From 7b3b3d7146905167d5353feb70f7277b0b9f2de4 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Thu, 21 Aug 2025 14:45:53 +0200 Subject: [PATCH] BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind This patch introduces a change of behavior in the configuration parsing. Previously the "ssl-f-use" lines were only applied on "ssl" bind lines that does not have any "crt" configured. Since there is no warning and you could mix bind lines with and without crt, this is really confusing. This patch applies the "ssl-f-use" lines on every "ssl" bind lines. This was discussed in ticket #3082. Must be backported in 3.2. --- doc/configuration.txt | 5 +++-- src/cfgparse-ssl.c | 10 ++++------ 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index adfd0e672..795694227 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12205,8 +12205,9 @@ ssl-f-use [ ...]* Assignate a certificate to a crt-list created automatically with the frontend name and prefixed by @ (ex: '@frontend1'). - This implicit crt-list will be assigned to every "ssl" bind lines in a - frontend that does not already have the "crt" or the "crt-list" line. + This implicit crt-list will be assigned to every "ssl" bind lines in the + current frontend. + crt-list commands from the stats socket are effective with this crt-list, so one could replace, remove or add certificates and SSL options to it. diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index e1bb7096e..1f3e0d966 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c 
@@ -2442,14 +2442,12 @@ static int post_section_frontend_crt_init()
 			goto error;
 		}
 
-		/* look for "ssl" bind lines without any crt nor crt-line */
+		/* look for "ssl" bind lines */
 		list_for_each_entry(b, &curproxy->conf.bind, by_fe) {
 			if (b->options & BC_O_USE_SSL) {
-				if (eb_is_empty(&b->sni_ctx) && eb_is_empty(&b->sni_w_ctx)) {
-					err_code |= ssl_sock_load_cert_list_file(crtlist_name, 0, b, curproxy, &err);
-					if (err_code & ERR_CODE)
-						goto error;
-				}
+				err_code |= ssl_sock_load_cert_list_file(crtlist_name, 0, b, curproxy, &err);
+				if (err_code & ERR_CODE)
+					goto error;
 			}
 		}
 	}
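Review bot: The new comment `/* look for "ssl" bind lines */` drops the one fact a reader needs at this loop, namely that the implicit crt-list is now loaded onto binds that already carry their own "crt" or "crt-list", which is precisely the behavior change this commit makes. I would write it as `/* apply the frontend's implicit crt-list to every "ssl" bind line, including those that already have "crt"/"crt-list" entries */`. Since the silent skip was what the commit message calls confusing, it may also be worth keeping the former `eb_is_empty(&b->sni_ctx) && eb_is_empty(&b->sni_w_ctx)` test solely to emit a diagnostic when both an explicit "crt" and the implicit crt-list feed the same bind, so operators picking this up via the 3.2 backport can see where overlapping SNI entries now compete; how such overlaps are resolved inside ssl_sock_load_cert_list_file is not visible in this hunk. post_section_frontend_crt_init() starts and ends outside the hunk, so the error label and the handling of err are not reviewed here.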