On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:
> 
> > On 9 Aug 2017 at 08:37, Willy Tarreau <[email protected]> wrote:
> > 
> > Hi Manu,
> > 
> > On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
> >> Hi Willy, Emeric, Christopher
> >> 
> >> The new patch is much simpler:
> > 
> >> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
> >> From: Emmanuel Hocdet <[email protected]>
> >> Date: Sun, 30 Jul 2017 18:29:04 +0200
> >> Subject: [PATCH] MINOR: ssl: allow to start without certificate if
> >> strict-sni
> >> is set
> >> MIME-Version: 1.0
> >> Content-Type: text/plain; charset=UTF-8
> >> Content-Transfer-Encoding: 8bit
> >> 
> >> With strict-sni, ssl connection will fail if no certificate match. Have no
> >> certificate in bind line, fail on all ssl connections. It's ok with the
> >> behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is
> >> never used. When 'strict-sni' is set, default_ctx is never used. Allow to
> >> start
> >> without certificate only in this case.
> >> 
> >> Use case is to start haproxy with ssl before customer start to use
> >> certificates.
> >> Typically with 'crt' on an empty directory and 'strict-sni' parameters.
> >> ---
> >> src/ssl_sock.c | 12 +++++++++---
> >> 1 file changed, 9 insertions(+), 3 deletions(-)
> >> 
> >> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> >> index d81dd70..041cba6 100644
> >> --- a/src/ssl_sock.c
> >> +++ b/src/ssl_sock.c
> >> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf > >> *bind_conf) > >> return 0; > >> } > >> if (!bind_conf->default_ctx) { > >> - Alert("Proxy '%s': no SSL certificate specified for bind '%s' > >> at [%s:%d] (use 'crt').\n", > >> - px->id, bind_conf->arg, bind_conf->file, bind_conf->line); > >> - return -1; > >> + if (bind_conf->strict_sni && !bind_conf->generate_certs) { > >> + Warning("Proxy '%s': no SSL certificate specified for > >> bind '%s' at [%s:%d] (use 'crt').\n", > >> + px->id, bind_conf->arg, bind_conf->file, > >> bind_conf->line); > >> + } > >> + else { > >> + Alert("Proxy '%s': no SSL certificate specified for > >> bind '%s' at [%s:%d] (use 'crt').\n", > >> + px->id, bind_conf->arg, bind_conf->file, > >> bind_conf->line); > >> + return -1; > >> + } > >> } > >> > >> alloc_ctx = shared_context_init(global.tune.sslcachesize, > >> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0); > > > > Quick question, what happens when we start in this case and only the > > warning is emitted ? Will all SSL connections simply fail ? The impact > > should be presented in the warning so that the user knows if he needs > > to act on it or not. This aside, yes I think it should do the trick. > > > > Yes, connections simply fail, as is already with a fake 'default' cert and > strict-sni.
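Review bot: the new Warning branch in ssl_sock_prepare_bind_conf reuses the Alert's wording ("no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt')") but no longer aborts startup, so the message should spell out the consequence: with strict-sni set and no certificate loaded, every TLS handshake on this bind will be rejected until a certificate is placed in the 'crt' path. A warning along the lines of "no SSL certificate specified for bind '%s' at [%s:%d], all SSL connections on this bind will fail until a certificate is provided (use 'crt')" would let the operator decide whether they need to act. Second, after the warning the function carries on to shared_context_init() with bind_conf->default_ctx still NULL, so correctness rests on the commit message's claim that no strict-sni code path touches default_ctx; that assumption deserves a comment at this spot, or an explicit check, rather than living only in the commit text. Minor: the two branches now carry identical format strings and argument lists, so a single message with the severity picked by the strict_sni && !generate_certs condition would avoid the duplication.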
Thanks. Then can you please update the message in the warning accordingly?

Willy

