diff --git a/haproxy-1.6.0-ssl.crash.patch b/haproxy-1.6.0-ssl.crash.patch
new file mode 100644
index 0000000..18e5832
--- /dev/null
+++ b/haproxy-1.6.0-ssl.crash.patch
@@ -0,0 +1,53 @@
+diff --git a/include/types/connection.h b/include/types/connection.h
+index dfbff6a..070d779 100644
+--- a/include/types/connection.h
++++ b/include/types/connection.h
+@@ -122,7 +122,10 @@ enum {
+ /* This connection may not be shared between clients */
+ CO_FL_PRIVATE = 0x10000000,
+ 
+- /* unused : 0x20000000, 0x40000000 */
++ /* A dynamically generated SSL certificate was used for this connection */
++ CO_FL_DYN_SSL_CTX = 0x20000000,
++
++ /* unused : 0x40000000 */
+ 
+ /* This last flag indicates that the transport layer is used (for instance
+ * by logs) and must not be cleared yet. The last call to conn_xprt_close()
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 5319532..2829af8 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -1232,6 +1232,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
+ ctx = ssl_sock_get_generated_cert(serial, s);
+ if (ctx) {
+ /* switch ctx */
++ conn->flags |= CO_FL_DYN_SSL_CTX;
+ SSL_set_SSL_CTX(ssl, ctx);
+ return SSL_TLSEXT_ERR_OK;
+ }
+@@ -1271,6 +1272,9 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
+ if (s->generate_certs &&
+ (ctx = ssl_sock_generate_certificate(servername, s, ssl))) {
+ /* switch ctx */
++ struct connection *conn = (struct connection *)SSL_get_app_data(ssl);
++
++ conn->flags |= CO_FL_DYN_SSL_CTX;
+ SSL_set_SSL_CTX(ssl, ctx);
+ return SSL_TLSEXT_ERR_OK;
+ }
+@@ -3124,11 +3128,11 @@ static void ssl_sock_close(struct connection *conn) {
+ 
+ if (conn->xprt_ctx) {
+ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+- if (!ssl_ctx_lru_tree && objt_listener(conn->target)) {
++ if ((conn->flags & CO_FL_DYN_SSL_CTX) && !ssl_ctx_lru_tree) {
+ SSL_CTX *ctx = SSL_get_SSL_CTX(conn->xprt_ctx);
+- if (ctx != objt_listener(conn->target)->bind_conf->default_ctx)
+- SSL_CTX_free(ctx);
++ SSL_CTX_free(ctx);
+ }
++ conn->flags &= ~CO_FL_DYN_SSL_CTX,
+ #endif
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
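Review bot: The added line `conn->flags &= ~CO_FL_DYN_SSL_CTX,` in the ssl_sock_close hunk ends with a comma instead of a semicolon, so after preprocessing it becomes a comma expression joined to the `SSL_free(conn->xprt_ctx);` that follows `#endif`; it only compiles because the next token happens to start an expression statement, and any declaration or `if` inserted after `#endif` would break the build or silently change evaluation, so it should read `conn->flags &= ~CO_FL_DYN_SSL_CTX;`. With this patch, whether ssl_sock_close frees the SSL_CTX depends solely on the new per-connection flag, which correctly stops the old code from freeing a shared SNI-tree context when the LRU cache is disabled, but it also means every path that installs a freshly generated, uncached context must set the flag — the two switchctx paths here do, and I cannot tell from this hunk whether ssl_sock_generate_certificate has other callers. In the `-1271` hunk `SSL_get_app_data(ssl)` is dereferenced without a NULL check; haproxy presumably sets the app data before the handshake starts, but a one-line `if (conn)` guard would make the callback safe if that ever changes. All three modified functions start and end outside the hunk.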
diff --git a/haproxy.changes b/haproxy.changes
index 6088230..af11f54 100644
--- a/haproxy.changes
+++ b/haproxy.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 16 17:16:40 UTC 2015 - mrueckert@suse.de
+
+- added haproxy-1.6.0-ssl.crash.patch: fix SNI related crash
+
 -------------------------------------------------------------------
 Thu Oct 15 23:19:33 UTC 2015 - mrueckert@suse.de
diff --git a/haproxy.spec b/haproxy.spec
index 87214c6..129ff4a 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -71,6 +71,7 @@ Source4: haproxy.cfg
 Patch1: haproxy-1.6.0_config_haproxy_user.patch
 Patch2: haproxy-1.6.0-makefile_lib.patch
 Patch3: haproxy-1.6.0-sec-options.patch
+Patch4: haproxy-1.6.0-ssl.crash.patch
 # Source99: haproxy-rpmlintrc #
@@ -104,6 +105,7 @@ the most work done from every CPU cycle.
 %patch1 -p1
 %patch2
 %patch3
+%patch4 -p1
 %build
 %{__make} \