Hi Willy, Michael,

On 08/02/2018 06:03 PM, Willy Tarreau wrote:
> Hi Michael,
> 
> On Thu, Aug 02, 2018 at 03:48:13PM +0200, Michael Wimmesberger wrote:
>> Hi,
>>
>> while preparing to use multi-keytype bundles for my company's
>> domains, I found the following two issues:
> (...)
> 
> Thanks for reporting these issues. I'm CCing Emeric who's currently
> in vacation and will be back soon.  I prefer that he double-checks
> the implications of these modifications and/or proposes some extra
> solutions. While I'd suspect your first proposed change is right, he
> might have a use case in mind that we don't want to break (and this
> code is quite tricky).
> 
> Thanks!
> Willy
> 

Here are two patches which should fix the issues.


Thank you for the debug scripts, Michael, and your information. It was very
useful.


R,
Emeric
From b7698752256a405ee32f0ac412eec7a25163c459 Mon Sep 17 00:00:00 2001
From: Emeric Brun <eb...@haproxy.com>
Date: Thu, 16 Aug 2018 15:14:12 +0200
Subject: [PATCH 2/2] BUG/MEDIUM: ssl: loading dh param from cert file causes
 unpredictable error.

If the dh parameter is not found, OpenSSL's global error stack was not
correctly cleared, causing unpredictable errors during the following
parsing (chain cert parsing for instance).

This patch should be backported to 1.8 (and perhaps 1.7)
---
 src/ssl_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index b9c1285..8d0b674 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2607,6 +2607,8 @@ end:
         if (in)
                 BIO_free(in);
 
+	ERR_clear_error();
+
 	return dh;
 }
 
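Review bot: the ERR_clear_error() added before `return dh;` runs on every path that reaches the `end:` label, not only the "dh parameter not found" case the commit message describes, so once this function returns NULL a caller can no longer pull the OpenSSL reason for a genuinely malformed DH block with ERR_get_error(). If callers only test `dh == NULL` that is acceptable, but then say so in a comment at the clear (for example `/* don't leave PEM errors queued for the next loader */`), since the "queue is empty on return" invariant is otherwise invisible at the call sites; if callers do report the reason, log it before clearing or clear only on the not-found path.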
-- 
2.7.4

From 246bad0bee1e02088538d492f801c38e5f9ad535 Mon Sep 17 00:00:00 2001
From: Emeric Brun <eb...@haproxy.com>
Date: Thu, 16 Aug 2018 15:11:12 +0200
Subject: [PATCH 1/2] BUG/MEDIUM: ssl: fix missing error loading a keytype cert
 from a bundle.

If there was an issue loading a keytype's part of a bundle, the bundle
was implicitly ignored without errors.

This patch should be backported to 1.8 (and perhaps 1.7)
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7e8739a..b9c1285 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3491,7 +3491,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 						}
 
 						snprintf(fp, sizeof(fp), "%s/%s", path, dp);
-						ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);
+						cfgerr += ssl_sock_load_multi_cert(fp, bind_conf, NULL, NULL, 0, err);
 
 						/* Successfully processed the bundle */
 						goto ignore_entry;
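Review bot: the comment `/* Successfully processed the bundle */` right below the changed call is now misleading, because the return value is accumulated into cfgerr and the `goto ignore_entry;` is taken whether or not the bundle loaded. Reword it to something like `/* bundle handled; load errors are counted in cfgerr */`, and confirm that continuing the directory scan after a failed bundle (rather than stopping at the first failure) is the intended behaviour. It is also worth double-checking that ssl_sock_load_multi_cert returns a count that is non-zero on failure and safe to add, since `cfgerr +=` silently depends on that convention.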
-- 
2.7.4
