> On 9 August 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote:
> 
> Hi Manu,
> 
> On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy, Emeric, Christopher
>> 
>> The new patch is much simpler: 
> 
>> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
>> From: Emmanuel Hocdet <m...@gandi.net>
>> Date: Sun, 30 Jul 2017 18:29:04 +0200
>> Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni
>> is set
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 8bit
>> 
>> With strict-sni, the ssl connection will fail if no certificate matches. Having
>> no certificate on the bind line fails all ssl connections. It's ok with the
>> behavior of strict-sni. When 'generate-certificates' is set, 'strict-sni' is
>> never used. When 'strict-sni' is set, default_ctx is never used. Allow starting
>> without a certificate only in this case.
>> 
>> The use case is to start haproxy with ssl before customers start to use
>> certificates.
>> Typically with 'crt' on an empty directory and 'strict-sni' parameters.
>> ---
>> src/ssl_sock.c | 12 +++++++++---
>> 1 file changed, 9 insertions(+), 3 deletions(-)
>> 
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index d81dd70..041cba6 100644
>> --- a/src/ssl_sock.c
>> +++ b/src/ssl_sock.c
>> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf 
>> *bind_conf)
>>              return 0;
>>      }
>>      if (!bind_conf->default_ctx) {
>> -            Alert("Proxy '%s': no SSL certificate specified for bind '%s' 
>> at [%s:%d] (use 'crt').\n",
>> -                  px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
>> -            return -1;
>> +            if (bind_conf->strict_sni && !bind_conf->generate_certs) {
>> +                    Warning("Proxy '%s': no SSL certificate specified for 
>> bind '%s' at [%s:%d] (use 'crt').\n",
>> +                            px->id, bind_conf->arg, bind_conf->file, 
>> bind_conf->line);
>> +            }
>> +            else {
>> +                    Alert("Proxy '%s': no SSL certificate specified for 
>> bind '%s' at [%s:%d] (use 'crt').\n",
>> +                          px->id, bind_conf->arg, bind_conf->file, 
>> bind_conf->line);
>> +                    return -1;
>> +            }
>>      }
>> 
>>      alloc_ctx = shared_context_init(global.tune.sslcachesize, 
>> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
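Review bot: the new Warning() branch reuses the Alert() text verbatim, so the operator is told to "use 'crt'" but not what the consequence is until they do; since the commit message states that with strict-sni every SSL connection on this bind fails until a matching certificate is loaded, the warning should say so, e.g. `... (use 'crt'); all SSL connections on this bind will fail until a certificate is added.` Separately, the early `return -1` previously guaranteed that `bind_conf->default_ctx` is non-NULL for everything that follows in ssl_sock_prepare_bind_conf(); with the warning branch now falling through, the commit message's claim that default_ctx is never used under strict-sni should be checked against the rest of the function and the SNI selection code, which are not in this hunk (the `alloc_ctx = shared_context_init(...)` call visible below does not touch it). Minor: the two branches differ only in log level and return value, so the duplicated format string and argument list could be factored into a single message.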
> 
> Quick question, what happens when we start in this case and only the
> warning is emitted? Will all SSL connections simply fail? The impact
> should be presented in the warning so that the user knows if he needs
> to act on it or not. This aside, yes I think it should do the trick.
> 

Yes, connections simply fail, as is already the case with a fake 'default' cert and
strict-sni.

Manu


