Hello Willy,

As I began to work on the server template feature, I found a bug in patch #0019 (caused, once again, by a copy-and-paste error).

Here is a new patch.

Sorry for this one.

Fred

>From 9da661d95b42cac3c65be783b4c8c71e900366e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= <[email protected]>
Date: Tue, 14 Mar 2017 15:52:04 +0100
Subject: [PATCH 19/31] MINOR: server: Make 'default-server' support 'ca-file',
 'crl-file' and 'crt' settings.
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4

This patch makes 'default-server' directives support 'ca-file', 'crl-file' and
'crt' settings.
---
 src/server.c   | 6 ++++++
 src/ssl_sock.c | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/server.c b/src/server.c
index 988abee..c94e5dc 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1338,6 +1338,12 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
 			newsrv->init_addr         = curproxy->defsrv.init_addr;
 #if defined(USE_OPENSSL)
 			/* SSL config. */
+			if (curproxy->defsrv.ssl_ctx.ca_file != NULL)
+				newsrv->ssl_ctx.ca_file = strdup(curproxy->defsrv.ssl_ctx.ca_file);
+			if (curproxy->defsrv.ssl_ctx.crl_file != NULL)
+				newsrv->ssl_ctx.crl_file = strdup(curproxy->defsrv.ssl_ctx.crl_file);
+			if (curproxy->defsrv.ssl_ctx.client_crt != NULL)
+				newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.client_crt);
 			newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
 			if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
 				newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
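Review bot: The three added `strdup()` calls for `ca_file`, `crl_file` and `client_crt` never check the result, so an allocation failure leaves the new server with a NULL pointer while `ssl_ctx.verify` is still copied from `default-server` on the next line. For `crl_file` in particular this would presumably mean the server is set up without the revocation list the operator configured, with no error at parse time; the pre-existing `verify_host` copy has the same gap. Each copy should be followed by a check such as `if (newsrv->ssl_ctx.crl_file == NULL) /* report out of memory and abort parsing */`, using whatever failure path `parse_server` already has. The function starts and ends outside this hunk, so that path is not visible here.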
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 34860fe..72b3259 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7485,11 +7485,11 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-	{ "ca-file",                 srv_parse_ca_file,           1, 0 }, /* set CAfile to process verify server cert */
+	{ "ca-file",                 srv_parse_ca_file,           1, 1 }, /* set CAfile to process verify server cert */
 	{ "check-ssl",               srv_parse_check_ssl,         0, 1 }, /* enable SSL for health checks */
 	{ "ciphers",                 srv_parse_ciphers,           1, 0 }, /* select the cipher suite */
-	{ "crl-file",                srv_parse_crl_file,          1, 0 }, /* set certificate revocation list file use on server cert verify */
-	{ "crt",                     srv_parse_crt,               1, 0 }, /* set client certificate */
+	{ "crl-file",                srv_parse_crl_file,          1, 1 }, /* set certificate revocation list file use on server cert verify */
+	{ "crt",                     srv_parse_crt,               1, 1 }, /* set client certificate */
 	{ "force-sslv3",             srv_parse_force_sslv3,       0, 1 }, /* force SSLv3 */
 	{ "force-tlsv10",            srv_parse_force_tlsv10,      0, 1 }, /* force TLSv10 */
 	{ "force-tlsv11",            srv_parse_force_tlsv11,      0, 1 }, /* force TLSv11 */
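Review bot: The last column of `srv_kws` is a bare `0`/`1` that this hunk flips for `ca-file`, `crl-file` and `crt`, and nothing in the table says what it means; from the commit subject it appears to mark keywords accepted on `default-server` lines. A comment above the initializer would make that explicit, for example `/* last field: 1 if the keyword may also be used on a 'default-server' line */`. The keyword documentation should also state that a `crt` set on `default-server` is inherited by the servers of the proxy, so they would all present the same client certificate unless a server line sets its own. `ciphers` stays at `0` here, so it is presumably handled elsewhere in the series; the table continues outside the hunk.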
-- 
2.1.4

