MINOR: ssl: ignore dotfiles when loading a dir w/ ca-file

Ignore the files starting with a dot when trying to load a directory with the "ca-file directive".
2025-08-07 15:47:01 +02:00 · 2022-05-09 09:29:00 +02:00 · 2022-05-09 09:29:00 +02:00 · e4b93eb947
commit e4b93eb947
parent e979796584
2 changed files with 9 additions and 7 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -13764,7 +13764,7 @@ ca-file <cafile>
  designates a PEM file from which to load CA certificates used to verify
  client's certificate. It is possible to load a directory containing multiple
  CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and
-  .crl" available in the directory.
+  .crl" available in the directory, files starting with a dot are ignored.

 ca-ignore-err [all|<errorID>,...]
  This setting is only available when support for OpenSSL was built in.
@ -14552,7 +14552,7 @@ ca-file <cafile>
  designates a PEM file from which to load CA certificates used to verify
  server's certificate. It is possible to load a directory containing multiple
  CAs, in this case HAProxy will try to load every ".pem", ".crt", ".cer", and
-  .crl" available in the directory.
+  .crl" available in the directory, files starting with a dot are ignored.

  In order to use the trusted CAs of your system, the "@system-ca" parameter
  could be used in place of the cafile. The location of this directory could be
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -1216,13 +1216,15 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 				 * been loaded in an hashed directory loaded by
 				 * X509_LOOKUP_hash_dir, so according to "man 1
 				 * c_rehash", we should load  ".pem", ".crt",
-				 * ".cer", or ".crl"
+				 * ".cer", or ".crl". Files starting with a dot
+				 * are ignored.
 				 */
 				end = strrchr(de->d_name, '.');
-				if (!end || (strcmp(end, ".pem") != 0 &&
-				             strcmp(end, ".crt") != 0 &&
-				             strcmp(end, ".cer") != 0 &&
-				             strcmp(end, ".crl") != 0)) {
+				if (!end || de->d_name[0] == '.' ||
+				    (strcmp(end, ".pem") != 0 &&
+				     strcmp(end, ".crt") != 0 &&
+				     strcmp(end, ".cer") != 0 &&
+				     strcmp(end, ".crl") != 0)) {
 					free(de);
 					continue;
 				}