On Sat, Jun 13, 2020 at 04:55:53PM +0200, Tim Düsterhus wrote: > William, > > Am 13.06.20 um 16:46 schrieb Tim Düsterhus: > > tune.ssl.default-dh-param 2048 solved the issue for me. > > > > I'd argue that this is a bug in HAProxy nonetheless, because apparently > > the crt-list file is not fully parsed in case of DH parameter warnings > > (not errors). In fact I can remember that some similar issue was > > previously fixed. > > > > Could this be another version of this issue: > https://github.com/haproxy/haproxy/issues/483? Should I file a bug report? > > Best regards > Tim Düsterhus
Hello Tim, I think I found the problem, could you try the attached patch for 2.1? Thanks, -- William Lallemand
>From 671197ebf116b053169d6a2ec27ded0b2d090f93 Mon Sep 17 00:00:00 2001 From: William Lallemand <wlallem...@haproxy.org> Date: Mon, 15 Jun 2020 14:37:19 +0200 Subject: [PATCH] BUG/MINOR: ssl: crt-list should continue parsing on ERR_WARN The original crt-list parsing was using any value in the cfgerr variable as an error. This is wrong since the certificate loading could return an ERR_WARN and should be able to be parsed. The parsing must be only stopped on an ERR_CODE. This commit is 2.1 only since it was fixed in 2.2 by commit 2954c47 ("MEDIUM: ssl: allow crt-list caching") and accidently in 2.0 by commit b131c87 ("CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes"). --- src/ssl_sock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index adf06dd7a..574cd15dd 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4364,7 +4364,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct } line++; } - if (cfgerr) + if (cfgerr & ERR_CODE) break; args[arg++] = line; @@ -4409,7 +4409,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct } } - if (cfgerr) { + if (cfgerr & ERR_CODE) { ssl_sock_free_ssl_conf(ssl_conf); free(ssl_conf); ssl_conf = NULL; @@ -4428,7 +4428,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct else cfgerr |= ssl_sock_load_ckchs(crt_path, ckchs, bind_conf, ssl_conf, &args[cur_arg], arg - cur_arg - 1, err); - if (cfgerr) { + if (cfgerr & ERR_CODE) { memprintf(err, "error processing line %d in file '%s' : %s", linenum, file, *err); break; } -- 2.25.3