mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-04-01 09:01:56 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level

Browse Source 
This commit adds an ha_warning() when 'show tls-keys' or 'set ssl
tls-key' are accessed without admin level. This is to warn users that
these commands will be restricted to admin only in HAProxy 3.3.

Must be backported in every stable branches.

Initially reported by Cameron Brown.
This commit is contained in:
William Lallemand 2026-03-31 11:34:43 +02:00
parent 226bb4bd28
commit 14a4168a84
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ssl_sock.c
View File

@ -8086,6 +8086,9 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app
{
struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]);
/* no parameter, shows only file list */
if (!*args[2]) {
ctx->names_only = 1;
@ -8110,6 +8113,9 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc
struct tls_keys_ref *ref;
int ret;
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
/* Expect two parameters: the filename and the new new TLS key in encoding */
if (!*args[3] || !*args[4])
return cli_err(appctx, "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n");