BUG/MINOR: ssl: load .key in a directory only after PEM

Don't try to load a .key in a directory without loading its associated
certificate file.

This patch ignores the .key files when iterating over the files in a
directory.

Introduced by 4c5adbf ("MINOR: ssl: load the key from a dedicated
file").
William Lallemand 2020-02-24 16:30:12 +01:00 committed by William Lallemand
parent 4c5adbf595
commit 3f25ae31bd
2 changed files with 8 additions and 8 deletions


@ -11341,13 +11341,13 @@ crt <cert>
are loaded. are loaded.
If a directory name is used instead of a PEM file, then all files found in If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends with that directory will be loaded in alphabetic order unless their name ends
'.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
specified multiple times in order to load certificates from multiple files or directive may be specified multiple times in order to load certificates from
directories. The certificates will be presented to clients who provide a multiple files or directories. The certificates will be presented to clients
valid TLS Server Name Indication field matching one of their CN or alt who provide a valid TLS Server Name Indication field matching one of their
subjects. Wildcards are supported, where a wildcard character '*' is used CN or alt subjects. Wildcards are supported, where a wildcard character '*'
instead of the first hostname component (e.g. *.example.org matches is used instead of the first hostname component (e.g. *.example.org matches
www.example.org but not www.sub.example.org). www.example.org but not www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support If no SNI is provided by the client or if the SSL library does not support
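Review bot: the new documentation text lists '.key' among the "reserved extensions" that are skipped during directory iteration, but a reader could take that to mean .key files are never used; the commit title says they are loaded once their PEM counterpart is processed. Suggest one extra clause in the changed sentence, e.g. "('.key' files are loaded together with the certificate of the same name rather than on their own)", so the documented behaviour matches the intent in the commit message.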


@ -4416,7 +4416,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
struct dirent *de = de_list[i]; struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.'); end = strrchr(de->d_name, '.');
if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl"))) if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl") || !strcmp(end, ".key")))
goto ignore_entry; goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name); snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
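Review bot: the added `!strcmp(end, ".key")` makes an orphaned key file (one with no matching certificate in the directory) disappear silently, whereas before this change it would have produced a load error; consider emitting a warning when a skipped .key has no corresponding PEM so a misconfigured directory is not masked. Minor style point: the condition on this line is now four chained strcmp() calls, and the same four extensions are repeated in the documentation hunk, so a small static array of reserved extensions iterated here would keep code and docs in one place. The comparison is also case-sensitive, matching the existing extensions, so '.KEY' is still loaded as a certificate; that is consistent with current behaviour and fine to leave, but worth a comment.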