From 14a4168a847cedc98ad1137839ffb03e2bdb4d3b Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Tue, 31 Mar 2026 11:34:43 +0200 Subject: [PATCH] BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level This commit adds an ha_warning() when 'show tls-keys' or 'set ssl tls-key' are accessed without admin level. This is to warn users that these commands will be restricted to admin only in HAProxy 3.3. Must be backported in every stable branches. Initially reported by Cameron Brown. --- src/ssl_sock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 2b1daa748..41619bef5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -8086,6 +8086,9 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app { struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx)); + if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN) + ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]); + /* no parameter, shows only file list */ if (!*args[2]) { ctx->names_only = 1; @@ -8110,6 +8113,9 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc struct tls_keys_ref *ref; int ret; + if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN) + ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]); + /* Expect two parameters: the filename and the new new TLS key in encoding */ if (!*args[3] || !*args[4]) return cli_err(appctx, "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n");