commit 6338b7d4a884639f98823e885325a50750f72e04 Author: William Lallemand Date: Tue Dec 28 18:47:17 2021 +0100 BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client certificates in a ckch for backend servers") in which the creation of the SSL_CTX for a server was moved to the configuration parser when using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx(). The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by server") made it worse by setting the same SSL_CTX for every servers using a default-server. Resulting in any SSL option on a server applied to every server in its backend. This patch fixes the issue by reintroducing a string which store the path of certificate inside the server structure, and loading the certificate in ssl_sock_prepare_srv_ctx() again. This is a quick fix to backport, a cleaner way can be achieve by always creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting properly the ssl_sock_load_srv_cert() function. This patch fixes issue #1488. Must be backported as far as 2.4. (cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32) Signed-off-by: Willy Tarreau (cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98) [wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4, thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches what srv_parse_crt() used to do] Signed-off-by: Willy Tarreau --- a/include/haproxy/server-t.h +++ b/include/haproxy/server-t.h @@ -364,6 +364,7 @@ struct server { char *verify_host; /* hostname of certificate must match this host */ char *ca_file; /* CAfile to use on verify */ char *crl_file; /* CRLfile to use on verify */ + char *client_crt; /* client certificate to send */ struct sample_expr *sni; /* sample expression for SNI */ #ifdef OPENSSL_NPN_NEGOTIATED char *npn_str; /* NPN protocol string */ --- a/reg-tests/ssl/ssl_default_server.vtc +++ b/reg-tests/ssl/ssl_default_server.vtc @@ -15,7 +15,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'versi feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'" feature ignore_unknown_macro -server s1 -repeat 7 { +server s1 -repeat 10 { rxreq txresp } -start @@ -56,7 +56,10 @@ haproxy h1 -conf { backend third_be default-server ssl crt client1.pem ca-file ca-auth.crt verify none - server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem + server s1 "${tmpdir}/ssl.sock" + server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem + server s3 "${tmpdir}/ssl.sock" + server s4 "${tmpdir}/ssl.sock" backend fourth_be default-server ssl crt client1.pem verify none @@ -106,9 +109,25 @@ client c1 -connect ${h1_clearlst_sock} { txreq rxresp expect resp.status == 200 + expect resp.http.x-ssl == "Ok" +} -run + +client c1 -connect ${h1_clearlst_sock} { + txreq -url "/third" + txreq + rxresp + expect resp.status == 200 expect resp.http.x-ssl == "Expired" } -run +client c1 -connect ${h1_clearlst_sock} -repeat 2 { + txreq -url "/third" + txreq + rxresp + expect resp.status == 200 + expect resp.http.x-ssl == "Ok" +} -run + client c1 -connect ${h1_clearlst_sock} { txreq -url "/fourth" txreq --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c @@ -1450,25 +1450,17 @@ static int srv_parse_crl_file(char **arg /* parse the "crt" server keyword */ static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { - int retval = -1; - char *path = NULL; - if (!*args[*cur_arg + 1]) { memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]); return ERR_ALERT | ERR_FATAL; } if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base) - memprintf(&path, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]); + memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]); else - memprintf(&path, "%s", args[*cur_arg + 1]); - - if (path) { - retval = ssl_sock_load_srv_cert(path, newsrv, err); - free(path); - } + memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]); - return retval; + return 0; } /* parse the "no-check-ssl" server keyword */ --- a/src/server.c +++ b/src/server.c @@ -2063,6 +2063,8 @@ static void srv_conn_src_cpy(struct serv static void srv_ssl_settings_cpy(struct server *srv, struct server *src) { /* is the current proxy's default server and SSL is enabled */ + BUG_ON(src->ssl_ctx.ctx != NULL); /* the SSL_CTX must never be initialized in a default-server */ + if (src == &srv->proxy->defsrv && src->use_ssl == 1) srv->flags |= SRV_F_DEFSRV_USE_SSL; @@ -2070,10 +2072,11 @@ static void srv_ssl_settings_cpy(struct srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file); if (src->ssl_ctx.crl_file != NULL) srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file); + if (src->ssl_ctx.client_crt != NULL) + srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt); srv->ssl_ctx.verify = src->ssl_ctx.verify; - srv->ssl_ctx.ctx = src->ssl_ctx.ctx; if (src->ssl_ctx.verify_host != NULL) srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host); --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4669,7 +4669,7 @@ int ssl_sock_prepare_srv_ctx(struct serv { struct proxy *curproxy = srv->proxy; int cfgerr = 0; - SSL_CTX *ctx = srv->ssl_ctx.ctx; + SSL_CTX *ctx; /* Make sure openssl opens /dev/urandom before the chroot */ if (!ssl_initialize_random()) { @@ -4693,6 +4693,26 @@ int ssl_sock_prepare_srv_ctx(struct serv if (srv->use_ssl == 1) srv->xprt = &ssl_sock; + if (srv->ssl_ctx.client_crt) { + char *err = NULL; + int err_code = 0; + + /* If there is a crt keyword there, the SSL_CTX will be created here. */ + err_code = ssl_sock_load_srv_cert(srv->ssl_ctx.client_crt, srv, &err); + if (err_code != ERR_NONE) { + if ((err_code & ERR_WARN) && !(err_code & ERR_ALERT)) + ha_warning("%s", err); + else + ha_alert("%s", err); + + if (err_code & (ERR_FATAL|ERR_ABORT)) + cfgerr++; + } + ha_free(&err); + } + + ctx = srv->ssl_ctx.ctx; + /* The context will be uninitialized if there wasn't any "cert" option * in the server line. */ if (!ctx) {