mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: Prevent delete on certificate used by jwt_verify

Browse Source 
A ckch_store used in JWT verification might not have any ckch instances
or crt-list entries linked but we don't want to be able to remove it via
the CLI anyway since it would make all future jwt_verify calls using
this certificate fail.
This commit is contained in:
Remi Tricot-Le Breton 2025-06-30 16:56:28 +02:00 committed by William Lallemand
parent 31955e6e0a
commit 093a3ad7f2
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ssl_ckch.c
View File

@ -3192,6 +3192,9 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
if (!LIST_ISEMPTY(&store->ckch_inst)) { if (!LIST_ISEMPTY(&store->ckch_inst)) {
memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename); memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
goto error; goto error;
} else if (store->jwt_entry) {
memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
goto error;
} }
ebmb_delete(&store->node); ebmb_delete(&store->node);