Branch: master
Commits on Feb 10, 2020
  1. DOC: schematic of the SSL certificates architecture

    wlallemand committed Feb 10, 2020
    This patch provides a schematic of the new architecture based on the
    struct cert_key_and_chain which appeared with haproxy 2.1.
    
    Could be backported in 2.1
Commits on Feb 7, 2020
  1. BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init

    wlallemand committed Feb 7, 2020
    The code which is supposed to apply the bind_conf configuration on the
    SSL_CTX was not called correctly. Indeed it was called with the previous
    SSL_CTX so the new ones were left with default settings. For example the
    ciphers were not changed.
    
    This patch fixes #429.
    
    Must be backported in 2.1.
Commits on Feb 5, 2020
  1. BUG/MINOR: ssl: clear the SSL errors on DH loading failure

    wlallemand committed Feb 5, 2020
    In ssl_sock_load_dh_params(), if haproxy failed to apply the dhparam
    with SSL_CTX_set_tmp_dh(), it will apply the DH with
    SSL_CTX_set_dh_auto().
    
    The problem is that we don't clean the OpenSSL errors when leaving this
    function so it could fail to load the certificate, even if it's only a
    warning.
    
    Fixes bug #483.
    
    Must be backported in 2.1.
Commits on Feb 3, 2020
  1. MINOR: ssl: ssl-load-extra-files configure loading of files

    wlallemand committed Feb 3, 2020
    This new setting in the global section alters the way HAProxy will look
    for unspecified files (.ocsp, .sctl, .issuer, bundles) during the
    loading of the SSL certificates.
    
    By default, HAProxy discovers automatically a lot of files not specified
    in the configuration, and you may want to disable this behavior if you
    want to optimize the startup time.
    
    This patch sets flags in global_ssl.extra_files and then checks them
    before trying to load an extra file.