From: William Lallemand <wlallemand@haproxy.org>
Date: Fri, 20 Nov 2020 17:23:40 +0000 (+0100)
Subject: BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated
X-Git-Tag: v2.4-dev1~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7340457158b20fa89d9eba0e231b3a122f5620d3;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated

Don't try to load a bundle from a crt-list if the bundle support was
disabled with ssl-load-extra-files.

Must be backported to 2.3.
---

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index ac2d849f60..8e9e5a11f3 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -550,7 +550,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 				LIST_ADDQ(&newlist->ord_entries, &entry->by_crtlist);
 				LIST_ADDQ(&ckchs->crtlist_entry, &entry->by_ckch_store);
 
-			} else {
+			} else if (global_ssl.extra_files & SSL_GF_BUNDLE) {
 				/* If we didn't find the file, this could be a
 				bundle, since 2.3 we don't support multiple
 				certificate in the same OpenSSL store, so we