Package: haproxy
Version: 1.8.13-1~bpo9+1

Dear maintainer,

I have found that haproxy (both stable and backported) is unable to correctly 
load multiple certificate bundles using multicert setups.
The application reports errors loading the certificate chain, but I could 
pinpoint the issue to the way in which dhparams are loaded.
Sadly, this is the only way to provide both an ECDSA and an RSA key to connecting 
users on systems like Debian Stretch where openssl-1.1.1 isn't available.
I have written, compiled and tested the attached patch. I would be very 
thankful if it could be included in your next backports build.
I have also submitted the patch to upstream for consideration.

I am using Debian 9.0 and the haproxy package from the stretch-backports.

Yours truly,
Francisco Izquierdo (klondike)

From: Francisco Blas Izquierdo Riera (klondike) <klond...@klondike.es>
Subject: BUG/MEDIUM ssl: Fix loading of dhparams in multicert setups.
MIME-Version: 1.0
Content-Type: text/plain
Content-Language: en-US; charset=utf-8
Content-Transfer-Encoding: 7bit

When using multicertificate bundles (i.e. .rsa, .ecdsa and .dsa files) HAProxy
fails to load certificates at random.

This is caused by an attempt to load the DH parameters from the NULL pointer
instead of the corresponding bundle which leaves an error in the queue.

This patch makes ssl_sock_load_multi_cert use the correct bundle
identifier instead, which in turn prevents the error (after the BIO tries to
open NULL in read-only mode).

For any legal matters, please consider this contribution on the public domain.

Please backport to 1.8 and 1.7; it will apply correctly at least on 1.8.

--- src/ssl_sock.c
+++ src/ssl_sock.c
@@ -3131,11 +3131,11 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
 			if (ssl_dh_ptr_index >= 0)
 				SSL_CTX_set_ex_data(cur_ctx, ssl_dh_ptr_index, NULL);
 
-			rv = ssl_sock_load_dh_params(cur_ctx, NULL);
+			rv = ssl_sock_load_dh_params(cur_ctx, cur_file);
 			if (rv < 0) {
 				if (err)
 					memprintf(err, "%sunable to load DH parameters from file '%s'.\n",
-							*err ? *err : "", path);
+							*err ? *err : "", cur_file);
 				rv = 1;
 				goto end;
 			}
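Review bot: the hunk does not show where `cur_file` is declared; before merging, confirm it is the per-bundle file path in scope at this point of the loop (the `.rsa`/`.ecdsa`/`.dsa` variant currently being loaded), and that `ssl_sock_load_dh_params(cur_ctx, cur_file)` returns a non-negative value when that file contains no DH parameters, since a negative return here takes the `goto end` path and aborts loading of the whole bundle. The matching change of the `memprintf` argument from `path` to `cur_file` is a good catch: the previous message named the bundle prefix while the load was attempted on a different (NULL) source, so the reported file name and the actual failure did not match.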
