mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-20 13:21:29 +02:00
842f32f3f1
When an SNI is set on a QUIC server line, ssl_sock_set_servername() is called from connect_server() (backend.c). This leads some BUG_ON() to be triggered because the CO_FL_WAIT_L6_CONN | CO_FL_SSL_WAIT_HS were not set. This must be done into the ->init() xprt callback. This patch move the flags settings from ->start() to ->init() callback. Indeed, connect_server() calls these functions in this order: ->init(), ssl_sock_set_servername() # => crash if CO_FL_WAIT_L6_CONN | CO_FL_SSL_WAIT_HS not set ->start() Furthermore ssl_sock_set_servername() has a side effect to reset the SSL_SESSION object (attached to SSL object) calling SSL_set_session(), leading to crashes as follows: [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `./haproxy -f quic_srv.cfg'. Program terminated with signal SIGSEGV, Segmentation fault. #0 tls_process_server_hello (s=0x560c259733b0, pkt=0x7fffac239f20) at ssl/statem/statem_clnt.c:1624 1624 if (s->session->session_id_length > 0) { [Current thread is 1 (Thread 0x7fc364e53dc0 (LWP 35514))] (gdb) bt #0 tls_process_server_hello (s=0x560c259733b0, pkt=0x7fffac239f20) at ssl/statem/statem_clnt.c:1624 #1 0x00007fc36540fba4 in ossl_statem_client_process_message (s=0x560c259733b0, pkt=0x7fffac239f20) at ssl/statem/statem_clnt.c:1042 #2 0x00007fc36540d028 in read_state_machine (s=0x560c259733b0) at ssl/statem/statem.c:646 #3 0x00007fc36540ca70 in state_machine (s=0x560c259733b0, server=0) at ssl/statem/statem.c:439 #4 0x00007fc36540c576 in ossl_statem_connect (s=0x560c259733b0) at ssl/statem/statem.c:250 #5 0x00007fc3653f1698 in SSL_do_handshake (s=0x560c259733b0) at ssl/ssl_lib.c:3835 #6 0x0000560c22620327 in qc_ssl_do_hanshake (qc=qc@entry=0x560c25961f60, ctx=ctx@entry=0x560c25963020) at src/quic_ssl.c:863 #7 0x0000560c226210be in qc_ssl_provide_quic_data (len=90, data=<optimized out>, ctx=0x560c25963020, level=ssl_encryption_initial, ncbuf=0x560c2588bb18) at src/quic_ssl.c:1071 #8 qc_ssl_provide_all_quic_data (qc=qc@entry=0x560c25961f60, ctx=0x560c25963020) at src/quic_ssl.c:1123 #9 0x0000560c2260ca5f in quic_conn_io_cb (t=0x560c25962f80, context=0x560c25961f60, state=<optimized out>) at src/quic_conn.c:791 #10 0x0000560c228255ed in run_tasks_from_lists (budgets=<optimized out>) at src/task.c:648 #11 0x0000560c22825f7a in process_runnable_tasks () at src/task.c:889 #12 0x0000560c22793dc7 in run_poll_loop () at src/haproxy.c:2836 #13 0x0000560c22794481 in run_thread_poll_loop (data=<optimized out>) at src/haproxy.c:3056 #14 0x0000560c2259082d in main (argc=<optimized out>, argv=<optimized out>) at src/haproxy.c:3667 <s> is the SSL object, and <s->session> is the SSL_SESSION object. For the client, this is the first call do SSL_do_handshake() which initializes this SSL_SESSION object from ->init() xpt callback. Then it is reset by ssl_sock_set_servername(), then tls_process_server_hello() TLS stack is called with NULL value for s->session when receiving the ServerHello TLS message. To fix this, simply move the first call to SSL_do_handshake to ->start xprt call back (qc_xprt_start()). No need to backport.
HAProxy
HAProxy is a free, very fast and reliable reverse-proxy offering high availability, load balancing, and proxying for TCP and HTTP-based applications.
Installation
The INSTALL file describes how to build HAProxy. A list of packages is also available on the wiki.
Getting help
The discourse and the mailing-list are available for questions or configuration assistance. You can also use the slack or IRC channel. Please don't use the issue tracker for these.
The issue tracker is only for bug reports or feature requests.
Documentation
The HAProxy documentation has been split into a number of different files for ease of use. It is available in text format as well as HTML. The wiki is also meant to replace the old architecture guide.
Please refer to the following files depending on what you're looking for:
- INSTALL for instructions on how to build and install HAProxy
- BRANCHES to understand the project's life cycle and what version to use
- LICENSE for the project's license
- CONTRIBUTING for the process to follow to submit contributions
The more detailed documentation is located into the doc/ directory:
- doc/intro.txt for a quick introduction on HAProxy
- doc/configuration.txt for the configuration's reference manual
- doc/lua.txt for the Lua's reference manual
- doc/SPOE.txt for how to use the SPOE engine
- doc/network-namespaces.txt for how to use network namespaces under Linux
- doc/management.txt for the management guide
- doc/regression-testing.txt for how to use the regression testing suite
- doc/peers.txt for the peers protocol reference
- doc/coding-style.txt for how to adopt HAProxy's coding style
- doc/internals for developer-specific documentation (not all up to date)
License
HAProxy is licensed under GPL 2 or any later version, the headers under LGPL 2.1. See the LICENSE file for a more detailed explanation.