git.ipfire.org Git - thirdparty/haproxy.git/commit
MEDIUM: ssl: don't load file by discovering them in crt-store
author William Lallemand <wlallemand@haproxy.com>
Tue, 21 May 2024 14:50:59 +0000 (16:50 +0200)
committer William Lallemand <wlallemand@haproxy.com>
Tue, 21 May 2024 16:30:45 +0000 (18:30 +0200)
commit e6657fd1085ef5c5430524a45c1cd4fff95fce5d
tree a1afc2980c6036a7541b375c0cdaabf68e6b28bf
parent 22ec2ad8b026cbd2dcfe606b222edbba1be18748

In commit 55e9e9591 ("MEDIUM: ssl: temporarily load files by detecting
their presence in crt-store"), ssl_sock_load_pem_into_ckch() was
replaced by ssl_sock_load_files_into_ckch() in the crt-store loading.

But the side effect was that we always try to autodetect, and this is
not what we want. This patch reverses this, and adds specific code in the
crt-list loading, so we could autodetect in crt-list like it was done
before, but still try to load files when a crt-store filename keyword is
specified.

Example:

These crt-list lines won't autodetect files:

    foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar
    foobar.crt [key foobar.key] *.foo.bar

These crt-list lines will autodetect files:

    foobar.pem [ocsp-update on] *.foo.bar
    foobar.pem
include/haproxy/ssl_ckch.h
reg-tests/ssl/crt_store.vtc
src/ssl_ckch.c
src/ssl_crtlist.c