From: William Lallemand
Date: Wed, 8 Apr 2020 10:05:39 +0000 (+0200)
Subject: MINOR: ssl/cli: 'del ssl cert' deletes a certificate
X-Git-Tag: v2.2-dev6~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=419e6349f6d64c8b4999a930e127452a6d7763eb;p=thirdparty%2Fhaproxy.git
MINOR: ssl/cli: 'del ssl cert' deletes a certificate
Delete a certificate store from HAProxy and free its memory. The certificate must be unused and removed from any crt-list or directory. The deletion doesn't work with a certificate referenced directly with the "crt" directive in the configuration.
---
diff --git a/doc/management.txt b/doc/management.txt
index 43e3524c0b..4da9a03b04 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1524,6 +1524,12 @@ del map [|#]
 listing the content of the map. Note that if the reference is a file and is shared with a acl, the entry will be also deleted in the map.
+del ssl cert
+ Delete a certificate store from HAProxy. The certificate must be unused and
+ removed from any crt-list or directory. "show ssl cert" displays the status
+ of the certificate. The deletion doesn't work with a certificate referenced
+ directly with the "crt" directive in the configuration.
+
 del ssl crt-list
 Delete an entry in a crt-list. This will delete every SNIs used for this entry in the frontends. If a certificate is used several time in a crt-list,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f359e720ef..14ee25199d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -12550,6 +12550,50 @@ error:
 return cli_dynerr(appctx, err);
 }
 
+/* parsing function of 'del ssl cert' */
+static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx, void *private)
+{
+ struct ckch_store *store;
+ char *err = NULL;
+ char *filename;
+
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
+
+ if (!*args[3])
+ return cli_err(appctx, "'del ssl cert' expects a certificate name\n");
+
+ if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
+ return cli_err(appctx, "Can't delete the certificate!\nOperations on certificates are currently locked!\n");
+
+ filename = args[3];
+
+ store = ckchs_lookup(filename);
+ if (store == NULL) {
+ memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
+ goto error;
+ }
+ if (!LIST_ISEMPTY(&store->ckch_inst)) {
+ memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
+ goto error;
+ }
+
+ ebmb_delete(&store->node);
+ ckchs_free(store);
+
+ memprintf(&err, "Certificate '%s' deleted!\n", filename);
+
+ HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
+ return cli_dynmsg(appctx, LOG_NOTICE, err);
+
+error:
+ memprintf(&err, "Can't remove the certificate: %s\n", err ? err : "");
+ HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
+ return cli_dynerr(appctx, err);
+}
+
+
+
 static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
 {
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
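Review bot: The only in-use test before `ebmb_delete(&store->node)` and `ckchs_free(store)` is `LIST_ISEMPTY(&store->ckch_inst)`, so a store that is still referenced without an instantiated ckch_inst is freed while that reference survives; the obvious case is a store named by a pending 'set ssl cert' transaction, since the set/commit/abort handlers registered in the same cli_kws table (outside this hunk) keep their own pointer to the old store, and a later commit or abort would then operate on freed memory. Assuming the pending transaction records the certificate path as the existing handlers do, reject the deletion under the same lock, before the lookup: `if (ckchs_transaction.path && strcmp(ckchs_transaction.path, filename) == 0) { memprintf(&err, "certificate '%s' is in a transaction, can't be deleted!\n", filename); goto error; }`. The same question applies to crt-list entries that point at the store but have no bind instantiated yet; please confirm those are always reflected in ckch_inst or add the corresponding check here. The header comment should also spell out the contract, e.g. `/* parsing function of 'del ssl cert': admin only; takes ckch_lock (trylock), refuses a store with live ckch_inst, otherwise unlinks and frees it */`.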
@@ -12748,6 +12792,7 @@ static struct cli_kw_list cli_kws = {{ },{
 { { "set", "ssl", "cert", NULL }, "set ssl cert : replace a certificate file", cli_parse_set_cert, NULL, NULL },
 { { "commit", "ssl", "cert", NULL }, "commit ssl cert : commit a certificate file", cli_parse_commit_cert, cli_io_handler_commit_cert, cli_release_commit_cert },
 { { "abort", "ssl", "cert", NULL }, "abort ssl cert : abort a transaction for a certificate file", cli_parse_abort_cert, NULL, NULL },
+ { { "del", "ssl", "cert", NULL }, "del ssl cert : delete an unused certificate file", cli_parse_del_cert, NULL, NULL },
 { { "show", "ssl", "cert", NULL }, "show ssl cert [] : display the SSL certificates used in memory, or the details of a ", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
 { { "add", "ssl", "crt-list", NULL }, "add ssl crt-list [options] : add a line to a crt-list ", cli_parse_add_crtlist, cli_io_handler_add_crtlist, cli_release_add_crtlist },
 { { "del", "ssl", "crt-list", NULL }, "del ssl crt-list : delete a line in a crt-list ", cli_parse_del_crtlist, NULL, NULL },