Skip to content
Branch: master
Commits on Mar 24, 2020
  1. BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL

    wlallemand committed Mar 24, 2020
    Fix an infinite loop which was added in an attempt to fix #558.
    If the peers_fe is NULL, it will loop forever.
    Must be backported with a2cfd7e as far as 1.8.
  2. BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized

    wlallemand committed Mar 24, 2020
    Tim reported that in master-worker mode, if a stick-table is declared
    but not used in the configuration, its associated peers listener won't
    This problem is due the fact that the master-worker and the daemon mode,
    depend on the bind_proc field of the peers proxy to disable the listener.
    Unfortunately the bind_proc is left to 0 if no stick-table were used in
    the configuration, stopping the listener on all processes.
    This fixes sets the bind_proc to the first process if it wasn't
    Should fix bug #558. Should be backported as far as 1.8.
Commits on Mar 20, 2020
  1. BUG/MINOR: ssl/cli: fix a potential NULL dereference

    wlallemand committed Mar 20, 2020
    Fix a potential NULL dereference in "show ssl cert" when we can't
    allocate the <out> trash buffer.
    This patch creates a new label so we could jump without trying to do the
    ci_putchk in this case.
    This bug was introduced by ea987ed ("MINOR: ssl/cli: 'new ssl cert'
    command"). 2.2 only.
    This bug was referenced by issue #556.
  2. BUG/MINOR: ssl/cli: free BIO upon error in 'show ssl cert'

    wlallemand committed Mar 20, 2020
    Fix a memory leak that could happen upon a "show ssl cert" if notBefore:
    or notAfter: failed to extract its ASN1 string.
    Introduced by d4f946c ("MINOR: ssl/cli: 'show ssl cert' give information
    on the certificates"). 2.2 only.
  3. BUG/MINOR: ssl: crtlist_dup_filters() must return NULL with fcount == 0

    wlallemand committed Mar 20, 2020
    crtlist_dup_filters() must return a NULL ptr if the fcount number is 0.
    This bug was introduced by 2954c47 ("MEDIUM: ssl: allow crt-list caching").
Commits on Mar 19, 2020
  1. MINOR: ssl/cli: show certificate status in 'show ssl cert'

    wlallemand committed Mar 19, 2020
    Display the status of the certificate in 'show ssl cert'.
      Status: Empty
      Status: Unused
      Status: Used
  2. MINOR: ssl/cli: 'new ssl cert' command

    wlallemand committed Mar 19, 2020
    The CLI command "new ssl cert" allows one to create a new certificate
    store in memory. It can be filed with "set ssl cert" and "commit ssl
    This patch also made a small change in "show ssl cert" to handle an
    empty certificate store.
    Multi-certificate bundles are not supported since they will probably be
    removed soon.
    This feature alone is useless since there is no way to associate the
    store to a crt-list yet.
      $ echo "new ssl cert foobar.pem" | socat /tmp/sock1 -
      New empty certificate store 'foobar.pem'!
      $ printf "set ssl cert foobar.pem <<\n$(cat localhost.pem.rsa)\n\n" | socat /tmp/sock1 -
      Transaction created for certificate foobar.pem!
      $ echo "commit ssl cert foobar.pem" | socat /tmp/sock1 -
      Committing foobar.pem
      $ echo "show ssl cert foobar.pem" | socat /tmp/sock1 -
      Filename: foobar.pem
Commits on Mar 17, 2020
  1. BUG/MINOR: ssl: memleak of struct crtlist_entry

    wlallemand committed Mar 17, 2020
    There is a memleak of the entry structure in crtlist_load_cert_dir(), in
    the case we can't stat the file, or this is not a regular file. Let's
    move the entry allocation so it's done after these tests.
    Fix issue #551.
  2. BUG/MINOR: ssl: memory leak in crtlist_parse_file()

    wlallemand committed Mar 17, 2020
    A memory leak happens in an error case when ckchs_load_cert_file()
    returns NULL in crtlist_parse_file().
    This bug was introduced by commit 2954c47 ("MEDIUM: ssl: allow crt-list caching")
    This patch fixes bug #551.
  3. BUG/MINOR: ssl/cli: free the trash chunk in dump_crtlist

    wlallemand committed Mar 17, 2020
    Free the trash chunk after dumping the crt-lists.
    Introduced by a6ffd5b ("MINOR: ssl/cli: show/dump ssl crt-list").
  4. MINOR: ssl/cli: show/dump ssl crt-list

    wlallemand committed Mar 9, 2020
    Implement 2 new commands on the CLI:
    show ssl crt-list [<filename>]: Without a specified filename, display
    the list of crt-lists used by the configuration. If a filename is
    specified, it will displays the content of this crt-list, with a line
    identifier at the beginning of each line. This output must not be used
    as a crt-list file.
    dump ssl crt-list <filename>: Dump the content of a crt-list, the output
    can be used as a crt-list file.
    Note: It currently displays the default ssl-min-ver and ssl-max-ver
    which are potentialy not in the original file.
Commits on Mar 16, 2020
  1. BUG/MINOR: ssl: can't open directories anymore

    wlallemand committed Mar 16, 2020
    The commit 6be66ec ("MINOR: ssl: directories are loaded like crt-list")
    broke the directory loading of the certificates. The <crtlist> wasn't
    filled by the crtlist_load_cert_dir() function. And the entries were
    not correctly initialized. Leading to a segfault during startup.
  2. MINOR: ssl: directories are loaded like crt-list

    wlallemand committed Mar 6, 2020
    Generate a directory cache with the crtlist and crtlist_entry structures.
    With this new model, directories are a special case of the crt-lists.
    A directory is a crt-list which allows only one occurence of each file,
    without SSL configuration (ssl_bind_conf) and without filters.
  3. MEDIUM: ssl: allow crt-list caching

    wlallemand committed Mar 6, 2020
    The crtlist structure defines a crt-list in the HAProxy configuration.
    It contains crtlist_entry structures which are the lines in a crt-list
    crt-list are now loaded in memory using crtlist and crtlist_entry
    structures. The file is read only once. The generation algorithm changed
    a little bit, new ckch instances are generated from the crtlist
    structures, instead of being generated during the file loading.
    The loading function was split in two, one that loads and caches the
    crt-list and certificates, and one that looks for a crt-list and creates
    the ckch instances.
    Filters are also stored in crtlist_entry->filters as a char ** so we can
    generate the sni_ctx again if needed. I won't be needed anymore to parse
    the sni_ctx to do that.
    A crtlist_entry stores the list of all ckch_inst that were generated
    from this entry.
  4. MINOR: ssl: pass ckch_inst to ssl_sock_load_ckchs()

    wlallemand committed Mar 9, 2020
    Pass a pointer to the struct ckch_inst to the ssl_sock_load_ckchs()
    function so we can manipulate the ckch_inst from
    ssl_sock_load_cert_list_file() and ssl_sock_load_cert().
  5. REORG: ssl: move ssl_sock_load_cert()

    wlallemand committed Mar 16, 2020
    Move the ssl_sock_load_cert() at the right place.
Commits on Mar 10, 2020
  1. CLEANUP: ssl: separate the directory loading in a new function

    wlallemand committed Mar 6, 2020
    In order to store and cache the directory loading, the directory loading
    was separated from ssl_sock_load_cert() and put in a new function
    ssl_sock_load_cert_dir() to be more readable.
    This patch only splits the function in two.
Commits on Mar 9, 2020
  1. BUG/MINOR: ssl/cli: sni_ctx' mustn't always be used as filters

    wlallemand committed Mar 9, 2020
    Since commit 244b070 ("MINOR: ssl/cli: support crt-list filters"),
    HAProxy generates a list of filters based on the sni_ctx in memory.
    However it's not always relevant, sometimes no filters were configured
    and the CN/SAN in the new certificate are not the same.
    This patch fixes the issue by using a flag filters in the ckch_inst, so
    we are able to know if there were filters or not. In the late case it
    uses the CN/SAN of the new certificate to generate the sni_ctx.
    note: filters are still only used in the crt-list atm.
  2. CLEANUP: ssl: is_default is a bit in ckch_inst

    wlallemand committed Mar 9, 2020
    The field is_default becomes a bit in the ckch_inst structure.
Commits on Mar 5, 2020
  1. MINOR: ssl: reach a ckch_store from a sni_ctx

    wlallemand committed Mar 5, 2020
    It was only possible to go down from the ckch_store to the sni_ctx but
    not to go up from the sni_ctx to the ckch_store.
    To allow that, 2 pointers were added:
    - a ckch_inst pointer in the struct sni_ctx
    - a ckckh_store pointer in the struct ckch_inst
  2. MINOR: ssl/cli: support crt-list filters

    wlallemand committed Dec 4, 2019
    Generate a list of the previous filters when updating a certificate
    which use filters in crt-list. Then pass this list to the function
    generating the sni_ctx during the commit.
    This feature allows the update of the crt-list certificates which uses
    the filters with "set ssl cert".
    This function could be probably replaced by creating a new
    ckch_inst_new_load_store() function which take the previous sni_ctx list as
    an argument instead of the char **sni_filter, avoiding the
    allocation/copy during runtime for each filter. But since are still
    handling the multi-cert bundles, it's better this way to avoid code
You can’t perform that action at this time.