BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
authorWilliam Lallemand <wlallemand@haproxy.com>
Tue, 15 Dec 2020 13:57:46 +0000 (14:57 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Tue, 15 Dec 2020 14:13:21 +0000 (15:13 +0100)
In issue #1004, it was reported that it is not possible to remove
correctly a certificate after updating it when it came from a crt-list.

Indeed the "commit ssl cert" command on the CLI does not update the list
of ckch_inst in the crtlist_entry. Because of this, the "del ssl
crt-list" command removes neither the instances nor the SNIs
because they were never linked to the crtlist_entry.

This patch fixes the issue by inserting the ckch_inst in the
crtlist_entry once generated.

Must be backported as far as 2.2.

src/ssl_ckch.c

index 198ac634ac22dc47f5a4f569f7f2984b747ac893..4a85a5dc68e434c314231af3c1348166ec03e137 100644 (file)
@@ -1337,6 +1337,9 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                        if (ckchi->is_default)
                                                new_inst->is_default = 1;
 
+                                       /* create the link to the crtlist_entry */
+                                       new_inst->crtlist_entry = ckchi->crtlist_entry;
+
                                        /* we need to initialize the SSL_CTX generated */
                                        /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
                                        list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
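Review bot: The crtlist_entry pointer copied in the added assignment is presumably NULL for certificates that were not loaded through a crt-list, which is what the `if (ckchi->crtlist_entry)` guard in the second hunk appears to rely on; the comment should state that, e.g. `/* create the link to the crtlist_entry (NULL when the cert did not come from a crt-list) */`. The enclosing cli_io_handler_commit_cert starts and ends outside this hunk.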
@@ -1374,6 +1377,12 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                        ebpt_insert(&entry->crtlist->entries, &entry->node);
                                }
 
+                               /* insert the new ckch_insts in the crtlist_entry */
+                               list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
+                                       if (ckchi->crtlist_entry)
+                                               LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
+                               }
+
                                /* First, we insert every new SNIs in the trees, also replace the default_ctx */
                                list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
                                        HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
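Review bot: The added loop links every new ckch_inst into its crtlist_entry->ckch_inst, but nothing in the hunk unlinks the old instances that this commit replaces; if the old instances are later freed without a LIST_DEL on their by_crtlist_entry node (that release path is outside this hunk), the entry's list would keep a dangling node and "del ssl crt-list" would walk freed memory. It is worth confirming that the old-instance release path removes by_crtlist_entry, or unlinking it explicitly next to this loop. Note also that LIST_ADD prepends, so the instances end up in reverse order relative to new_ckchs->ckch_inst; if that order matters to the crt-list code, LIST_ADDQ would preserve it. The list is modified before the SNI lock taken on the last visible line, so it presumably relies on a lock held by the caller — a comment such as `/* crtlist_entry->ckch_inst is only touched under the ckch lock held by the CLI handler */` (if that is indeed the case) would make the assumption explicit. The enclosing cli_io_handler_commit_cert starts and ends outside this hunk.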