MINOR: ssl: Allow 'commit ssl cert' with no privkey

The ckch_stores might be used to store public certificates only so in
this case we won't provide private keys when updating the certificate
via the CLI.
If the ckch_store is actually used in a bind or server line an error
will still be raised if the private key is missing.
Remi Tricot-Le Breton 2025-06-30 16:56:27 +02:00 committed by William Lallemand
parent 522bca98e1
commit 31955e6e0a

@ -2879,13 +2879,8 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
goto error;
}
/* if a certificate is here, a private key must be here too */
if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) {
memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
goto error;
}
if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
if (ckchs_transaction.new_ckchs->data->key &&
!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
goto error;
}
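
Review bot: the new condition starting at `if (ckchs_transaction.new_ckchs->data->key &&` skips the certificate/key consistency check whenever the key is absent, and nothing in this hunk checks whether the store being committed is already referenced by a bind or server line. The commit message says an error is still raised in that case, but the visible lines drop the "at least a certificate and a private key" rejection without showing where the replacement check runs. If that check only runs at configuration parsing, a CLI commit on an in-use store could leave it without a key. Please confirm the commit path rejects a key-less transaction for stores that are in use, and add a short comment above the new `if` stating that certificate-only stores are accepted here and where the missing key is caught.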