Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-09 Thread Emmanuel Hocdet
Le 9 août 2017 à 11:13, Willy Tarreau a écrit :On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote:Le 9 août 2017 à 08:37, Willy Tarreau a écrit :Hi Manu,On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote:Hi Willy, Emeric, ChristopherThe new

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-09 Thread Willy Tarreau
On Wed, Aug 09, 2017 at 10:26:54AM +0200, Emmanuel Hocdet wrote: > > > Le 9 août 2017 à 08:37, Willy Tarreau a écrit : > > > > Hi Manu, > > > > On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote: > >> Hi Willy, Emeric, Christopher > >> > >> The new patch is much

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-09 Thread Emmanuel Hocdet
> Le 9 août 2017 à 08:37, Willy Tarreau a écrit : > > Hi Manu, > > On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote: >> Hi Willy, Emeric, Christopher >> >> The new patch is much simpler: > >> From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-09 Thread Willy Tarreau
Hi Manu, On Tue, Aug 08, 2017 at 03:00:47PM +0200, Emmanuel Hocdet wrote: > Hi Willy, Emeric, Christopher > > The new patch is much simpler: > From f2918c87910f3ba18a2536eee5f4b9573cc695e3 Mon Sep 17 00:00:00 2001 > From: Emmanuel Hocdet > Date: Sun, 30 Jul 2017 18:29:04 +0200

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-08-08 Thread Emmanuel Hocdet
Hi Willy, Emeric, Christopher The new patch is much simpler: ++ Manu 0001-MINOR-ssl-allow-to-start-without-certificate-if-stri.patch Description: Binary data > Le 28 juil. 2017 à 23:24, Willy Tarreau a écrit : > > On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Willy Tarreau
On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet wrote: > > I think it's fine not to have a default_cert if not needed > > The default_cert is always set with the first certificate. > The default_cert is used if no certificate match sni. > With strict-sni, the default_cert is never used

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 18:43, Willy Tarreau a écrit : > > On Fri, Jul 28, 2017 at 06:01:10PM +0200, Emmanuel Hocdet wrote: >> >>> Le 28 juil. 2017 à 17:48, Emmanuel Hocdet a écrit : >>> I propose: >>> strict_sni is set and generated_cert is not set: default_cert is

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Willy Tarreau
On Fri, Jul 28, 2017 at 06:01:10PM +0200, Emmanuel Hocdet wrote: > > > Le 28 juil. 2017 à 17:48, Emmanuel Hocdet a écrit : > > I propose: > > strict_sni is set and generated_cert is not set: default_cert is optional > > (with or without warning?) > > else default_cert is

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 17:48, Emmanuel Hocdet a écrit : > >> >> Le 28 juil. 2017 à 17:13, Willy Tarreau a écrit : >> >> On Fri, Jul 28, 2017 at 05:04:16PM +0200, Emmanuel Hocdet wrote: >>> I talk with the case we don't want a default cert. With strict-sni the «

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 17:13, Willy Tarreau a écrit : > > On Fri, Jul 28, 2017 at 05:04:16PM +0200, Emmanuel Hocdet wrote: >> I talk with the case we don't want a default cert. With strict-sni the « fake >> » default_cert can be use if it as sni (i don't want that ideally). >> with

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Willy Tarreau
On Fri, Jul 28, 2017 at 05:04:16PM +0200, Emmanuel Hocdet wrote: > I talk with the case we don't want a default cert. With strict-sni the « fake > » default_cert can be use if it as sni (i don't want that ideally). > with strict-sni: no certificate match sni -> no ssl connection. > I add

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 16:24, Christopher Faulet > a écrit : > > Le 28/07/2017 à 12:41, Emmanuel Hocdet a écrit : >> A useless certificat should be provide with haproxy configuration?, it’s >> definitely a workaround. It’s legacy from pre SNI. > > Not really.

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
Le 28/07/2017 à 16:35, Emmanuel Hocdet a écrit : okay compat… SSL_free should not be call until pkey is dup. for SSL_get_privatekey: "These functions retrieve certificate and key data from an SSL object. They return internal pointers that must not be freed by the application program. »

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 15:37, Christopher Faulet a écrit : > > Le 28/07/2017 à 14:28, Emmanuel Hocdet a écrit : >> . fix generate_certificates issue >> perhaps it’s more simple to do: >> *diff --git a/src/ssl_sock.c b/src/ssl_sock.c* >> *index c71c2e3..311d465 100644* >> *---

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
Le 28/07/2017 à 12:41, Emmanuel Hocdet a écrit : A useless certificat should be provide with haproxy configuration?, it’s definitely a workaround. It’s legacy from pre SNI. Not really. The default certificate is not useless. It is the certificate to use when no other matches. Expect if

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
Le 28/07/2017 à 14:28, Emmanuel Hocdet a écrit : . fix generate_certificates issue perhaps it’s more simple to do: *diff --git a/src/ssl_sock.c b/src/ssl_sock.c* *index c71c2e3..311d465 100644* *--- a/src/ssl_sock.c* *+++ b/src/ssl_sock.c* @@ -1587,7 +1587,7 @@ssl_sock_do_create_cert(const char

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
> Le 28 juil. 2017 à 12:41, Emmanuel Hocdet a écrit : > > > Hi Christopher > >> Le 28 juil. 2017 à 11:08, Christopher Faulet > > a écrit : >> >> Le 27/07/2017 à 18:16, Emmanuel Hocdet a écrit : >>> Hi Willy, Emeric >>> Can

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Emmanuel Hocdet
Hi Christopher > Le 28 juil. 2017 à 11:08, Christopher Faulet a écrit : > > Le 27/07/2017 à 18:16, Emmanuel Hocdet a écrit : >> Hi Willy, Emeric >> Can you consider this patch? I think it’s safe and it not depend on any >> openssl version. >> (It’s possible since patch

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Willy Tarreau
On Fri, Jul 28, 2017 at 11:08:33AM +0200, Christopher Faulet wrote: > But it is definitely in conflict with you current patch. Because without > initial_ctx, we need to have a default_ctx. So I can probably work around > this problem. But before doing it, I prefer to know if your patch will be >

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
Le 27/07/2017 à 18:16, Emmanuel Hocdet a écrit : Hi Willy, Emeric Can you consider this patch? I think it’s safe and it not depend on any openssl version. (It’s possible since patch f6b37c67) Hi Manu, Since this commit, the certificates generation doesn't work anymore. I'm working on a

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-27 Thread Emmanuel Hocdet
Hi Willy, Emeric Can you consider this patch? I think it’s safe and it not depend on any openssl version. (It’s possible since patch f6b37c67) ++ Manu > Le 16 juin 2017 à 10:48, Emmanuel Hocdet a écrit : > >> Le 15 juin 2017 à 16:42, Simos Xenitellis

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-16 Thread Emmanuel Hocdet
> Le 15 juin 2017 à 16:42, Simos Xenitellis a > écrit : > > On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet wrote: >> In haproxy 1.8dev, default certificate can now be optional. >> This patch allow that. >> > > Thanks Manu for looking into this.

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-15 Thread Simos Xenitellis
On Mon, Jun 12, 2017 at 5:21 PM, Emmanuel Hocdet wrote: > In haproxy 1.8dev, default certificate can now be optional. > This patch allow that. > Thanks Manu for looking into this. Here is my use-case: 1. A "frontend" would bind on port 80 and then look whether a request is from

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Emmanuel Hocdet
> Le 14 juin 2017 à 13:58, Dennis Jacobfeuerborn a > écrit : > > On 12.06.2017 16:21, Emmanuel Hocdet wrote: >> In haproxy 1.8dev, default certificate can now be optional. >> This patch allow that. > > This looks like a big footgun. While the idea is interesting and

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Georg Faerber
On 17-06-14 13:58:01, Dennis Jacobfeuerborn wrote: > On 12.06.2017 16:21, Emmanuel Hocdet wrote: > > In haproxy 1.8dev, default certificate can now be optional. > > This patch allow that. > > This looks like a big footgun. While the idea is interesting and > useful if this is to be considered at

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-06-14 Thread Dennis Jacobfeuerborn
On 12.06.2017 16:21, Emmanuel Hocdet wrote: > In haproxy 1.8dev, default certificate can now be optional. > This patch allow that. This looks like a big footgun. While the idea is interesting and useful if this is to be considered at all this behavior should only be allowed after the user