsext_hostname, so
it was provided in the compat layer for older versions. After some
refinements from Emmanuel, it now builds with openssl 1.0.2, openssl
1.1.0 and boringssl. A test file was provided to ease testing all cases.

After a careful observation period it may make sense to backport
this to 1.7 and 1.6 as some users rightfully consider this limitation
as a bug.

Cc: Emmanuel Hocdet <manu@gandi.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-07-06 15:15:28 +02:00
acl.h MAJOR: sample: pass a pointer to the session to each sample fetch function 2015-04-06 11:37:25 +02:00
action.h MINOR: http/tcp: fill the available actions 2015-10-02 22:56:11 +02:00
applet.h MAJOR: applet: applet scheduler rework. 2017-06-27 14:38:02 +02:00
arg.h MINOR: sample: Moves ARGS underlying type from 32 to 64 bits. 2016-03-15 22:11:52 +01:00
auth.h MEDIUM: pattern: The match function browse itself the list or the tree. 2014-03-17 18:06:07 +01:00
backend.h MINOR: backends: Change get_server_sh/get_server_uh into private function 2017-06-27 14:38:02 +02:00
channel.h CLEANUP: http: Remove channel_congested function 2017-03-31 14:38:08 +02:00
checks.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
cli.h MINOR: cli: create new function cli_has_level() to validate permissions 2016-11-24 16:59:27 +01:00
compression.h REORG: filters: Prepare creation of the HTTP compression filter 2016-02-09 14:53:15 +01:00
connection.h MINOR: connection: add a .get_alpn() method to xprt_ops 2017-06-27 14:38:02 +02:00
dns.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
fd.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
filters.h CLEANUP: filters: use the function registration to initialize all proxies 2016-12-21 21:30:54 +01:00
flt_http_comp.h MAJOR: filters/http: Rewrite the HTTP compression as a filter 2016-02-09 14:53:15 +01:00
freq_ctr.h BUG/MINOR: freq-ctr: make swrate_add() support larger values 2016-11-25 11:55:10 +01:00
frontend.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
hdr_idx.h OPTIM/MINOR: move the hdr_idx pools out of the proxy struct 2011-10-24 18:15:04 +02:00
hlua_fcn.h MINOR: lua: add utility function for check boolean argument 2016-11-24 21:35:10 +01:00
hlua.h BUILD/MINOR: lua: ensure that hlua_ctx_destroy is properly defined 2015-06-17 20:18:54 +02:00
lb_chash.h [MEDIUM] backend: implement consistent hashing variation 2009-10-09 07:17:58 +02:00
lb_fas.h MEDIUM: backend: add the 'first' balancing algorithm 2012-02-21 22:27:27 +01:00
lb_fwlc.h [CLEANUP] backend: move LB algos to individual files 2009-10-01 11:19:37 +02:00
lb_fwrr.h [CLEANUP] backend: move LB algos to individual files 2009-10-01 11:19:37 +02:00
lb_map.h [MINOR] lb_map: reorder code in order to ease integration of new hash functions 2009-10-01 21:11:15 +02:00
listener.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
log.h MEDIUM: log-format: Use standard HAProxy log system to report errors 2016-11-25 07:32:58 +01:00
map.h MINOR: samples: rename some struct member from "smp" to "data" 2015-08-20 17:13:46 +02:00
obj_type.h CLEANUP: applet: rename struct si_applet to applet 2015-04-23 17:56:16 +02:00
openssl-compat.h MINOR: ssl: compare server certificate names to the SNI on outgoing connections 2017-07-06 15:15:28 +02:00
pattern.h BUG/MEDIUM: map/acl: fix unwanted flags inheritance. 2017-07-04 10:45:53 +02:00
payload.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
peers.h MAJOR: peers: peers protocol version 2.0 2015-05-29 15:50:33 +02:00
pipe.h [MEDIUM] introduce pipe pools 2009-01-25 13:49:53 +01:00
port_range.h [MEDIUM] add support for binding to source port ranges during connect 2009-06-10 12:23:32 +02:00
proto_http.h DOC: update RFC references 2017-04-28 18:58:11 +02:00
proto_tcp.h REORG: tcp-rules: move tcp rules processing to their own file 2016-11-25 15:57:38 +01:00
proto_udp.h CLEANUP: fix inconsistency between fd->iocb, proto->accept and accept() 2016-04-14 11:18:22 +02:00
proto_uxst.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
protocol.h MEDIUM: protocol: use a family array to index the protocol handlers 2015-02-28 23:12:31 +01:00
proxy.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
queue.h MINOR: queue: Change pendconn_from_srv/pendconn_from_px into private functions 2017-06-27 14:38:02 +02:00
raw_sock.h CLEANUP: connection: unexport raw_sock and ssl_sock 2016-12-22 23:26:38 +01:00
sample.h REORG: sample: move code to release a sample expression in sample.c 2016-11-09 22:57:00 +01:00
server.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
session.h MINOR: session: introduce session_new() 2015-04-06 11:37:33 +02:00
shctx.h BUG/MAJOR: ssl: Fallback to private session cache if current lock mode is not supported. 2014-05-08 22:46:32 +02:00
signal.h CLEANUP: includes: fix includes for a number of users of fd.h 2012-09-03 20:49:14 +02:00
spoe.h REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to common 2017-04-27 11:50:41 +02:00
ssl_sock.h MEDIUM: ssl: add basic support for OpenSSL crypto engine 2017-05-27 07:05:00 +02:00
stats.h BUG/MINOR: stats: make field_str() return an empty string on NULL 2016-11-26 15:58:37 +01:00
stick_table.h REORG: stkctr: move all the stick counters processing to stick-tables.c 2016-11-25 16:10:05 +01:00
stream_interface.h CLEANUP: connection: completely remove CO_FL_WAKE_DATA 2017-03-19 12:18:27 +01:00
stream.h BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue 2017-06-27 14:37:52 +02:00
task.h MAJOR: task: task scheduler rework. 2017-06-27 14:38:02 +02:00
tcp_rules.h REORG: tcp-rules: move tcp rules processing to their own file 2016-11-25 15:57:38 +01:00
template.h [CLEANUP] included common/version.h everywhere 2006-06-29 18:54:54 +02:00
vars.h MINOR: vars: Add 'unset-var' action/converter 2016-11-09 22:57:01 +01:00