mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: ssl: accept 'verify' bind option with 'set ssl cert'

Browse Source 
Since patches initiated with d4f9a60e "MINOR: ssl: deduplicate ca-file",
no more file access is done for 'verify' bind options (crl/ca file).
Remove conditional restriction for "set ssl cert" CLI commands.
This commit is contained in:
Emmanuel Hocdet 2020-01-20 17:18:00 +01:00 committed by William Lallemand
parent a5afb0bf36
commit ebf840bf37
1 changed files with 0 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/ssl_sock.c
View File

@ -10493,7 +10493,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
/* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
struct ckch_inst *new_inst;
int verify = 0;
/* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
if (y >= 10) {
@ -10502,15 +10501,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
goto yield;
}
/* prevent ssl_sock_prepare_ctx() to do file access which is only for verify (crl/ca file) */
verify = (ckchi->ssl_conf && ckchi->ssl_conf->verify) ? ckchi->ssl_conf->verify : ckchi->bind_conf->ssl_conf.verify;
if (verify & SSL_VERIFY_PEER) {
memprintf(&err, "%sCan't commit a certificate which use the 'verify' bind SSL option [%s:%d]\n", err ? err : "", ckchi->bind_conf->file, ckchi->bind_conf->line);
errcode |= ERR_FATAL | ERR_ABORT;
goto error;
}
if (new_ckchs->multi)
errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err);
else