BUG/MEDIUM: ssl: fix error path on generate-certificates

It was reported by Przemyslaw Bromber that using the "generate-certificates" option combined with AWS-LC would crash HAProxy when a request is done with a SNI longer than 64 bytes. The problem is that the certificate is generated with a CN greater than 64 bytes which results in ssl_sock_do_create_cert() returning NULL. This NULL value being passed to SSL_set_SSL_CTX. With OpenSSL, passing a NULL SSL_CTX does not seem to be an issue as it would just ignore it. With AWS_LC, passing a NULL seems to crash the function. This was reported to upstream AWS-LC and fixed in patch 7487ad1dcd8 https://github.com/aws/aws-lc/pull/2946. This must be backported in every branches.
2026-02-03 20:39:41 -05:00 · 2026-01-21 07:03:03 +01:00 · 2026-01-21 07:03:03 +01:00 · fbc98ebcda
commit fbc98ebcda
parent 2d8d2b4247
1 changed files with 5 additions and 0 deletions
--- a/src/ssl_gencert.c
+++ b/src/ssl_gencert.c
@ -352,6 +352,8 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
 			ssl_ctx = (SSL_CTX *)lru->data;
 		if (!ssl_ctx && lru) {
 			ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
+			if (!ssl_ctx)
+				goto error;
 			lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
 		}
 		SSL_set_SSL_CTX(ssl, ssl_ctx);
@ -360,11 +362,14 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
 	}
 	else {
 		ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
+		if (!ssl_ctx)
+			goto error;
 		SSL_set_SSL_CTX(ssl, ssl_ctx);
 		/* No LRU cache, this CTX will be released as soon as the session dies */
 		SSL_CTX_free(ssl_ctx);
 		return 1;
 	}
+error:
 	return 0;
 }
 int ssl_sock_generate_certificate_from_conn(struct bind_conf *bind_conf, SSL *ssl)