>From ffaf903ad7d5c7b9920e1e32ddc4f510365e8e5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= <[email protected]>
Date: Mon, 13 Mar 2017 15:52:01 +0100
Subject: [PATCH 15/31] MINOR: server: Make 'default-server' support
 'verifyhost' setting.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4

This patch makes 'default-server' directive support 'verifyhost' setting.
Note: there was a little memory leak when several 'verifyhost' arguments were
supplied on the same 'server' line.
---
 src/server.c   | 2 ++
 src/ssl_sock.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index b69d1d1..5819b75 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1298,6 +1298,8 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 #if defined(USE_OPENSSL)
 			/* SSL config. */
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
+			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
+				newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
 #endif
 
 			cur_arg = 3;
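Review bot: The `strdup()` result stored in `newsrv->ssl_ctx.verify_host` is never checked, so on allocation failure the new server silently gets a NULL `verify_host` even though the `default-server` line asked for one. If a NULL value means no hostname check is applied to the server certificate (not visible here), that is a fail-open result at configuration load. The same unchecked `strdup(args[*cur_arg + 1])` follows the new `free()` in `srv_parse_verifyhost`, which then returns 0. Both places should treat a NULL result as a fatal configuration error, for example in `srv_parse_verifyhost`: `if (!newsrv->ssl_ctx.verify_host) return ERR_ALERT | ERR_FATAL;` together with an out-of-memory message. `parse_server` starts and ends outside this hunk, so the matching abort path there has to be taken from the rest of the function.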
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5285e24..34860fe 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6792,6 +6792,7 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
 		return ERR_ALERT | ERR_FATAL;
 	}
 
+	free(newsrv->ssl_ctx.verify_host);
 	newsrv->ssl_ctx.verify_host = strdup(args[*cur_arg + 1]);
 
 	return 0;
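Review bot: The added `free(newsrv->ssl_ctx.verify_host);` carries no comment saying which earlier value it releases, and that is not obvious from this function alone. With the `parse_server` change in this patch, the pointer can already hold a copy inherited from `default-server`, or a value set by an earlier `verifyhost` on the same line. A one-line comment above the call would record that ownership, e.g. `/* release a value inherited from 'default-server' or set by a previous 'verifyhost' */`. `srv_parse_verifyhost` begins above the hunk.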
@@ -7518,7 +7519,7 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "tlsv12",                  srv_parse_tlsv12,            0, 1 }, /* enable TLSv12 */
 	{ "tls-tickets",             srv_parse_tls_tickets,       0, 1 }, /* enable session resumption tickets */
 	{ "verify",                  srv_parse_verify,            1, 1 }, /* set SSL verify method */
-	{ "verifyhost",              srv_parse_verifyhost,        1, 0 }, /* require that SSL cert verifies for hostname */
+	{ "verifyhost",              srv_parse_verifyhost,        1, 1 }, /* require that SSL cert verifies for hostname */
 	{ NULL, NULL, 0, 0 },
 }};
 
-- 
2.1.4
