MEDIUM: ssl: ignored file names ending as '.issuer' or '.ocsp'.
authorEmeric Brun <ebrun@haproxy.com>
Wed, 18 Jun 2014 16:15:09 +0000 (18:15 +0200)
committerWilly Tarreau <w@1wt.eu>
Wed, 18 Jun 2014 16:24:55 +0000 (18:24 +0200)
We don't want to load these files found in directories specified in "crt" or
"crt-list".

These suffixes are reserved for OCSP stapling.

src/ssl_sock.c

index 8fb8b5f037a94eebe89bc0d4549bae77e87d7b67..2bbad178de1525263be93b04fc741a0719139c33 100644 (file)
@@ -868,6 +868,10 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, struct proxy *cu
                *end = 0;
 
        while ((de = readdir(dir))) {
+               end = strrchr(de->d_name, '.');
+               if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp")))
+                       continue;
+
                snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
                if (stat(fp, &buf) != 0) {
                        memprintf(err, "%sunable to stat SSL certificate from file '%s' : %s.\n",
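Review bot: The added check at the top of the `readdir()` loop reuses `end`, which the context line `*end = 0;` just above shows is also a cursor into `path`. A dedicated local such as `const char *ext = strrchr(de->d_name, '.');` would keep the two roles apart; the rest of ssl_sock_load_cert lies outside the hunk, so whether `end` is read again after the loop cannot be confirmed from here. The skip also deserves a one-line comment, for example `/* .issuer and .ocsp are reserved for OCSP stapling data, not certificates */`. The match is exact and case-sensitive on the last extension only, so names like `cert.pem.OCSP` or `cert.pem.ocsp.bak` still fall through to the `stat()` and, presumably, the certificate load. That is worth stating in the "crt" documentation so operators know exactly which names are reserved.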