MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt

Ignore the files starting with a dot when trying to load a directory
with the "crt" directive.

Should fix issue #1689.
William Lallemand 2022-05-09 10:30:51 +02:00
parent e4b93eb947
commit 589570df1f
2 changed files with 11 additions and 8 deletions

@ -13833,13 +13833,14 @@ crt <cert>
If a directory name is used instead of a PEM file, then all files found in If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends that directory will be loaded in alphabetic order unless their name ends
with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). Files
directive may be specified multiple times in order to load certificates from starting with a dot are also ignored. This directive may be specified multiple
multiple files or directories. The certificates will be presented to clients times in order to load certificates from multiple files or directories. The
who provide a valid TLS Server Name Indication field matching one of their certificates will be presented to clients who provide a valid TLS Server Name
CN or alt subjects. Wildcards are supported, where a wildcard character '*' Indication field matching one of their CN or alt subjects. Wildcards are
is used instead of the first hostname component (e.g. *.example.org matches supported, where a wildcard character '*' is used instead of the first
www.example.org but not www.sub.example.org). hostname component (e.g. *.example.org matches www.example.org but not
www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not TLS extensions, or if the client provides an SNI hostname which does not
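Review bot: the new sentence "Files starting with a dot are also ignored." should say that such files are treated exactly like the reserved-extension files, i.e. silently skipped rather than rejected, since the code change routes both cases through the same ignore_entry path; a reader could otherwise assume a hidden file causes a load error. It would also help to state the motivation (editor swap and backup files, and other hidden files dropped into the certificate directory) so the rule does not read as arbitrary, e.g. "Files whose name starts with a dot (hidden files, editor backups) are ignored as well."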

@ -696,7 +696,9 @@ int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct crtlis
struct dirent *de = de_list[i]; struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.'); end = strrchr(de->d_name, '.');
if (end && (strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 || strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0)) if (end && (de->d_name[0] == '.' ||
strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 ||
strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0))
goto ignore_entry; goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name); snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
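Review bot: the dotfile test `de->d_name[0] == '.'` is nested inside the `end &&` guard, so it only works because a name that starts with a dot always makes `strrchr(de->d_name, '.')` return non-NULL; the intent would be clearer, and not depend on that coincidence, if the leading-dot check were hoisted out, e.g. `if (de->d_name[0] == '.' || (end && (strcmp(end, ".issuer") == 0 || ...)))`. Note that the new check also matches the "." and ".." entries should the scandir filter ever pass them through, which is harmless here but worth a comment next to the condition.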