From 1274c21a42aef878cb6ba1941982827fadb5c501 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 16 Feb 2026 18:41:40 +0100
Subject: [PATCH] BUG/MINOR: ssl: error with ssl-f-use when no "crt"

ssl-f-use lines tries to load a crt file, but the "crt" keyword is not
mandatory. That could lead to crtlist_load_crt() being called with a
NULL path, and trying to do a stat.

In this particular case we don't need to try anything and it's better to
leave with an actual error.

Must be backported as far as 3.2.
---
 src/ssl_crtlist.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index baa074cec..7319b1307 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -515,6 +515,13 @@ int crtlist_load_crt(char *crt_path, struct ckch_conf *cc, struct crtlist *newli
 	struct stat st;
 	int cfgerr = 0;
 
+	if (!crt_path) {
+		memprintf(err, "%sTrying to load a certificate but no 'crt' keyword specified.\n",
+		         err && *err ? *err : "");
+		cfgerr |= ERR_ALERT | ERR_FATAL;
+		goto error;
+	}
+
 	/* Look for a ckch_store or create one */
 	ckchs = ckchs_lookup(crt_path);
 	if (ckchs == NULL) {