This is a corrected patch against 1.7.5.

On 04/10/2017 05:00 PM, Sander Hoentjen wrote:
> No, scratch that, this is wrong.
>
> On 04/10/2017 04:57 PM, Sander Hoentjen wrote:
>> The attached patch against haproxy 1.7.5 honours crt order also for
>> wildcards.
>>
>> On 04/07/2017 03:42 PM, Sander Hoentjen wrote:
>>> Hi Sander,
>>>
>>> On 04/06/2017 02:06 PM, Sander Klein wrote:
>>>> Hi Sander,
>>>>
>>>> On 2017-04-06 10:45, Sander Hoentjen wrote:
>>>>> Hi guys,
>>>>>
>>>>> We have a setup where we sometimes have multiple certificates for a
>>>>> domain. We use multiple directories for that and would like the
>>>>> following behavior:
>>>>> - Look in dir A for any match, use it if found
>>>>> - Look in dir B for any match, use it if found
>>>>> - Look in dir .. etc
>>>>>
>>>>> This works great, except for wildcards. Right now a domain match in dir
>>>>> B takes precedence over a wildcard match in dir A.
>>>>>
>>>>> Is there a way to get haproxy to behave the way I describe?
>>>> I have been playing with this some time ago and my solution was to
>>>> just think about the order of certificate loading. I then found out
>>>> that the last certificate was preferred if it matched. Not sure if
>>>> this has changed over time.
>>> This does not work for wildcard certs, it seems they are always tried last.
>>>
>>> Regards,
>>> Sander
>>>
>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f947c99..ad70783 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -130,6 +130,7 @@
 
 int sslconns = 0;
 int totalsslconns = 0;
+int order = 0;
 
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference);
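Review bot: the new file-scope `int order = 0;` has external linkage and a very generic name for a counter that only this file uses; declare it `static`, give it a descriptive name (for example `static int sni_load_order`), and add a one-line comment stating that it is a process-wide load-order sequence that is never reset, since the SNI callback now compares these values across all certificate files loaded for a bind line.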
@@ -1453,9 +1454,12 @@
 			break;
 		}
 	}
-	if (!node && wildp) {
+	if (wildp) {
 		/* lookup in wildcards names */
-		node = ebst_lookup(&s->sni_w_ctx, wildp);
+		n = ebst_lookup(&s->sni_w_ctx, wildp);
+		if (!node || n && container_of(n, struct sni_ctx, name)->order < container_of(node, struct sni_ctx, name)->order) {
+			node = n;
+		}
 	}
 	if (!node || container_of(node, struct sni_ctx, name)->neg) {
 		SSL_CTX *ctx;
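Review bot: the new condition `if (!node || n && container_of(...)->order < container_of(...)->order)` mixes `||` and `&&` without parentheses, which gcc flags with -Wparentheses and which hides the intent (keep the exact match unless a wildcard match exists with a lower load order); write it as `if (!node || (n && wild->order < exact->order))` with two `struct sni_ctx *` temporaries so the line also stays within 80 columns. There is also a behaviour change to call out: the wildcard result `n` is taken as-is, without the `ebmb_next_dup()` walk over negated entries that the exact-name lookup gets just above (its tail is the `break; } }` at the top of the hunk), so a negative wildcard filter loaded early (lower `order`) now displaces a later positive exact match and the request falls into the `neg` branch below; either walk the wildcard dups the same way or skip `n` when its entry is negated.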
@@ -2265,7 +2269,6 @@
 	X509 *x = NULL, *ca;
 	int i, err;
 	int ret = -1;
-	int order = 0;
 	X509_NAME *xname;
 	char *str;
 	pem_password_cb *passwd_cb;
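Review bot: dropping the local `int order = 0;` here is what makes the counter survive across certificate files, but nothing in the patch or the thread explains that, and the hunk shows only one function; add a short commit message describing the new ordering rule (earlier-loaded wildcard beats later exact match) and check that no other function in ssl_sock.c still declares its own `order`, which would now silently shadow the global (gcc -Wshadow) and break the comparison for certificates loaded through that path.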
