On Fri, Aug 14, 2020 at 07:23:36PM +0200, Willy Tarreau wrote:
> Another long-standing issue was addressed by William today, regarding how
> filters "work" in crt-lists. When using an exclusion they don't work well
> because instead of using a list of exclusions, a lookup is performed and
> the matching entry is skipped. While that might work in certain cases
> (single entry for a given cert), there are situations where it cannot work
> like when this is used to exclude certain servernames from certain cert
> types. Thus William reworked that so that it really does what the doc
> says and what the syntax suggests. It should not have any visible effect
> for all those who were not subject to the problem, but might possibly
> reveal issues in certain broken configs that were working by accident
> (i.e. the desired cert is broken and not used and might suddenly be
> exposed). If you're using crt-lists with exclusions, you're welcome to
> verify that it's still OK for you. After some time this fix will be
> backported so that users don't get trapped anymore, but we'll have to
> delay this to avoid bad surprises.
There is indeed a problem which was identified with the exclusions, but the current commits fix another problem (issue #810).

The problem lies in the lookup of the SNIs: if a SNI with a single name is found, it won't try to lookup for a wildcard, which is a problem if you use a single name certificate for ECDSA and a wildcard for the RSA certificate. This bug was introduced quite recently and backported as far as 1.8 in December 2019... But this is not a fix for the negative filters, that should also be fixed but need a rework of the filters.

-- 
William Lallemand
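As an added illustration of the lookup problem William describes (issue #810), and not code from HAProxy or from either message in this thread: a simplified Python model of SNI certificate selection over a constructed crt-list. The crt-list entries, the key types, and the two lookup functions are assumptions made for the illustration; HAProxy's real implementation uses its own data structures and matching rules. The model shows why stopping at the first single-name (exact) match, without falling back to a wildcard entry for the requested key type, loses the RSA wildcard certificate when only the ECDSA certificate is a single-name entry.

```python
# Constructed crt-list entries modelled as (certificate file, key type, SNI filters).
# This mirrors the situation described in the thread: a single-name ECDSA
# certificate next to a wildcard RSA certificate for the same domain.
CRT_LIST = [
    ("ecdsa-www.pem", "ECDSA", ["www.example.com"]),  # single-name ECDSA cert
    ("rsa-wildcard.pem", "RSA", ["*.example.com"]),   # wildcard RSA cert
]


def build_sni_tables(entries):
    """Index crt-list entries into an exact-name table and a wildcard table.

    Both tables map a name to {key_type: certfile}. Wildcard filters such as
    "*.example.com" are stored under their suffix ".example.com" (assumption).
    """
    exact, wildcard = {}, {}
    for certfile, key_type, filters in entries:
        for name in filters:
            if name.startswith("*."):
                wildcard.setdefault(name[1:], {})[key_type] = certfile
            else:
                exact.setdefault(name, {})[key_type] = certfile
    return exact, wildcard


def wildcard_key(servername):
    """Suffix used for a wildcard lookup: "www.example.com" -> ".example.com"."""
    dot = servername.find(".")
    return servername[dot:] if dot != -1 else None


def lookup_buggy(tables, servername, key_type):
    """Model of the faulty behaviour: an exact-name hit ends the search,
    even when that exact entry has no certificate of the requested key type."""
    exact, wildcard = tables
    if servername in exact:
        return exact[servername].get(key_type)  # never reaches the wildcard table
    return wildcard.get(wildcard_key(servername), {}).get(key_type)


def lookup_fixed(tables, servername, key_type):
    """Model of the corrected behaviour: fall back to the wildcard table
    whenever the exact entry yields no certificate of the requested key type."""
    exact, wildcard = tables
    cert = exact.get(servername, {}).get(key_type)
    if cert is None:
        cert = wildcard.get(wildcard_key(servername), {}).get(key_type)
    return cert


def compare(servername, key_type):
    """Return (buggy_result, fixed_result) for one SNI / key-type pair."""
    tables = build_sni_tables(CRT_LIST)
    return lookup_buggy(tables, servername, key_type), lookup_fixed(tables, servername, key_type)


if __name__ == "__main__":
    for sni, ktype in [("www.example.com", "ECDSA"), ("www.example.com", "RSA"),
                       ("api.example.com", "RSA"), ("api.example.com", "ECDSA")]:
        buggy, fixed = compare(sni, ktype)
        print(f"{sni:18s} {ktype:5s} buggy={buggy!s:18s} fixed={fixed}")
```

Running the model, a client offering only RSA for `www.example.com` gets no certificate from the buggy lookup (the single-name ECDSA entry is hit first and the search stops), while the fixed lookup falls through to the `*.example.com` RSA entry. Requests for other names under the wildcard behave the same in both versions, which matches Willy's note that the fix should be invisible to configurations not affected by the problem.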

