On Thu, Apr 01, 2021 at 02:26:07PM +0200, William Lallemand wrote:
> On Thu, Apr 01, 2021 at 10:19:31AM +0000, Jarno Huuskonen wrote:
> > Hello,
> >
> > I'm seeing a regression with 2.2.12 and using rsa and ecdsa certs on bind.
> > (cert1.pem.ecdsa
> > cert1.pem.ecdsa.ocsp
> > cert1.pem.ocsp
> > cert1.pem.rsa
> > cert1.pem.rsa.ocsp
> > )
> >
>
> Thanks for the report, I can reproduce the problem, I'm investigating.
>

Could you try the attached patch?

Thanks

--
William Lallemand
>From 3adeb8baf45c2f775848770b349cfa5e3fdd561b Mon Sep 17 00:00:00 2001 From: William Lallemand <wlallem...@haproxy.org> Date: Thu, 1 Apr 2021 15:48:21 +0200 Subject: [PATCH] BUG/MEDIUM: ssl: ckch_inst->ctx not assigned with multi-bundle certificates When backporting patch 8218aed ("BUG/MINOR: ssl: Fix update of default certificate") in 2.2, a regression was introduced. The 2.2 multi-certificate loading code does not have the same code path and this part was not modified, introducing a segfault when trying to start haproxy with a multi-certificate bundle. This patch fixes the problem by setting the ckch_inst->ctx variable in ckch_inst_new_load_multi_store(). No backport needed, 2.2 only. --- src/ssl_sock.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 14311370f3..627de34761 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3340,9 +3340,16 @@ int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *ckchs, /* Mark a default context if none exists, using the ctx that has the most shared keys */ - if (!bind_conf->default_ctx) { - for (i = SSL_SOCK_POSSIBLE_KT_COMBOS - 1; i >= 0; i--) { - if (key_combos[i].ctx) { + for (i = SSL_SOCK_POSSIBLE_KT_COMBOS - 1; i >= 0; i--) { + if (key_combos[i].ctx) { + if (!ckch_inst->ctx) { + /* Always keep a reference to the newly constructed SSL_CTX in the + * instance. This way if the instance has no SNIs, the SSL_CTX will + * still be linked. */ + SSL_CTX_up_ref(key_combos[i].ctx); + ckch_inst->ctx = key_combos[i].ctx; + } + if (!bind_conf->default_ctx) { bind_conf->default_ctx = key_combos[i].ctx; bind_conf->default_ssl_conf = ssl_conf; ckch_inst->is_default = 1; -- 2.26.3
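Review bot: the new `SSL_CTX_up_ref(key_combos[i].ctx)` in the loop takes an extra reference that nothing in this hunk pairs with a release; confirm that the path that frees a ckch_inst drops `ckch_inst->ctx` with `SSL_CTX_free()`, otherwise every reload or deletion of a multi-bundle instance leaks an SSL_CTX. The hunk also ends before the loop's closing braces: since the `if (!bind_conf->default_ctx)` check moved inside the `for`, check that the brace nesting of the remaining body is still balanced and that the loop still exits once `ckch_inst->ctx` and the default context are both set, rather than walking all SSL_SOCK_POSSIBLE_KT_COMBOS entries on every call. A one-line note in the commit message that `ckch_inst->ctx` now holds the highest-index combo's context (the loop runs from `SSL_SOCK_POSSIBLE_KT_COMBOS - 1` down) would make the intended behaviour explicit for the 2.2-only code path.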