On 21/11/2017 at 13:46, Alexander Lebedev wrote:
Hi!
In 1.7.9, with crt-base and ca-base set in global, haproxy tries to search
for the server crt in ca-base. In bind all works as expected. If I specify
the full path for crt in server, it's ok.
Hi,
You're right. There is a bug. The attached patch fixes it for the
upstream. It must be slightly adapted to be applied on 1.7, 1.6 and 1.5
(there is no global_ssl structure for older releases. global must be
used instead).
--
Christopher Faulet
From e813590d22179da472d44131dd776fe76d60ff16 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <[email protected]>
Date: Thu, 23 Nov 2017 09:13:32 +0100
Subject: [PATCH] BUG/MINOR: Use crt_base instead of ca_base when crt is parsed
on a server line
In srv_parse_crt, crt_base was checked but ca_base was used to build the
certificate path.
This patch must be backported in 1.7, 1.6 and 1.5.
---
src/ssl_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 24bb36877..0fca243d2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -7714,7 +7714,7 @@ static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct ser
}
if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
- memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.ca_base, args[*cur_arg + 1]);
+ memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
else
memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
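Review bot: the condition on the line above the change tests global_ssl.crt_base, so the memprintf that builds the relative path should use the same base; the replaced line used global_ssl.ca_base, which is the mismatch reported in the thread, and the new line makes the two consistent. The else branch still copies an absolute crt argument verbatim, which matches the reporter's observation that a full path already worked. For the backport to 1.7, 1.6 and 1.5 mentioned in the reply, both the check and the memprintf in this hunk need global.crt_base in place of global_ssl.crt_base.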
--
2.13.6