From aa0d6372922882f58b54f851dfd7ca1f5a71b26d Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet
Date: Wed, 9 Aug 2017 11:24:25 +0200
Subject: [PATCH] MINOR: ssl: allow to start without certificate if strict-sni is set

With strict-sni, ssl connection will fail if no certificate match. Have no certificate in bind line, fail on all ssl connections. It's ok with the behavior of strict-sni. When 'generate-certificates' is set 'strict-sni' is never used. When 'strict-sni' is set, default_ctx is never used. Allow to start without certificate only in this case. Use case is to start haproxy with ssl before customer start to use certificates. Typically with 'crt' on a empty directory and 'strict-sni' parameters.

---
 src/ssl_sock.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index d81dd70cb..8d38f2859 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4283,9 +4283,15 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 return 0;
 }
 if (!bind_conf->default_ctx) {
- Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
- px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
- return -1;
+ if (bind_conf->strict_sni && !bind_conf->generate_certs) {
+ Warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
+ px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ }
+ else {
+ Alert("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d] (use 'crt').\n",
+ px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
+ return -1;
+ }
 }
 alloc_ctx = shared_context_init(global.tune.sslcachesize, (!global_ssl.private_cache && (global.nbproc > 1)) ? 1 : 0);
-- 
2.47.3
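Review bot: The new `strict_sni && !generate_certs` branch lets `ssl_sock_prepare_bind_conf` continue with `bind_conf->default_ctx` still NULL, and nothing in the hunk guards the later users of that pointer (the rest of this function, the per-context preparation it feeds, and presumably the SNI-switch fallback that `strict_sni` is meant to bypass), so a config-time Alert may have been traded for a NULL dereference at startup or on the first handshake. Each unconditional dereference of `default_ctx` downstream needs a check such as `if (bind_conf->default_ctx)`, or the commit message should state where that guarantee already holds. The branch also deserves a comment saying why NULL is acceptable here, e.g. `/* strict-sni with no certificate: every SNI miss is refused at the handshake and default_ctx is never consulted, so the listener fails closed */`. The enclosing function starts and ends outside the hunk.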