From: Remi Tricot-Le Breton Date: Mon, 30 Jun 2025 14:56:28 +0000 (+0200) Subject: MINOR: ssl: Prevent delete on certificate used by jwt_verify X-Git-Tag: v3.3-dev3~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=093a3ad7f2e2f526cdda7481a830b46a6afaf722;p=thirdparty%2Fhaproxy.git MINOR: ssl: Prevent delete on certificate used by jwt_verify A ckch_store used in JWT verification might not have any ckch instances or crt-list entries linked but we don't want to be able to remove it via the CLI anyway since it would make all future jwt_verify calls using this certificate fail.
---
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b22522681..c920f2209 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3192,6 +3192,9 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
 if (!LIST_ISEMPTY(&store->ckch_inst)) {
 memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
 goto error;
+ } else if (store->jwt_entry) {
+ memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
+ goto error;
 }
 ebmb_delete(&store->node);
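Review bot: The new `else if (store->jwt_entry)` branch in cli_parse_del_cert carries no comment explaining why a store whose `ckch_inst` list is empty can still be in use, so the reason lives only in the commit message; a line such as `/* a store referenced by jwt_verify may have no ckch_inst but must not be removed */` above the branch would keep it with the code. Because the preceding branch already ends in `goto error`, the test could also be written as a separate `if (store->jwt_entry) {` after the closing brace, so each refusal reason stands as its own guard. The hunk does not show where `jwt_entry` is set or cleared, or whether this read and the `ebmb_delete()` that follows run under the same lock; that is worth confirming so the check and the removal cannot be separated by a concurrent update. The function body starts and ends outside the hunk.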