MINOR: ssl: 'key-base' allows to load a 'key' from a specific path

The global 'key-base' keyword allows the 'key' parameter of a
crt-store load line to be read using a path prefix.

This is the equivalent of the 'crt-base' keyword but for 'key'.

It only applies on crt-store.
William Lallemand 2024-04-15 14:33:24 +02:00
parent 6567d09af5
commit fa5c4cc6ce
4 changed files with 21 additions and 6 deletions


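--- a/<path-not-on-page-1>
+++ b/<path-not-on-page-1>
@@ -1278,6 +1278,7 @@ The following keywords are supported in the "global" section :
 - insecure-fork-wanted
 - insecure-setuid-wanted
 - issuers-chain-path
+- key-base
 - localpeer
 - log
 - log-send-hostname
@@ -2017,6 +2018,11 @@ issuers-chain-path <dir>
 "issuers-chain-path" directory. All other certificates with the same issuer
 will share the chain in memory.
+key-base <dir>
+Assigns a default directory to fetch SSL private keys from when a relative
+path is used with "key" directives. Absolute locations specified prevail and
+ignore "key-base". This option only works with a crt-store load line.
 limited-quic
 This setting must be used to explicitly enable the QUIC listener bindings when
 haproxy is compiled against a TLS/SSL stack without QUIC support, typically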


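--- a/<path-not-on-page-2>
+++ b/<path-not-on-page-2>
@@ -264,6 +264,7 @@ struct ssl_sock_ctx {
 struct global_ssl {
 char *crt_base; /* base directory path for certificates */
+char *key_base; /* base directory path for private keys */
 char *ca_base; /* base directory path for CAs and CRLs */
 char *issuers_chain_path; /* from "issuers-chain-path" */
 int skip_self_issued_ca;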
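Review bot: None of this commit's four hunks releases the new `key_base` pointer, while the field is added right between `crt_base` and `ca_base`; if those two are freed in the SSL deinit path (not visible on this page), `key_base` needs the same treatment, otherwise the string stored by the new keyword parser leaks at exit and would show up in leak-checked test runs. A single `free(global_ssl.key_base);` next to its siblings would cover it, assuming that is how the other two are released; the parser hunk below does not show how the value is stored, so the exact deallocator should be checked against that code.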


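--- a/<path-not-on-page-3>
+++ b/<path-not-on-page-3>
@@ -2093,16 +2093,23 @@ static int ssl_parse_default_server_options(char **args, int section_type, struc
 return 0;
 }
-/* parse the "ca-base" / "crt-base" keywords in global section.
+/* parse the "ca-base" / "crt-base" / "key-base" keywords in global section.
 * Returns <0 on alert, >0 on warning, 0 on success.
 */
-static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct proxy *curpx,
+static int ssl_parse_global_path_base(char **args, int section_type, struct proxy *curpx,
 const struct proxy *defpx, const char *file, int line,
 char **err)
 {
 char **target;
-target = (args[0][1] == 'a') ? &global_ssl.ca_base : &global_ssl.crt_base;
+if (args[0][1] == 'a')
+target = &global_ssl.ca_base;
+else if (args[0][1] == 'r')
+target = &global_ssl.crt_base;
+else if (args[0][1] == 'e')
+target = &global_ssl.key_base;
+else
+return -1;
 if (too_many_args(1, args, err, NULL))
 return -1;
@@ -2387,8 +2394,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 INITCALL1(STG_REGISTER, srv_register_keywords, &srv_kws);
 static struct cfg_kw_list cfg_kws = {ILH, {
-{ CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base },
-{ CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
+{ CFG_GLOBAL, "ca-base", ssl_parse_global_path_base },
+{ CFG_GLOBAL, "crt-base", ssl_parse_global_path_base },
+{ CFG_GLOBAL, "key-base", ssl_parse_global_path_base },
 { CFG_GLOBAL, "issuers-chain-path", ssl_load_global_issuers_from_path },
 { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
 { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },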
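Review bot: The new dispatch at the top of ssl_parse_global_path_base selects the target from the second character of the keyword (`args[0][1]` being 'a', 'r' or 'e'), which only stays correct as long as every keyword registered with this parser keeps a distinct second letter, and the new fallback `return -1` reports an alert without filling `*err`, so a future mis-registration would presumably surface as an alert with an empty message. Comparing the full keyword with strcmp() and setting the error text makes the mapping self-describing and keeps the function safe to reuse for the next base-path keyword. The function body continues past the end of the hunk, so the remaining lines are not reviewed here.
```c
static int ssl_parse_global_path_base(char **args, int section_type, struct proxy *curpx,
                                      const struct proxy *defpx, const char *file, int line,
                                      char **err)
{
	char **target;

	/* map the registered keyword to its storage; reject anything else loudly */
	if (strcmp(args[0], "ca-base") == 0)
		target = &global_ssl.ca_base;
	else if (strcmp(args[0], "crt-base") == 0)
		target = &global_ssl.crt_base;
	else if (strcmp(args[0], "key-base") == 0)
		target = &global_ssl.key_base;
	else {
		memprintf(err, "'%s': keyword not handled by this parser", args[0]);
		return -1;
	}

	/* … unchanged: too_many_args() check and the rest of the function … */
```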


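--- a/<path-not-on-page-4>
+++ b/<path-not-on-page-4>
@@ -3998,7 +3998,7 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
 struct ckch_conf_kws ckch_conf_kws[] = {
 { "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ssl_sock_load_pem_into_ckch, &global_ssl.crt_base },
-{ "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ssl_sock_load_key_into_ckch, &global_ssl.crt_base },
+{ "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ssl_sock_load_key_into_ckch, &global_ssl.key_base },
 { "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ssl_sock_load_ocsp_response_from_file, &global_ssl.crt_base },
 { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ssl_sock_load_issuer_file_into_ckch, &global_ssl.crt_base },
 { "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ssl_sock_load_sctl_from_file, &global_ssl.crt_base },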