From 093a3ad7f2e2f526cdda7481a830b46a6afaf722 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Mon, 30 Jun 2025 16:56:28 +0200
Subject: [PATCH] MINOR: ssl: Prevent delete on certificate used by jwt_verify

A ckch_store used in JWT verification might not have any ckch instances or crt-list entries linked but we don't want to be able to remove it via the CLI anyway since it would make all future jwt_verify calls using this certificate fail.
---
 src/ssl_ckch.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b22522681..c920f2209 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3192,6 +3192,9 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
 if (!LIST_ISEMPTY(&store->ckch_inst)) {
 memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
 goto error;
+ } else if (store->jwt_entry) {
+ memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
+ goto error;
 }
 ebmb_delete(&store->node);
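Review bot: The new `store->jwt_entry` branch carries no comment explaining why a store whose `ckch_inst` list is empty can still be in use, which is the entire reason for the check; I would add `/* a store used only by jwt_verify has no ckch instance, so test jwt_entry too */` above it. Because the preceding branch ends in `goto error;`, a standalone `if (store->jwt_entry) {` would read more plainly than chaining with `else if`. The guard protects only this CLI delete path, so it is worth confirming that any other code that frees or replaces a ckch_store (none is visible in this hunk) also honours `jwt_entry`, and that the flag is read under the same lock as the `ckch_inst` test. cli_parse_del_cert begins and ends outside the hunk.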