Hi Manu,

On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
> Hi Willy, Emeric, Christopher
> 
> The new patch is much simpler: 

> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
> From: Emmanuel Hocdet <m...@gandi.net>
> Date: Sun, 30 Jul 2017 18:29:04 +0200
> Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni
>  is set
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> With strict-sni, the ssl connection will fail if no certificate matches. Having no
> certificate in the bind line fails all ssl connections. It's ok with the
> behavior of strict-sni. When 'generate-certificates' is set, 'strict-sni' is
> never used. When 'strict-sni' is set, default_ctx is never used. Allow to start
> without a certificate only in this case.
> 
> The use case is to start haproxy with ssl before customers start to use
> certificates.
> Typically with 'crt' on an empty directory and the 'strict-sni' parameter.
> ---
>  src/ssl_sock.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> index d81dd70..041cba6 100644
> --- a/src/ssl_sock.c
> +++ b/src/ssl_sock.c
> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf 
> *bind_conf)
>               return 0;
>       }
>       if (!bind_conf->default_ctx) {
> -             Alert("Proxy '%s': no SSL certificate specified for bind '%s' 
> at [%s:%d] (use 'crt').\n",
> -                   px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
> -             return -1;
> +             if (bind_conf->strict_sni && !bind_conf->generate_certs) {
> +                     Warning("Proxy '%s': no SSL certificate specified for 
> bind '%s' at [%s:%d] (use 'crt').\n",
> +                             px->id, bind_conf->arg, bind_conf->file, 
> bind_conf->line);
> +             }
> +             else {
> +                     Alert("Proxy '%s': no SSL certificate specified for 
> bind '%s' at [%s:%d] (use 'crt').\n",
> +                           px->id, bind_conf->arg, bind_conf->file, 
> bind_conf->line);
> +                     return -1;
> +             }
>       }
>  
>       alloc_ctx = shared_context_init(global.tune.sslcachesize, 
> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
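Review bot: the new Warning() branch copies the Alert() text verbatim, including the "(use 'crt')" hint, so an operator reading the log cannot tell that this is the expected strict-sni-without-certificates situation nor what it costs; per the commit message every SSL handshake on this bind will fail until a certificate is loaded, and the warning should say that explicitly, e.g. "Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], all SSL connections will fail until a certificate is loaded (strict-sni is set).\n". The condition `bind_conf->strict_sni && !bind_conf->generate_certs` matches the rule stated in the commit message, but since the function now continues past this block with `bind_conf->default_ctx` still NULL, whatever follows on this path and touches default_ctx (not visible in the trailing context) needs to be confirmed NULL-safe before this is merged.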

Quick question, what happens when we start in this case and only the
warning is emitted? Will all SSL connections simply fail? The impact
should be presented in the warning so that the user knows if he needs
to act on it or not. This aside, yes I think it should do the trick.

Thanks,
Willy
