BUG/MEDIUM: ssl: apply ssl-f-use on every "ssl" bind

This patch introduces a change of behavior in the configuration parsing. Previously the "ssl-f-use" lines were only applied on "ssl" bind lines that does not have any "crt" configured. Since there is no warning and you could mix bind lines with and without crt, this is really confusing. This patch applies the "ssl-f-use" lines on every "ssl" bind lines. This was discussed in ticket #3082. Must be backported in 3.2.
2025-09-20 21:31:28 +02:00 · 2025-08-21 14:45:53 +02:00 · 2025-08-21 14:45:53 +02:00 · 7b3b3d7146
commit 7b3b3d7146
parent e513620c72
2 changed files with 7 additions and 8 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -12205,8 +12205,9 @@ ssl-f-use [<sslbindconf> ...]*
  Assignate a certificate <crtname> to a crt-list created automatically with the
  frontend name and prefixed by @ (ex: '@frontend1').

-  This implicit crt-list will be assigned to every "ssl" bind lines in a
-  frontend that does not already have the "crt" or the "crt-list" line.
+  This implicit crt-list will be assigned to every "ssl" bind lines in the
+  current frontend.
+
  crt-list commands from the stats socket are effective with this crt-list, so
  one could replace, remove or add certificates and SSL options to it.

--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@ -2442,17 +2442,15 @@ static int post_section_frontend_crt_init()
 			goto error;
 		}

-		/* look for "ssl" bind lines without any crt nor crt-line */
+		/* look for "ssl" bind lines */
 		list_for_each_entry(b, &curproxy->conf.bind, by_fe) {
 			if (b->options & BC_O_USE_SSL) {
-				if (eb_is_empty(&b->sni_ctx) && eb_is_empty(&b->sni_w_ctx)) {
 				err_code |= ssl_sock_load_cert_list_file(crtlist_name, 0, b, curproxy, &err);
 				if (err_code & ERR_CODE)
 					goto error;
 			}
 		}
 	}
-	}

 	return err_code;
 error: