haproxy/include/proto
Christopher Faulet 96c7b8dbd2 BUG/MINOR: ssl: Fix check against SNI during server certificate verification
This patch fixes the commit 2ab8867 ("MINOR: ssl: compare server certificate
names to the SNI on outgoing connections")

When we check the certificate sent by a server, in the verify callback, we get
the SNI from the session (SSL_SESSION object). In OpenSSL, tlsext_hostname value
for this session is copied from the ssl connection (SSL object). But the copy is
done only if the "server_name" extension is found in the server hello
message. This means the server has found a certificate matching the client's
SNI.

When the server returns a default certificate not matching the client's SNI, it
doesn't set any "server_name" extension in the server hello message. So no SNI
is set on the SSL session and SSL_SESSION_get0_hostname always returns NULL.

To fix the problem, we get the SNI directly from the SSL connection. It is
always defined with the value set by the client.

If the commit 2ab8867 is backported in 1.7 and/or 1.6, this one must be
backported too.

Note: it's worth mentioning that by making the SNI check work, we
      introduce another problem by which failed SNI checks can cause
      long connection retries on the server, and in certain cases the
      SNI value used comes from the client. So this patch series must
      not be backported until this issue is resolved.
2017-07-26 19:43:33 +02:00
acl.h MAJOR: sample: pass a pointer to the session to each sample fetch function 2015-04-06 11:37:25 +02:00
action.h MINOR: http/tcp: fill the available actions 2015-10-02 22:56:11 +02:00
applet.h MAJOR: applet: applet scheduler rework. 2017-06-27 14:38:02 +02:00
arg.h MINOR: sample: Moves ARGS underlying type from 32 to 64 bits. 2016-03-15 22:11:52 +01:00
auth.h MEDIUM: pattern: The match function browse itself the list or the tree. 2014-03-17 18:06:07 +01:00
backend.h MINOR: backends: Change get_server_sh/get_server_uh into private function 2017-06-27 14:38:02 +02:00
channel.h CLEANUP: http: Remove channel_congested function 2017-03-31 14:38:08 +02:00
checks.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
cli.h MINOR: cli: create new function cli_has_level() to validate permissions 2016-11-24 16:59:27 +01:00
compression.h REORG: filters: Prepare creation of the HTTP compression filter 2016-02-09 14:53:15 +01:00
connection.h MINOR: connection: add a .get_alpn() method to xprt_ops 2017-06-27 14:38:02 +02:00
dns.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
fd.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
filters.h CLEANUP: filters: use the function registration to initialize all proxies 2016-12-21 21:30:54 +01:00
flt_http_comp.h MAJOR: filters/http: Rewrite the HTTP compression as a filter 2016-02-09 14:53:15 +01:00
freq_ctr.h BUG/MINOR: freq-ctr: make swrate_add() support larger values 2016-11-25 11:55:10 +01:00
frontend.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
hdr_idx.h CLEANUP: hdr_idx: make some function arguments const where possible 2017-07-17 21:11:30 +02:00
hlua.h BUILD/MINOR: lua: ensure that hlua_ctx_destroy is properly defined 2015-06-17 20:18:54 +02:00
hlua_fcn.h MINOR: lua: add utility function for check boolean argument 2016-11-24 21:35:10 +01:00
lb_chash.h [MEDIUM] backend: implement consistent hashing variation 2009-10-09 07:17:58 +02:00
lb_fas.h MEDIUM: backend: add the 'first' balancing algorithm 2012-02-21 22:27:27 +01:00
lb_fwlc.h [CLEANUP] backend: move LB algos to individual files 2009-10-01 11:19:37 +02:00
lb_fwrr.h [CLEANUP] backend: move LB algos to individual files 2009-10-01 11:19:37 +02:00
lb_map.h [MINOR] lb_map: reorder code in order to ease integration of new hash functions 2009-10-01 21:11:15 +02:00
listener.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
log.h MEDIUM: log-format: Use standard HAProxy log system to report errors 2016-11-25 07:32:58 +01:00
map.h MINOR: samples: rename some struct member from "smp" to "data" 2015-08-20 17:13:46 +02:00
obj_type.h CLEANUP: applet: rename struct si_applet to applet 2015-04-23 17:56:16 +02:00
openssl-compat.h BUG/MINOR: ssl: Fix check against SNI during server certificate verification 2017-07-26 19:43:33 +02:00
pattern.h BUG/MEDIUM: map/acl: fix unwanted flags inheritance. 2017-07-04 10:45:53 +02:00
payload.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
peers.h MAJOR: peers: peers protocol version 2.0 2015-05-29 15:50:33 +02:00
pipe.h [MEDIUM] introduce pipe pools 2009-01-25 13:49:53 +01:00
port_range.h [MEDIUM] add support for binding to source port ranges during connect 2009-06-10 12:23:32 +02:00
proto_http.h DOC: update RFC references 2017-04-28 18:58:11 +02:00
proto_tcp.h REORG: tcp-rules: move tcp rules processing to their own file 2016-11-25 15:57:38 +01:00
proto_udp.h CLEANUP: fix inconsistency between fd->iocb, proto->accept and accept() 2016-04-14 11:18:22 +02:00
proto_uxst.h REORG/MAJOR: session: rename the "session" entity to "stream" 2015-04-06 11:23:56 +02:00
protocol.h MEDIUM: protocol: use a family array to index the protocol handlers 2015-02-28 23:12:31 +01:00
proxy.h MINOR: proxy: Don't close FDs if not our proxy. 2017-04-13 19:15:17 +02:00
queue.h MINOR: queue: Change pendconn_from_srv/pendconn_from_px into private functions 2017-06-27 14:38:02 +02:00
raw_sock.h CLEANUP: connection: unexport raw_sock and ssl_sock 2016-12-22 23:26:38 +01:00
sample.h MINOR: samples: Handle the type SMP_T_METH in smp_is_safe and smp_is_rw 2017-07-24 17:16:00 +02:00
server.h MAJOR/REORG: dns: DNS resolution task and requester queues 2017-06-02 11:58:54 +02:00
session.h MINOR: session: introduce session_new() 2015-04-06 11:37:33 +02:00
shctx.h BUG/MAJOR: ssl: Fallback to private session cache if current lock mode is not supported. 2014-05-08 22:46:32 +02:00
signal.h CLEANUP: includes: fix includes for a number of users of fd.h 2012-09-03 20:49:14 +02:00
spoe.h REORG: spoe: move spoe_encode_varint / spoe_decode_varint from spoe to common 2017-04-27 11:50:41 +02:00
ssl_sock.h MEDIUM: ssl: add basic support for OpenSSL crypto engine 2017-05-27 07:05:00 +02:00
stats.h BUG/MINOR: stats: make field_str() return an empty string on NULL 2016-11-26 15:58:37 +01:00
stick_table.h REORG: stkctr: move all the stick counters processing to stick-tables.c 2016-11-25 16:10:05 +01:00
stream.h BUG/MINOR: stream: flag TASK_WOKEN_RES not set if task in runqueue 2017-06-27 14:37:52 +02:00
stream_interface.h CLEANUP: connection: completely remove CO_FL_WAKE_DATA 2017-03-19 12:18:27 +01:00
task.h MINOR: task: always preinitialize the task's timeout in task_init() 2017-07-24 17:52:58 +02:00
tcp_rules.h REORG: tcp-rules: move tcp rules processing to their own file 2016-11-25 15:57:38 +01:00
template.h [CLEANUP] included common/version.h everywhere 2006-06-29 18:54:54 +02:00
vars.h MINOR: vars: Add 'unset-var' action/converter 2016-11-09 22:57:01 +01:00