> On 9 August 2017 at 08:37, Willy Tarreau <w...@1wt.eu> wrote:
>
> Hi Manu,
>
> On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
>> Hi Willy, Emeric, Christopher
>>
>> The new patch is much simpler:
>
>> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
>> From: Emmanuel Hocdet <m...@gandi.net>
>> Date: Sun, 30 Jul 2017 18:29:04 +0200
>> Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni
>>  is set
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=UTF-8
>> Content-Transfer-Encoding: 8bit
>>
>> With strict-sni, ssl connection will fail if no certificate match. Have no
>> certificate in bind line, fail on all ssl connections. It's ok with the
>> behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is
>> never used. When 'strict-sni' is set, default_ctx is never used. Allow to
>> start without certificate only in this case.
>>
>> Use case is to start haproxy with ssl before customer start to use
>> certificates.
>> Typically with 'crt' on an empty directory and 'strict-sni' parameters.
>> ---
>> src/ssl_sock.c | 12 +++++++++---
>> 1 file changed, 9 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
>> index d81dd70..041cba6 100644
>> --- a/src/ssl_sock.c
>> +++ b/src/ssl_sock.c
>> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf >> *bind_conf) >> return 0; >> } >> if (!bind_conf->default_ctx) { >> - Alert("Proxy '%s': no SSL certificate specified for bind '%s' >> at [%s:%d] (use 'crt').\n", >> - px->id, bind_conf->arg, bind_conf->file, bind_conf->line); >> - return -1; >> + if (bind_conf->strict_sni && !bind_conf->generate_certs) { >> + Warning("Proxy '%s': no SSL certificate specified for >> bind '%s' at [%s:%d] (use 'crt').\n", >> + px->id, bind_conf->arg, bind_conf->file, >> bind_conf->line); >> + } >> + else { >> + Alert("Proxy '%s': no SSL certificate specified for >> bind '%s' at [%s:%d] (use 'crt').\n", >> + px->id, bind_conf->arg, bind_conf->file, >> bind_conf->line); >> + return -1; >> + } >> } >> >> alloc_ctx = shared_context_init(global.tune.sslcachesize, >> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
>
> Quick question, what happens when we start in this case and only the
> warning is emitted? Will all SSL connections simply fail? The impact
> should be presented in the warning so that the user knows if he needs
> to act on it or not. This aside, yes I think it should do the trick.
>
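Review bot: the Warning() in the new strict-sni branch reuses the Alert()'s wording ("no SSL certificate specified for bind ... (use 'crt')"), so it reads like the fatal error even though startup now continues; since this warning is the only notice the operator gets, state the consequence in it, e.g. "SSL connections on this bind will fail until a certificate is loaded". The format string and argument list are also duplicated verbatim in both branches; building the message once and only selecting Warning() versus Alert() plus the `return -1` on `bind_conf->strict_sni && !bind_conf->generate_certs` would keep the two from drifting apart. Finally, the warning branch falls through to shared_context_init() and the rest of ssl_sock_prepare_bind_conf() with bind_conf->default_ctx still NULL; the hunk does not show the later users of default_ctx in this function, so please confirm each of them tolerates a NULL pointer rather than dereferencing it.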
Yes, connections simply fail, as is already the case with a fake 'default' cert and strict-sni.

Manu