MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file

Ignore the files starting with a dot when trying to load a directory
with the "ca-file" directive.
William Lallemand 2022-05-09 09:29:00 +02:00
parent e979796584
commit e4b93eb947
2 changed files with 9 additions and 7 deletions


@ -13764,7 +13764,7 @@ ca-file <cafile>
designates a PEM file from which to load CA certificates used to verify designates a PEM file from which to load CA certificates used to verify
client's certificate. It is possible to load a directory containing multiple client's certificate. It is possible to load a directory containing multiple
CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and
.crl" available in the directory. .crl" available in the directory, files starting with a dot are ignored.
ca-ignore-err [all|<errorID>,...] ca-ignore-err [all|<errorID>,...]
This setting is only available when support for OpenSSL was built in. This setting is only available when support for OpenSSL was built in.
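Review bot: the added clause in the ca-file (bind side) paragraph, ".crl" available in the directory, files starting with a dot are ignored.", is a comma splice; end the first sentence at "directory." and start a new one ("Files starting with a dot are ignored."), matching the sentence structure used by the rest of the paragraph.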
@ -14552,7 +14552,7 @@ ca-file <cafile>
designates a PEM file from which to load CA certificates used to verify designates a PEM file from which to load CA certificates used to verify
server's certificate. It is possible to load a directory containing multiple server's certificate. It is possible to load a directory containing multiple
CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and
.crl" available in the directory. .crl" available in the directory, files starting with a dot are ignored.
In order to use the trusted CAs of your system, the "@system-ca" parameter In order to use the trusted CAs of your system, the "@system-ca" parameter
could be used in place of the cafile. The location of this directory could be could be used in place of the cafile. The location of this directory could be


@ -1216,13 +1216,15 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
* been loaded in an hashed directory loaded by * been loaded in an hashed directory loaded by
* X509_LOOKUP_hash_dir, so according to "man 1 * X509_LOOKUP_hash_dir, so according to "man 1
* c_rehash", we should load ".pem", ".crt", * c_rehash", we should load ".pem", ".crt",
* ".cer", or ".crl" * ".cer", or ".crl". Files starting with a dot
* are ignored.
*/ */
end = strrchr(de->d_name, '.'); end = strrchr(de->d_name, '.');
if (!end || (strcmp(end, ".pem") != 0 && if (!end || de->d_name[0] == '.' ||
strcmp(end, ".crt") != 0 && (strcmp(end, ".pem") != 0 &&
strcmp(end, ".cer") != 0 && strcmp(end, ".crt") != 0 &&
strcmp(end, ".crl") != 0)) { strcmp(end, ".cer") != 0 &&
strcmp(end, ".crl") != 0)) {
free(de); free(de);
continue; continue;
} }
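Review bot: the new `de->d_name[0] == '.'` test is placed after `end = strrchr(de->d_name, '.')` and after the `!end` test, so a dotfile still pays for the `strrchr` call before being skipped; it would read more naturally, and make the intent visible at a glance, as a separate `if (de->d_name[0] == '.')` guard placed before the extension lookup, with the `free(de); continue;` cleanup applied there as well. The updated comment says "Files starting with a dot are ignored." without saying why; stating the motivation (hidden editor temporary files, and the `.` and `..` directory entries that also begin with a dot) would help the next reader understand that this is a deliberate filter rather than an oversight. The documentation hunks in the other file are consistent with this behaviour change.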