Re: All "server" settings supported on "default-server" lines

Tue, 21 Mar 2017 12:13:02 -0700 



>From 9da661d95b42cac3c65be783b4c8c71e900366e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= <[email protected]>
Date: Tue, 14 Mar 2017 15:52:04 +0100
Subject: [PATCH 19/31] MINOR: server: Make 'default-server' support 'ca-file',
 'crl-file' and 'crt' settings.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4

This patch makes 'default-server' directives support 'ca-file', 'crl-file' and
'crt' settings.
---
 src/server.c   | 6 ++++++
 src/ssl_sock.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/server.c b/src/server.c
index 988abee..c94e5dc 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1338,6 +1338,12 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->init_addr         = curproxy->defsrv.init_addr;
 #if defined(USE_OPENSSL)
 			/* SSL config. */
+			if (curproxy->defsrv.ssl_ctx.ca_file != NULL)
+				newsrv->ssl_ctx.ca_file = strdup(curproxy->defsrv.ssl_ctx.ca_file);
+			if (curproxy->defsrv.ssl_ctx.crl_file != NULL)
+				newsrv->ssl_ctx.crl_file = strdup(curproxy->defsrv.ssl_ctx.crl_file);
+			if (curproxy->defsrv.ssl_ctx.client_crt != NULL)
+				newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.crl_file);
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
 			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
 				newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 34860fe..72b3259 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7485,11 +7485,11 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-	{ "ca-file",                 srv_parse_ca_file,           1, 0 }, /* set CAfile to process verify server cert */
+	{ "ca-file",                 srv_parse_ca_file,           1, 1 }, /* set CAfile to process verify server cert */
 	{ "check-ssl",               srv_parse_check_ssl,         0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",                 srv_parse_ciphers,           1, 0 }, /* select the cipher suite */
-	{ "crl-file",                srv_parse_crl_file,          1, 0 }, /* set certificate revocation list file use on server cert verify */
-	{ "crt",                     srv_parse_crt,               1, 0 }, /* set client certificate */
+	{ "crl-file",                srv_parse_crl_file,          1, 1 }, /* set certificate revocation list file use on server cert verify */
+	{ "crt",                     srv_parse_crt,               1, 1 }, /* set client certificate */
 	{ "force-sslv3",             srv_parse_force_sslv3,       0, 1 }, /* force SSLv3 */
 	{ "force-tlsv10",            srv_parse_force_tlsv10,      0, 1 }, /* force TLSv10 */
 	{ "force-tlsv11",            srv_parse_force_tlsv11,      0, 1 }, /* force TLSv11 */
-- 
2.1.4

Reply via email to