BUG/MINOR: ssl: load .key in a directory only after PEM

Don't try to load a .key in a directory without loading its associated
certificate file.

This patch ignores the .key files when iterating over the files in a
directory.

Introduced by 4c5adbf ("MINOR: ssl: load the key from a dedicated
file").
William Lallemand 2020-02-24 16:30:12 +01:00 committed by William Lallemand
parent 4c5adbf595
commit 3f25ae31bd
2 changed files with 8 additions and 8 deletions

@ -11341,13 +11341,13 @@ crt <cert>
are loaded.
If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends with
'.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be
specified multiple times in order to load certificates from multiple files or
directories. The certificates will be presented to clients who provide a
valid TLS Server Name Indication field matching one of their CN or alt
subjects. Wildcards are supported, where a wildcard character '*' is used
instead of the first hostname component (e.g. *.example.org matches
that directory will be loaded in alphabetic order unless their name ends
with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
directive may be specified multiple times in order to load certificates from
multiple files or directories. The certificates will be presented to clients
who provide a valid TLS Server Name Indication field matching one of their
CN or alt subjects. Wildcards are supported, where a wildcard character '*'
is used instead of the first hostname component (e.g. *.example.org matches
www.example.org but not www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support
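Review bot: the updated paragraph adds '.key' to the reserved extensions but does not say what becomes of those files, so a reader may conclude that a '.key' file in a crt directory is ignored entirely. Since the commit message says a .key is only meant to be loaded together with its associated certificate (the dedicated key file lookup from 4c5adbf), the sentence should state that explicitly, e.g. "'.key' files are not loaded on their own but are used as the private key of the certificate file they accompany". Keeping that wording next to the extension list also makes it the single place to update when the list in ssl_sock_load_cert() changes.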

@ -4416,7 +4416,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.');
if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl")))
if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl") || !strcmp(end, ".key")))
goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
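Review bot: the new `!strcmp(end, ".key")` test is an exact, case-sensitive match, consistent with the existing `.issuer`, `.ocsp` and `.sctl` checks, so a file named `foo.KEY` would still be picked up as a certificate and fail to load; if that is intended, a short comment noting that reserved extensions are matched case-sensitively would avoid surprises. With four suffixes the condition is also getting hard to read: a static array of reserved extensions walked in a small helper (or a `goto ignore_entry` per suffix) would make the code and the list documented under `crt <cert>` easier to keep in sync.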