mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 07:37:02 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: Allow 'commit ssl cert' with no privkey

Browse Source 
The ckch_stores might be used to store public certificates only so in
this case we won't provide private keys when updating the certificate
via the CLI.
If the ckch_store is actually used in a bind or server line an error
will still be raised if the private key is missing.
This commit is contained in:
Remi Tricot-Le Breton 2025-06-30 16:56:27 +02:00 committed by William Lallemand
parent 522bca98e1
commit 31955e6e0a
1 changed files with 2 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/ssl_ckch.c
View File

@ -2879,13 +2879,8 @@ static int cli_parse_commit_cert(char **args, char *payload, struct appctx *appc
goto error; goto error;
} }
/* if a certificate is here, a private key must be here too */ if (ckchs_transaction.new_ckchs->data->key &&
if (ckchs_transaction.new_ckchs->data->cert && !ckchs_transaction.new_ckchs->data->key) { !X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
memprintf(&err, "The transaction must contain at least a certificate and a private key!\n");
goto error;
}
if (!X509_check_private_key(ckchs_transaction.new_ckchs->data->cert, ckchs_transaction.new_ckchs->data->key)) {
memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path); memprintf(&err, "inconsistencies between private key and certificate loaded '%s'.\n", ckchs_transaction.path);
goto error; goto error;
} }