When using multicertificate bundles (i.e. .rsa, .ecdsa and .dsa files) HAProxy fails to load certificates at random.
This is caused by an attempt to load the DH parameters from the NULL pointer instead of the corresponding bundle, which leaves an error in the queue. This patch makes ssl_sock_load_multi_cert use the correct bundle identifier instead, which in turn prevents the error (after the BIO tries to open NULL in read-only mode). For any legal matters, please consider this contribution in the public domain. Please backport to 1.8 and 1.7; it will apply correctly at least on 1.8.
--- src/ssl_sock.c +++ src/ssl_sock.c @@ -3131,11 +3131,11 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con if (ssl_dh_ptr_index >= 0) SSL_CTX_set_ex_data(cur_ctx, ssl_dh_ptr_index, NULL); - rv = ssl_sock_load_dh_params(cur_ctx, NULL); + rv = ssl_sock_load_dh_params(cur_ctx, cur_file); if (rv < 0) { if (err) memprintf(err, "%sunable to load DH parameters from file '%s'.\n", - *err ? *err : "", path); + *err ? *err : "", cur_file); rv = 1; goto end; }
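Review bot: the second change in the hunk, switching the memprintf argument from path to cur_file, is not covered by the description; it is the right companion change, since the message now names the per-extension bundle file that was actually opened rather than the base path, so state it explicitly in the commit message. Also, the description only confirms that the hunk applies on 1.8; before asking for a 1.7 backport, say whether the same two lines were checked against the 1.7 version of ssl_sock_load_multi_cert.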