This is a corrected patch against 1.7.5.

On 04/10/2017 05:00 PM, Sander Hoentjen wrote:
> No scratch that, this is wrong.
>
> On 04/10/2017 04:57 PM, Sander Hoentjen wrote:
>> The attached patch against haproxy 1.7.5 honours crt order also for
>> wildcards.
>>
>> On 04/07/2017 03:42 PM, Sander Hoentjen wrote:
>>> Hi Sander,
>>>
>>> On 04/06/2017 02:06 PM, Sander Klein wrote:
>>>> Hi Sander,
>>>>
>>>> On 2017-04-06 10:45, Sander Hoentjen wrote:
>>>>> Hi guys,
>>>>>
>>>>> We have a setup where we sometimes have multiple certificates for a
>>>>> domain. We use multiple directories for that and would like the
>>>>> following behavior:
>>>>> - Look in dir A for any match, use it if found
>>>>> - Look in dir B for any match, use it if found
>>>>> - Look in dir .. etc
>>>>>
>>>>> This works great, except for wildcards. Right now a domain match in dir
>>>>> B takes precedence over a wildcard match in dir A.
>>>>>
>>>>> Is there a way to get haproxy to behave the way I describe?
>>>> I have been playing with this some time ago and my solution was to
>>>> just think about the order of certificate loading. I then found out
>>>> that the last certificate was preferred if it matched. Not sure if
>>>> this has changed over time.
>>> This does not work for wildcard certs, it seems they are always tried last.
>>>
>>> Regards,
>>> Sander
>>>
>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f947c99..ad70783 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -130,6 +130,7 @@ int sslconns = 0; int totalsslconns = 0; +int order = 0; #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0) struct list tlskeys_reference = LIST_HEAD_INIT(tlskeys_reference); @@ -1453,9 +1454,12 @@ break; } } - if (!node && wildp) { + if (wildp) { /* lookup in wildcards names */ - node = ebst_lookup(&s->sni_w_ctx, wildp); + n = ebst_lookup(&s->sni_w_ctx, wildp); + if (!node || n && container_of(n, struct sni_ctx, name)->order < container_of(node, struct sni_ctx, name)->order) { + node = n; + } } if (!node || container_of(node, struct sni_ctx, name)->neg) { SSL_CTX *ctx; @@ -2265,7 +2269,6 @@ X509 *x = NULL, *ca; int i, err; int ret = -1; - int order = 0; X509_NAME *xname; char *str; pem_password_cb *passwd_cb;
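Review bot: the new file-scope `int order = 0;` in the first hunk is neither `static` nor commented, and a bare global named `order` in ssl_sock.c is easy to collide with and says nothing about its purpose; since it replaces the per-call counter removed in the last hunk, declare it `static int order = 0;` with a comment stating that it numbers each `sni_ctx` in configuration load order across all certificate files so the SNI lookup can prefer the earliest-loaded match, and consider a more specific name (something like `sni_load_order`, a suggestion, not an existing identifier).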
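Review bot: the new condition in the SNI lookup hunk, `if (!node || n && container_of(n, struct sni_ctx, name)->order < container_of(node, struct sni_ctx, name)->order)`, mixes `||` and `&&` without parentheses, which gcc flags under -Wparentheses and readers will misparse; write it as `if (!node || (n && container_of(n, struct sni_ctx, name)->order < container_of(node, struct sni_ctx, name)->order))`. Two more points on this hunk: `n` is assigned here but not declared in the visible lines, so confirm the function already declares it and that nothing later depends on its previous value; and because the wildcard result is now chosen purely by `order`, a wildcard entry flagged `neg` with a lower order will displace an exact-name match and push the lookup into the `if (!node || container_of(node, struct sni_ctx, name)->neg)` fallback below, which is a behaviour change from the old `if (!node && wildp)` and should be either documented as intended or avoided by also checking `neg` on `n` before replacing `node`.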
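Review bot: removing the local `int order = 0;` in the last hunk silently changes every `order` reference in this function from a per-call counter to the process-wide global added at file scope, and nothing in the patch ever resets it, so the numbering now runs across every certificate and directory loaded for every bind line; that is the ordering the thread asks for, but it should be stated in a comment next to whatever increments `order` in this function (not shown in the hunk) and in the commit message, and those uses should be checked for any assumption that the value restarts at 0 for each certificate file.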