Willy,

Here is the patch fixing the certificates generation.

Thanks
--
Christopher Faulet
>From 4cfdaa09b218d784e7b814f70981f35d1a7811df Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfau...@haproxy.com>
Date: Fri, 28 Jul 2017 16:56:09 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: Fix regression about certificates generation

Since commit f6b37c67 ["BUG/MEDIUM: ssl: in bind line, ssl-options after
'crt' are ignored."], certificate generation has been broken.

To generate a certificate, we retrieved the private key of the default
certificate using the SSL object. But since the commit f6b37c67, the SSL object
is created with a dummy certificate (initial_ctx).

So to fix the bug, we use directly the default certificate in the bind_conf
structure. We use SSL_CTX_get0_privatekey function to do so. Because this
function does not exist for OpenSSL < 1.0.2 and for LibreSSL, it has been added
in openssl-compat.h with the right #ifdef.
---
 include/proto/openssl-compat.h | 13 +++++++++++++
 src/ssl_sock.c                 |  4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h
index ea92072e..9b671095 100644
--- a/include/proto/openssl-compat.h
+++ b/include/proto/openssl-compat.h
@@ -89,6 +89,19 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) || defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * Functions introduced in OpenSSL 1.0.2 and not yet present in LibreSSL
+ */
+EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)
+{
+	if (ctx->cert != NULL)
+		return ctx->cert->key->privatekey;
+	else
+		return NULL;
+}
+#endif
+
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
 /*
  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
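Review bot: The compat `SSL_CTX_get0_privatekey` on the added lines is defined with external linkage in a header, whereas the neighbouring helpers in this file are `static inline` (the hunk context shows `static inline int SSL_SESSION_set1_id_context`); on an OpenSSL < 1.0.2 or LibreSSL build, any second translation unit including this header would then hit a duplicate-symbol link error. The signature should read `static inline EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx)`. The body also reaches through `ctx->cert->key` without checking `key`, which presumably mirrors the OpenSSL 1.0.2 implementation but is worth confirming against the struct layout of the oldest supported release. A short comment above the function should state the "get0" contract, e.g. `/* Returns a borrowed reference owned by <ctx>; the caller must not free it. <ctx> must not be NULL. */`, since callers in ssl_sock.c rely on not having to release the key.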
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b4d4e14f..d81dd70c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1586,8 +1586,8 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
 	unsigned int  i;
 	int 	      key_type;
 
-	/* Get the private key of the defautl certificate and use it */
-	if (!(pkey = SSL_get_privatekey(ssl)))
+	/* Get the private key of the default certificate and use it */
+	if (!(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))
 		goto mkcert_error;
 
 	/* Create the certificate */
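Review bot: `bind_conf->default_ctx` is passed to `SSL_CTX_get0_privatekey` without a NULL check; if a bind line can reach certificate generation without a default certificate, both the compat implementation (which reads `ctx->cert` unconditionally) and OpenSSL's own would dereference NULL. If that configuration is reachable, the guard should become `if (!bind_conf->default_ctx || !(pkey = SSL_CTX_get0_privatekey(bind_conf->default_ctx)))` so the failure goes to `mkcert_error` as the other failures in this function do. Since `ssl` is no longer used on this line, it may now be an unused parameter of `ssl_sock_do_create_cert` unless the rest of the body still reads it. The enclosing function starts and ends outside the hunk.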
-- 
2.13.3
