On Thu, Apr 01, 2021 at 02:26:07PM +0200, William Lallemand wrote:
> On Thu, Apr 01, 2021 at 10:19:31AM +0000, Jarno Huuskonen wrote:
> > Hello,
> > 
> > I'm seeing a regression with 2.2.12 and using rsa and ecdsa certs on bind.
> > (cert1.pem.ecdsa
> > cert1.pem.ecdsa.ocsp
> > cert1.pem.ocsp
> > cert1.pem.rsa
> > cert1.pem.rsa.ocsp
> > )
> > 
> 
> Thanks for the report, I can reproduce the problem, I'm investigating.
> 

Could you try the attached patch?

Thanks

-- 
William Lallemand
From 3adeb8baf45c2f775848770b349cfa5e3fdd561b Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallem...@haproxy.org>
Date: Thu, 1 Apr 2021 15:48:21 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: ckch_inst->ctx not assigned with
 multi-bundle certificates

When backporting patch 8218aed ("BUG/MINOR: ssl: Fix update of default
certificate") in 2.2, a regression was introduced. The 2.2
multi-certificate loading code does not have the same code path and this
part was not modified, introducing a segfault when trying to start
haproxy with a multi-certificate bundle.

This patch fixes the problem by setting the ckch_inst->ctx variable in
ckch_inst_new_load_multi_store().

No backport needed, 2.2 only.
---
 src/ssl_sock.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 14311370f3..627de34761 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3340,9 +3340,16 @@ int ckch_inst_new_load_multi_store(const char *path, struct ckch_store *ckchs,
 
 
 	/* Mark a default context if none exists, using the ctx that has the most shared keys */
-	if (!bind_conf->default_ctx) {
-		for (i = SSL_SOCK_POSSIBLE_KT_COMBOS - 1; i >= 0; i--) {
-			if (key_combos[i].ctx) {
+	for (i = SSL_SOCK_POSSIBLE_KT_COMBOS - 1; i >= 0; i--) {
+		if (key_combos[i].ctx) {
+			if (!ckch_inst->ctx) {
+				/* Always keep a reference to the newly constructed SSL_CTX in the
+				 * instance. This way if the instance has no SNIs, the SSL_CTX will
+				 * still be linked. */
+				SSL_CTX_up_ref(key_combos[i].ctx);
+				ckch_inst->ctx = key_combos[i].ctx;
+			}
+			if (!bind_conf->default_ctx) {
 				bind_conf->default_ctx = key_combos[i].ctx;
 				bind_conf->default_ssl_conf = ssl_conf;
 				ckch_inst->is_default = 1;
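Review bot: the comment kept at the top of the hunk ("Mark a default context if none exists, using the ctx that has the most shared keys") now describes only half of what the loop does: the loop is no longer guarded by `!bind_conf->default_ctx`, and its first job is now to pick `ckch_inst->ctx`, so the comment should say that the highest-ranked ctx is also stored in the instance to keep the SSL_CTX referenced when there are no SNIs. Also, `SSL_CTX_up_ref(key_combos[i].ctx)` takes a reference that has to be balanced by an `SSL_CTX_free(ckch_inst->ctx)` on the instance release path; that path is not part of this patch, so it is worth confirming it already frees `ctx`, otherwise each bundle load leaks one reference. Finally, with the outer `if` removed the loop walks every combo even after both `ckch_inst->ctx` and `bind_conf->default_ctx` are set; harmless, but a `break` once both are assigned would avoid the extra iterations.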
-- 
2.26.3
