]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
projects / thirdparty / haproxy.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f4f93c5)
MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
authorWilliam Lallemand <wlallemand@haproxy.com>
Mon, 11 Aug 2025 15:24:11 +0000 (17:24 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 11 Aug 2025 15:42:16 +0000 (17:42 +0200)
In previous versions of haproxy, insertions of certificates in a
crt-list from the CLI would require to have the path of the directory,
in the path of the certificate. This would help avoiding that the
certificate wasn't loaded upon a reload because it is not at the right
place.

However, since version 3.0 and crt-store, the name stored in the tree
could be an alias and not a path, so that does not make sense anymore.
Even though path would be right, the check is not right anymore in this
case.

The tool or user inserting the certificate must now check itself that
the certificate was placed at the right spot on the filesystem.

Reported in issue #3053.

Could be backported as far as haproxy 3.0.

src/ssl_crtlist.c patch | blob | blame | history

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f984244003ef3a646d64c0664e24e67a2cc71ce3..baa074cece78c00d14d32d56474dae3c43d667f2 100644 (file)
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -1390,24 +1390,6 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
                goto error;
        }
 
-       if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
-               char *slash;
-
-               slash = strrchr(cert_path, '/');
-               if (!slash) {
-                       memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
-                       goto error;
-               }
-               /* temporary replace / by 0 to do an strcmp */
-               *slash = '\0';
-               if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
-                       *slash = '/';
-                       memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
-                       goto error;
-               }
-               *slash = '/';
-       }
-
        if (*cert_path != '@' && *cert_path != '/' && global_ssl.crt_base) {
                if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > sizeof(path) ||
                    snprintf(path, sizeof(path), "%s/%s",  global_ssl.crt_base, cert_path) > sizeof(path)) {
Mirror of https://github.com/haproxy/haproxy.git