Bryan found an interesting bug in the code, which I’ve root caused to an optimization bug(?)/eccentricity in gcc 4.8.4.
Either way, I've fixed the error and have attached 2 more patches on top of the 3 already provided. 0004 fixed the bug, and 0005 cleans up some of the code. I'm reposting all 5 here so people don't have to track them down. Patches 1, 2, and 3 are identical to the original. Please take a look.

-Dave

On 12/3/15, 2:35 PM, "Willy Tarreau" <[email protected]> wrote:

>On Thu, Dec 03, 2015 at 07:24:10PM +0000, Dave Zhu (yanbzhu) wrote:
>> HAProxy will use the first "crt" file that it loads as the default
>> cert (represented by bind_conf->default_ctx).
>>
>> So, if you loaded multiple certs in one operation as your first cert,
>> HAProxy will have to determine WHICH cert is the bind_conf->default_ctx.
>> This operation happens during loading of the config, way before any users
>> can connect.
>
>Ah indeed, I had not thought about that.
>
>> What I'm saying is that the logic for loading multiple certs might
>> generate multiple SSL_CTX's depending on CN/SAN overlap. In that case, it
>> will pick the SSL_CTX that has the highest number of different key types
>> and set it as bind_conf->default_ctx if bind_conf->default_ctx has not
>> been set previously.
>>
>> Does that make sense?
>
>Yes it does. I just feel that it adds some uncertainty (for the admin)
>regarding the choice and that the risk that the default one changes will
>change as individual certs are expired/renewed/updated/replaced.
>
>Maybe at some point we'll have to make it possible to specify (or to
>document) the selection order so that it's stable in time and easy to
>determine.
>
>By the way this ordering may be required as well for other certs if some
>people decide for example to suddenly make RSA picked before ECDSA (if
>a vulnerability is reported or whatever for example). Then in this case
>we could use the same selection rules.
>
>Thanks for your clear explanation!
>Willy
>
Attachments:
0001-MINOR-ssl-Added-cert_key_and_chain-struct.patch
0002-MEDIUM-ssl-Added-support-for-creating-SSL_CTX-with-m.patch
0003-MINOR-ssl-Added-multi-cert-support-for-crt-list-conf.patch
0004-BUG-MINOR-ssl-Fixed-code-that-crashed-under-optimiza.patch
0005-MINOR-ssl-Clean-up-unused-code-fixed-spelling-error.patch
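The selection rule Dave describes (among the SSL_CTXs generated from one multi-cert load, the one with the most distinct key types becomes bind_conf->default_ctx unless a default already exists) and the instability Willy worries about can be shown with a small stand-alone model. This is an added example, not code from the thread's patches or from HAProxy: the struct cert_ctx, the KT_* key-type flags, pick_default_ctx(), the tie-break (earliest candidate wins, which the thread does not specify) and the sample bundle are all assumptions made here.

```c
/* Added example: a stand-alone model of the default-certificate selection
 * discussed in the thread. It is not HAProxy code; cert_ctx, KT_*,
 * pick_default_ctx() and the tie-break rule are assumptions for illustration. */
#include <stdio.h>

/* Key types a candidate SSL_CTX can serve, as a bitmask (assumed names). */
enum key_type { KT_RSA = 1u << 0, KT_ECDSA = 1u << 1, KT_DSA = 1u << 2 };

struct cert_ctx {
    const char *name;        /* label for the SSL_CTX candidate */
    unsigned int key_types;  /* bitmask of key types it carries */
};

/* Number of distinct key types in a mask (population count). */
int count_key_types(unsigned int mask)
{
    int n = 0;
    while (mask) {
        n += mask & 1u;
        mask >>= 1;
    }
    return n;
}

/* Rule from the thread: keep an already-set default; otherwise choose the
 * candidate with the highest number of distinct key types. Ties keep the
 * earliest candidate (assumption; the thread does not say how ties resolve). */
const struct cert_ctx *pick_default_ctx(const struct cert_ctx *current_default,
                                        const struct cert_ctx *cands, int ncands)
{
    const struct cert_ctx *best;
    int i;

    if (current_default)
        return current_default;
    if (ncands <= 0)
        return NULL;
    best = &cands[0];
    for (i = 1; i < ncands; i++)
        if (count_key_types(cands[i].key_types) > count_key_types(best->key_types))
            best = &cands[i];
    return best;
}

/* Willy's concern: renewing one certificate can move the default. Apply a
 * renewal that replaces a candidate's key types and report whether the
 * choice made from a cold start differs before and after. Returns 1 if moved. */
int default_changes_after_renewal(struct cert_ctx *cands, int ncands,
                                  int renewed_idx, unsigned int new_key_types)
{
    const struct cert_ctx *before = pick_default_ctx(NULL, cands, ncands);
    const struct cert_ctx *after;

    cands[renewed_idx].key_types = new_key_types;
    after = pick_default_ctx(NULL, cands, ncands);
    return before != after;
}

/* Constructed sample: two SSL_CTX candidates produced by one bundle load.
 * Returns the index of the candidate chosen as default (1 here: api.* has
 * RSA and ECDSA, www.* only RSA). */
int demo_default_index(void)
{
    struct cert_ctx cands[] = {
        { "www.example.com", KT_RSA },
        { "api.example.com", KT_RSA | KT_ECDSA },
    };
    return (int)(pick_default_ctx(NULL, cands, 2) - cands);
}

/* Same sample, then api.example.com is renewed as an ECDSA-only cert: both
 * candidates now have one key type, the tie goes to www.*, and the default
 * silently moves. Returns 1 when that happens. */
int demo_renewal_moves_default(void)
{
    struct cert_ctx cands[] = {
        { "www.example.com", KT_RSA },
        { "api.example.com", KT_RSA | KT_ECDSA },
    };
    return default_changes_after_renewal(cands, 2, 1, KT_ECDSA);
}

int main(void)
{
    printf("default_ctx index at startup: %d\n", demo_default_index());
    printf("default moved after renewal: %s\n",
           demo_renewal_moves_default() ? "yes" : "no");
    return 0;
}
```

The second function is the practical check an operator would want: the default served to clients that present no SNI depends on how many key types each bundle happens to contain at load time, so a routine renewal that drops or adds a key type can change which certificate is presented. An explicit, documented selection order, as Willy suggests, removes that dependency.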

