From: William Lallemand Date: Mon, 11 Aug 2025 15:24:11 +0000 (+0200) Subject: MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory X-Git-Tag: v3.3-dev7~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55d561042c81f8853364a62b4d5eaba2555c2673;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory In previous versions of haproxy, insertions of certificates in a crt-list from the CLI would require to have the path of the directory, in the path of the certificate. This would help avoiding that the certificate wasn't loaded upon a reload because it is not at the right place. However, since version 3.0 and crt-store, the name stored in the tree could be an alias and not a path, so that does not make sense anymore. Even though path would be right, the check is not right anymore in this case. The tool or user inserting the certificate must now check itself that the certificate was placed at the right spot on the filesystem. Reported in issue #3053. Could be backported as far as haproxy 3.0. --- diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index f98424400..baa074cec 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c @@ -1390,24 +1390,6 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc goto error; } - if (eb_gettag(crtlist->entries.b[EB_RGHT])) { - char *slash; - - slash = strrchr(cert_path, '/'); - if (!slash) { - memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path); - goto error; - } - /* temporary replace / by 0 to do an strcmp */ - *slash = '\0'; - if (strcmp(cert_path, (char*)crtlist->node.key) != 0) { - *slash = '/'; - memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path); - goto error; - } - *slash = '/'; - } - if (*cert_path != '@' && *cert_path != '/' && global_ssl.crt_base) { if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > sizeof(path) || snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, cert_path) > sizeof(path)) {