On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:
> 
> > Le 9 août 2017 à 08:37, Willy Tarreau <w...@1wt.eu> a écrit :
> > 
> > Hi Manu,
> > 
> > On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:
> >> Hi Willy, Emeric, Christopher
> >> 
> >> The new patch is much simpler: 
> > 
> >> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001
> >> From: Emmanuel Hocdet <m...@gandi.net>
> >> Date: Sun, 30 Jul 2017 18:29:04 +0200
> >> Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni is set
> >> MIME-Version: 1.0
> >> Content-Type: text/plain; charset=UTF-8
> >> Content-Transfer-Encoding: 8bit
> >> 
> >> With strict-sni, an SSL connection will fail if no certificate matches. With no
> >> certificate in the bind line, all SSL connections fail. This is in line with the
> >> behavior of strict-sni. When 'generate-certificates' is set, 'strict-sni' is
> >> never used. When 'strict-sni' is set, default_ctx is never used. Allow starting
> >> without a certificate only in this case.
> >> 
> >> The use case is to start haproxy with SSL before the customer starts to use
> >> certificates, typically with 'crt' on an empty directory and the 'strict-sni'
> >> parameter.
> >> ---
> >> src/ssl_sock.c | 12 +++++++++---
> >> 1 file changed, 9 insertions(+), 3 deletions(-)
> >> 
> >> diff --git a/src/ssl_sock.c b/src/ssl_sock.c
> >> index d81dd70..041cba6 100644
> >> --- a/src/ssl_sock.c
> >> +++ b/src/ssl_sock.c
> >> @@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf 
> >> *bind_conf)
> >>            return 0;
> >>    }
> >>    if (!bind_conf->default_ctx) {
> >> -          Alert("Proxy '%s': no SSL certificate specified for bind '%s' 
> >> at [%s:%d] (use 'crt').\n",
> >> -                px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
> >> -          return -1;
> >> +          if (bind_conf->strict_sni && !bind_conf->generate_certs) {
> >> +                  Warning("Proxy '%s': no SSL certificate specified for 
> >> bind '%s' at [%s:%d] (use 'crt').\n",
> >> +                          px->id, bind_conf->arg, bind_conf->file, 
> >> bind_conf->line);
> >> +          }
> >> +          else {
> >> +                  Alert("Proxy '%s': no SSL certificate specified for 
> >> bind '%s' at [%s:%d] (use 'crt').\n",
> >> +                        px->id, bind_conf->arg, bind_conf->file, 
> >> bind_conf->line);
> >> +                  return -1;
> >> +          }
> >>    }
> >> 
> >>    alloc_ctx = shared_context_init(global.tune.sslcachesize, 
> >> (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
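Review bot: the new Warning() in the strict_sni branch reuses the Alert's wording verbatim, including the "(use 'crt')" hint, so the operator is told to fix a misconfiguration in the very case this patch intentionally permits, and the message never says that every SSL connection on this bind will be rejected until certificates are loaded; reword it along the lines of "no SSL certificate specified for bind '%s' at [%s:%d]; with strict-sni all SSL connections will fail until certificates are provided". Since startup now continues with bind_conf->default_ctx left NULL, also confirm that the code following this check and the SNI selection callback never dereference default_ctx unconditionally, as the removed "return -1" was the only thing guaranteeing it was non-NULL past this point. The diffstat shows only src/ssl_sock.c changing; the documentation for 'strict-sni' and 'crt' should state that a bind line with strict-sni may now start without any certificate.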
> > 
> > Quick question: what happens when we start in this case and only the
> > warning is emitted? Will all SSL connections simply fail? The impact
> > should be presented in the warning so that the user knows whether he needs
> > to act on it or not. This aside, yes, I think it should do the trick.
> > 
> 
> Yes, connections simply fail, as they already do with a fake 'default' cert and
> strict-sni.

Thanks. Then can you please update the message in the warning accordingly?

Willy
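
For readers who want to reproduce the use case from the commit message, the following configuration is an added example, not part of the patch or of HAProxy's own documentation; the frontend and backend names, the certificate paths and the ports are assumptions. The first frontend shows the workaround needed before this patch: a throwaway 'default' certificate has to be listed only so that startup does not abort, even though strict-sni means it is never presented to a client. The second frontend is what the patch permits: 'crt' pointing at a still-empty directory plus 'strict-sni', so haproxy starts with a warning and every TLS handshake on that bind fails until certificates are dropped into the directory.

```haproxy
# Added example, not part of the patch or of HAProxy's documentation.
# Paths, names and ports are assumptions.

# Before the patch: a placeholder certificate is required so that
# ssl_sock_prepare_bind_conf() finds a default_ctx. With strict-sni it
# is never served to clients; it exists purely to get past startup.
frontend https_in_old
    bind :443 ssl crt /etc/haproxy/placeholder.pem crt /etc/haproxy/certs/ strict-sni
    default_backend app

# With the patch: /etc/haproxy/certs/ may be empty at startup. haproxy
# starts with a warning instead of an alert, and all TLS handshakes on
# this bind are rejected until customer certificates appear in the
# directory (a reload is still needed to pick them up).
frontend https_in_new
    bind :8443 ssl crt /etc/haproxy/certs/ strict-sni
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

To see the difference, run 'haproxy -c -f haproxy.cfg' with the directory empty: the first frontend validates silently, the second prints the warning from the patch. An 'openssl s_client -connect <host>:8443 -servername example.com' handshake against the second frontend is aborted until a certificate matching that name is present, which is exactly the behaviour strict-sni already had with a fake default certificate.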
