On Sat, Jun 13, 2020 at 04:55:53PM +0200, Tim Düsterhus wrote:
> William,
> 
> Am 13.06.20 um 16:46 schrieb Tim Düsterhus:
> > tune.ssl.default-dh-param 2048 solved the issue for me.
> > 
> > I'd argue that this is a bug in HAProxy nonetheless, because apparently
> > the crt-list file is not fully parsed in case of DH parameter warnings
> > (not errors). In fact I can remember that some similar issue was
> > previously fixed.
> > 
> 
> Could this be another version of this issue:
> https://github.com/haproxy/haproxy/issues/483? Should I file a bug report?
> 
> Best regards
> Tim Düsterhus

Hello Tim,

I think I found the problem, could you try the attached patch for 2.1?

Thanks,

-- 
William Lallemand
From 671197ebf116b053169d6a2ec27ded0b2d090f93 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallem...@haproxy.org>
Date: Mon, 15 Jun 2020 14:37:19 +0200
Subject: [PATCH] BUG/MINOR: ssl: crt-list should continue parsing on ERR_WARN

The original crt-list parsing was using any value in the cfgerr variable
as an error. This is wrong since the certificate loading could return
an ERR_WARN and should be able to be parsed. The parsing must be only
stopped on an ERR_CODE.

This commit is 2.1 only since it was fixed
in 2.2 by commit 2954c47 ("MEDIUM: ssl: allow crt-list caching")
and accidentally in 2.0 by commit b131c87 ("CLEANUP: ssl: make
ssl_sock_load_cert*() return real error codes").
---
 src/ssl_sock.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index adf06dd7a..574cd15dd 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4364,7 +4364,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 			}
 			line++;
 		}
-		if (cfgerr)
+		if (cfgerr & ERR_CODE)
 			break;
 		args[arg++] = line;
 
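Review bot: because cfgerr is accumulated with `|=` and is tested here rather than a per-line status, an ERR_WARN bit set while loading an earlier line stays set for every following line and is what ssl_sock_load_cert_list_file finally returns; the loop now tolerates that, but the caller must apply the same `& ERR_CODE` test, otherwise a warning-only load is still rejected one level up. Please confirm the caller side in the same patch.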
@@ -4409,7 +4409,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 			}
 		}
 
-		if (cfgerr) {
+		if (cfgerr & ERR_CODE) {
 			ssl_sock_free_ssl_conf(ssl_conf);
 			free(ssl_conf);
 			ssl_conf = NULL;
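Review bot: keeping ssl_conf when the option parsing above only warned is the intended behaviour, but this patch touches three `if (cfgerr)` sites and nothing else; any other use of cfgerr in this function (its final return value, checks outside these hunks) needs the same audit, and a short comment at the declaration of cfgerr stating that ERR_WARN bits accumulate and are non-fatal would make the convention explicit for the next person editing this loop.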
@@ -4428,7 +4428,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 		else
 			cfgerr |= ssl_sock_load_ckchs(crt_path, ckchs, bind_conf, ssl_conf, &args[cur_arg], arg - cur_arg - 1, err);
 
-		if (cfgerr) {
+		if (cfgerr & ERR_CODE) {
 			memprintf(err, "error processing line %d in file '%s' : %s", linenum, file, *err);
 			break;
 		}
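Review bot: with the message now built only for ERR_CODE, a warning from ssl_sock_load_ckchs on one line leaves its text in *err with no line number, and because memprintf reuses `*err` as the trailing "%s", that stale warning text gets prepended to the message of a later hard error on a different line. Suggest reporting warnings (with linenum) at the point they are produced, or at minimum confirming that the caller prints *err when the returned value carries only ERR_WARN, so the DH-parameter warning that triggered this report is not silently dropped.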
-- 
2.25.3
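To make the difference between the two break conditions concrete, here is a small C model of the loop, added here as an illustration and not taken from HAProxy's source: it walks a constructed list of per-line loader statuses and shows how many lines survive under `if (cfgerr)` versus `if (cfgerr & ERR_CODE)` when one line only warns and a later one fails for real. The flag values, the sample list and the function names (load_crt_list, lines_loaded, final_status, load_failed) are assumptions chosen for the example, not HAProxy's definitions.

```c
#include <stdio.h>

/* Illustrative flag values; these are NOT HAProxy's definitions. */
#define ERR_NONE  0x00
#define ERR_WARN  0x01   /* non-fatal: report but keep loading */
#define ERR_FATAL 0x02   /* hard error: stop */
#define ERR_ABORT 0x04   /* hard error: stop and abort */
#define ERR_CODE  (ERR_FATAL | ERR_ABORT)   /* mask selecting the hard errors */

/* Constructed crt-list: the status the certificate loader would return for
 * each line. Line 2 only warns (think of a short DH parameter), line 5 fails. */
static const int sample_status[] = {
    ERR_NONE, ERR_WARN, ERR_NONE, ERR_NONE, ERR_FATAL, ERR_NONE
};
#define SAMPLE_LINES (sizeof(sample_status) / sizeof(sample_status[0]))

/* Model of the parse loop. Flags accumulate with |= across lines, as in the
 * patched function. mask_with_code == 0 is the pre-patch test `if (cfgerr)`,
 * mask_with_code != 0 the patched test `if (cfgerr & ERR_CODE)`.
 * Returns the accumulated cfgerr and stores in *loaded how many lines were
 * accepted before the loop stopped. */
static int load_crt_list(const int *status, int n, int mask_with_code, int *loaded)
{
    int cfgerr = ERR_NONE;
    int i;

    *loaded = 0;
    for (i = 0; i < n; i++) {
        cfgerr |= status[i];
        if (mask_with_code ? (cfgerr & ERR_CODE) : cfgerr)
            break;            /* the line that produced the stop is not counted */
        (*loaded)++;
    }
    return cfgerr;
}

/* Number of lines the loader accepts from the sample list. */
int lines_loaded(int mask_with_code)
{
    int loaded;
    load_crt_list(sample_status, (int)SAMPLE_LINES, mask_with_code, &loaded);
    return loaded;
}

/* Status value the loader hands back to its caller for the sample list. */
int final_status(int mask_with_code)
{
    int loaded;
    return load_crt_list(sample_status, (int)SAMPLE_LINES, mask_with_code, &loaded);
}

/* What the caller must do with that value: only ERR_CODE bits mean the
 * crt-list failed to load; a lone ERR_WARN is a successful load with
 * something to report. */
int load_failed(int cfgerr)
{
    return (cfgerr & ERR_CODE) != 0;
}

int main(void)
{
    int mode;
    for (mode = 0; mode < 2; mode++) {
        int st = final_status(mode);
        printf("%-18s: %d of %d lines loaded, status 0x%02x, %s\n",
               mode ? "cfgerr & ERR_CODE" : "cfgerr", lines_loaded(mode),
               (int)SAMPLE_LINES, st, load_failed(st) ? "failed" : "ok");
    }
    return 0;
}
```

With the unmasked test the loop stops at the warning and only one line is loaded, while the returned status is a bare ERR_WARN; with the mask the loader gets through the warning and the two good lines after it and stops only at the real failure. Note that in the masked case the returned value carries both ERR_WARN and ERR_FATAL, which is why the caller has to mask as well rather than test for non-zero.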
