MINOR: ssl: Read the file used to generate certificates in any order
authorChristopher Faulet <cfaulet@qualys.com>
Fri, 9 Oct 2015 08:53:31 +0000 (10:53 +0200)
committerWilly Tarreau <w@1wt.eu>
Fri, 9 Oct 2015 10:13:08 +0000 (12:13 +0200)
The file specified by the SSL option 'ca-sign-file' can now contain the CA
certificate used to dynamically generate certificates and its private key in
either order.

src/ssl_sock.c

index 8faa670be18f9db4d00705e3d2845903d1b20673..397e46b33225cbdd5fed340680ec6f8d8e992605 100644 (file)
@@ -2510,43 +2510,39 @@ ssl_sock_load_ca(struct bind_conf *bind_conf, struct proxy *px)
                Alert("Proxy '%s': cannot enable certificate generation, "
                      "no CA certificate File configured at [%s:%d].\n",
                      px->id, bind_conf->file, bind_conf->line);
-               err++;
-       }
-
-       if (err)
                goto load_error;
+       }
 
        /* read in the CA certificate */
        if (!(fp = fopen(bind_conf->ca_sign_file, "r"))) {
                Alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d].\n",
                      px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
-               err++;
                goto load_error;
        }
        if (!(cacert = PEM_read_X509(fp, NULL, NULL, NULL))) {
                Alert("Proxy '%s': Failed to read CA certificate file '%s' at [%s:%d].\n",
                      px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
-               fclose (fp);
-               err++;
-               goto load_error;
+               goto read_error;
        }
+       rewind(fp);
        if (!(capkey = PEM_read_PrivateKey(fp, NULL, NULL, bind_conf->ca_sign_pass))) {
                Alert("Proxy '%s': Failed to read CA private key file '%s' at [%s:%d].\n",
                      px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
-               fclose (fp);
-               err++;
-               goto load_error;
+               goto read_error;
        }
-       fclose (fp);
 
+       fclose (fp);
        bind_conf->ca_sign_cert = cacert;
        bind_conf->ca_sign_pkey = capkey;
        return err;
 
load_error:
-       bind_conf->generate_certs = 0;
read_error:
+       fclose (fp);
        if (capkey) EVP_PKEY_free(capkey);
        if (cacert) X509_free(cacert);
+ load_error:
+       bind_conf->generate_certs = 0;
+       err++;
        return err;
 }
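Review bot: Nothing verifies that the private key read after `rewind(fp)` belongs to the certificate read just before it; now that both objects are taken from one file in any order, a file holding the CA certificate plus an unrelated key loads cleanly and the mismatch would presumably only surface later when certificates signed with it fail to validate. Calling `X509_check_private_key(cacert, capkey)` before the `fclose (fp)` on the success path and jumping to `read_error` on failure closes that gap, and `read_error` already frees both objects. Separately, the Alert on a failed `PEM_read_PrivateKey` does not say why it failed (wrong `ca-sign-pass` versus no key block in the file) and leaves the OpenSSL error queue populated; reporting `ERR_reason_error_string(ERR_get_error())` in that message would help operators, assuming the error queue is not drained elsewhere in this file. As a point of style, ` load_error:` carries a leading space while `read_error:` does not, and a one-line comment noting that `load_error` must stay after `read_error` because only the latter closes `fp` would protect the label order. The `if` whose body opens this hunk and the start of `ssl_sock_load_ca` lie outside the hunk.
```c
	rewind(fp);
	if (!(capkey = PEM_read_PrivateKey(fp, NULL, NULL, bind_conf->ca_sign_pass))) {
		/* … unchanged: Alert + goto read_error … */
	}
	/* Both objects come from the same file in any order: refuse a key that
	 * does not belong to the CA certificate instead of signing with it. */
	if (!X509_check_private_key(cacert, capkey)) {
		Alert("Proxy '%s': CA certificate and private key in '%s' do not match at [%s:%d].\n",
		      px->id, bind_conf->ca_sign_file, bind_conf->file, bind_conf->line);
		goto read_error;
	}

	fclose (fp);
	/* … unchanged: store ca_sign_cert / ca_sign_pkey, return, error labels … */
```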