From d22badec85ecdc29510b96b3edea484d2bb2116a Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 31 Jul 2017 22:42:55 +0200
Subject: [PATCH] net/haproxy: merge version 1.17 from master

---
 net/haproxy/Makefile | 2 +-
 .../scripts/OPNsense/HAProxy/exportCerts.php | 23 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf | 16 +++----------
 3 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index a58cc14fe..754cb2054 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME= haproxy
-PLUGIN_VERSION= 1.16
+PLUGIN_VERSION= 1.17
 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS= haproxy
 PLUGIN_MAINTAINER= opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 1e6b29024..4ac6f7f62 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -51,6 +51,9 @@ foreach ($configNodes as $key => $value) {
 // lookup all config nodes
 if (isset($configObj->OPNsense->HAProxy->$key)) {
 foreach ($configObj->OPNsense->HAProxy->$key->children() as $child) {
+// generate a crt-list for every child node
+$crtlist = array();
+$crtlist_filename = "/var/etc/haproxy/ssl/" . (string)$child->id . ".crtlist";
 // search in all matching child elements for ssl data
 foreach ($configNodes[$key] as $sslchild) {
 if (isset($child->$sslchild)) {
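Review bot: `$crtlist_filename` is built by splicing `(string)$child->id` straight into a path under `/var/etc/haproxy/ssl/`, and nothing in this hunk constrains that id, so the export script relies entirely on the config model to keep it free of `/` and `..`. If the model guarantees a UUID this is moot, but a one-line guard ahead of the assignment makes the assumption explicit and keeps the write inside the directory: `if (!preg_match('/^[A-Za-z0-9._-]+$/', (string)$child->id)) { continue; }`. `$crtlist` is also reset for every child of every config node although the later write-out is restricted to frontends, which a short comment such as `// only written out for frontends (see below)` would make obvious to the next reader. The enclosing foreach loops begin outside this hunk.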
@@ -85,11 +88,31 @@ foreach ($configNodes as $key => $value) {
 file_put_contents($output_pem_filename, $pem_content);
 chmod($output_pem_filename, 0600);
 echo "exported $type to " . $output_pem_filename . "\n";
+// add pem file to crt-list
+$crtlist[] = $output_pem_filename;
 }
 }
 }
 }
 }
+// generate crt-list file
+// (this makes only sense for frontends)
+if ( $key == 'frontends' ) {
+// ignore if crt-list is empty
+if (empty($crtlist)) { continue; }
+// check if a default certificate is configured
+if (isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
+$default_cert = (string)$child->ssl_default_certificate;
+$default_cert_filename = "/var/etc/haproxy/ssl/" . $default_cert . ".pem";
+// ensure default certificate is the first entry on the list
+unset($crtlist[$default_cert]);
+array_unshift($crtlist, $default_cert_filename);
+}
+$crtlist_content = implode("\n", $crtlist) . "\n";
+file_put_contents($crtlist_filename, $crtlist_content);
+chmod($crtlist_filename, 0600);
+echo "exported crt-list to " . $crtlist_filename . "\n";
+}
 }
 }
 }
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index dca4b93e6..aad1fcba0 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
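Review bot: `unset($crtlist[$default_cert]);` never removes anything, because `$crtlist` is a 0-indexed list of PEM paths filled by `$crtlist[] = $output_pem_filename` while `$default_cert` is the certificate reference id, so once `array_unshift` runs the default certificate appears in the crt-list twice. Dropping it by value does what the comment intends: `$crtlist = array_values(array_diff($crtlist, array($default_cert_filename)));`. If the configured default certificate was not among the exported PEMs, the prepended path may not exist on disk and haproxy will reject the crt-list at startup; guarding the unshift with `in_array($default_cert_filename, $crtlist, true)` (or at least logging the mismatch) would be safer, though whether the model already forces the default to be one of the selected certificates is not visible here. The return value of `file_put_contents($crtlist_filename, ...)` is also unchecked, so a failed write silently leaves a stale crt-list behind that the generated haproxy.conf will still reference.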
@@ -562,20 +562,10 @@ defaults
 frontend {{frontend.name}}
 {% set ssl_certs = [] %}
 {% if frontend.ssl_enabled == '1' %}
-{# # collect ssl certs (if configured) #}
+{# # check if ssl certs are configured #}
 {% if frontend.ssl_certificates|default("") != "" %}
-{# # check if a default certificate is configured #}
-{% if frontend.ssl_default_certificate|default("") != "" %}
-{% do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ frontend.ssl_default_certificate ~ '.pem') %}
-{% endif %}
-{% for cert in frontend.ssl_certificates.split(",") %}
-{# # skip default certificate, it was already added to the list #}
-{% if frontend.ssl_default_certificate|default("") != "" and cert == frontend.ssl_default_certificate %}
-{# # do nothing #}
-{% else %}
-{% do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
-{% endif %}
-{% endfor %}
+{# # NOTE: Cert lists are generated by exportCerts.php #}
+{% do ssl_certs.append('crt-list /var/etc/haproxy/ssl/' ~ frontend.id ~ '.crtlist') %}
 {% endif %}
 {# # advanced ssl options #}
 {% if frontend.ssl_customOptions|default("") != "" %}
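Review bot: The new `crt-list` bind option is emitted whenever `frontend.ssl_certificates` is non-empty, but exportCerts.php skips writing the `.crtlist` file when it collected no PEM (`if (empty($crtlist)) { continue; }`), so a frontend whose selected certificates failed to export now yields a haproxy.conf that points at a missing file and haproxy will refuse to start, with no hint in the template that the two sides must agree. The `NOTE` comment should spell out that coupling and the ordering contract the template used to enforce itself, e.g. `{# # NOTE: the crt-list is written by exportCerts.php for every SSL frontend; its first entry is the frontend's default certificate (haproxy serves the first crt-list entry when no SNI matches), so certificate ordering now lives in the script, not here #}`. Since the template cannot test for the file's existence, having exportCerts.php always write the list for SSL-enabled frontends (and fail loudly when it would be empty) is the simplest way to keep both in step; the rest of the frontend block continues outside this hunk.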