Hi Manu,

On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
> Hi Willy, Emeric, Christopher
>
> The new patch is much simpler:
> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
> From: Emmanuel Hocdet <m...@gandi.net>
> Date: Sun, 30 Jul 2017 18:29:04 +0200
> Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni
>  is set
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> With strict-sni, ssl connection will fail if no certificate match. Have no
> certificate in bind line, fail on all ssl connections. It's ok with the
> behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is
> never used. When 'strict-sni' is set, default_ctx is never used. Allow to
> start
> without certificate only in this case.
>
> Use case is to start haproxy with ssl before customers start to use
> certificates.
> Typically with 'crt' on an empty directory and 'strict-sni' parameters.
> ---
>  src/ssl_sock.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index d81dd70..041cba6 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf
> *bind_conf)
> return 0;
> }
> if (!bind_conf->default_ctx) {
> - Alert("Proxy '%s': no SSL certificate specified for bind '%s'
> at [%s:%d] (use 'crt').\n",
> - px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
> - return -1;
> + if (bind_conf->strict_sni && !bind_conf->generate_certs) {
> + Warning("Proxy '%s': no SSL certificate specified for
> bind '%s' at [%s:%d] (use 'crt').\n",
> + px->id, bind_conf->arg, bind_conf->file,
> bind_conf->line);
> + }
> + else {
> + Alert("Proxy '%s': no SSL certificate specified for
> bind '%s' at [%s:%d] (use 'crt').\n",
> + px->id, bind_conf->arg, bind_conf->file,
> bind_conf->line);
> + return -1;
> + }
> }
>
> alloc_ctx = shared_context_init(global.tune.sslcachesize,
> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);

Quick question, what happens when we start in this case and only the
warning is emitted ? Will all SSL connections simply fail ? The impact
should be presented in the warning so that the user knows if he needs to
act on it or not.

This aside, yes I think it should do the trick.

Thanks,
Willy
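Review bot: the Warning branch in the `if (!bind_conf->default_ctx)` block reuses the Alert's wording verbatim, including "(use 'crt')", even though the process now starts and, as the commit message itself says, every SSL connection on that bind will be refused until a certificate matching the SNI is loaded; the warning should say so, for example "no SSL certificate specified for bind '%s' at [%s:%d], all SSL connections on this bind will fail until a certificate is added (strict-sni)", so an operator reading the startup log can tell a deliberate empty-directory start from a misconfiguration. Since the function now continues past this block with `bind_conf->default_ctx` still NULL, it is also worth confirming that nothing later in ssl_sock_prepare_bind_conf dereferences default_ctx unconditionally. Minor: both branches carry the same format string and argument list; computing the severity from the condition and emitting a single message would avoid the duplication.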