From: William Lallemand
Date: Fri, 9 May 2025 16:52:09 +0000 (+0200)
Subject: BUG/MINOR: ssl: prevent multiple 'crt' on the same ssl-f-use line
X-Git-Tag: v3.2-dev16~46
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ce3fb35a234dd268738c6e8e1f29290dcf006e1;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: prevent multiple 'crt' on the same ssl-f-use line

The 'ssl-f-use' implementation doesn't prevent having the 'crt' keyword multiple times, which overwrites the previous value, letting users think that it is possible to use multiple certificates on the same line, which is not the case.

This patch emits an alert when setting the 'crt' keyword multiple times on the same ssl-f-use line.

Should fix issue #2966.

No backport needed.
---

diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index c71e070d6..3192121d6 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c @@ -2208,6 +2208,10 @@ static int proxy_parse_ssl_f_use(char **args, int section_type, struct proxy *cu char path[MAXPATHLEN+1]; const char *arg = args[cur_arg+1]; + if (ckch_conf->crt) { + memprintf(err, "'%s' already specified, aborting.", "crt"); + goto error; + } if (*arg != '@' && *arg != '/' && global_ssl.crt_base) { if ((strlen(global_ssl.crt_base) + 1 + strlen(arg)) > sizeof(path) || snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, arg) > sizeof(path)) {
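
Review bot: the alert raised by the new "if (ckch_conf->crt)" check reads only "'crt' already specified, aborting.", which does not tell an operator who put two certificates on one ssl-f-use line that the keyword accepts a single certificate, nor which value was kept. Consider naming the directive and the one-certificate-per-line rule in the message, and writing "crt" directly in the format string since it is a constant rather than passing it through "%s". The check also depends on ckch_conf->crt being NULL until this keyword has been parsed; the allocation is outside the hunk, so it is worth confirming that the structure is zero-initialised. Separately, in the unchanged context that follows, both length tests use ">" against sizeof(path): when strlen(global_ssl.crt_base) + 1 + strlen(arg) equals sizeof(path), snprintf returns sizeof(path) and the path is truncated by one character without either test firing, so ">=" would be the safer comparison.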