From: William Lallemand Date: Tue, 10 Dec 2024 10:19:15 +0000 (+0100) Subject: MINOR: ssl/cli: add negative filters to "show ssl sni" X-Git-Tag: v3.2-dev1~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6b3080966402123fb4dca95620aea1b40ebc2c8;p=thirdparty%2Fhaproxy.git MINOR: ssl/cli: add negative filters to "show ssl sni" The 'show ssl sni' output can be confusing when using crt-list, because the wildcards can be completed with negative filters, and they need to be associated to the same line. Having a negative filter on its line alone does not make much sense, this patch adds a new 'Negative Filter' column that show the exception applied on a wildcard from a crt-list line. --- diff --git a/doc/management.txt b/doc/management.txt index 90e953fcdf..2228d6616a 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -3777,6 +3777,10 @@ show ssl sni [-f ] explicitely by 'default-crt' or is implicitely the first certificate of a bind line when no 'strict-sni' is used) shows the '*' character in the SNI column. + The 'Negative Filter' column is the list of negative filters associated to a + wildcard, this will show all negatives filters that are on the same crt-list + line. A dash character is displayed if there are none. + The 'Type' column shows the encryption algorithm type, it can be "rsa", "ecdsa" or "dsa". The 'Filename' column can be either a filename from the configuration, or an 
@@ -3787,12 +3791,14 @@ show ssl sni [-f ] Example: $ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t' - # Frontend/Bind SNI Type Filename NotAfter NotBefore - li1/haproxy.cfg:10021 machine10 rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT - li1/haproxy.cfg:10021 machine10 ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT - li1/haproxy.cfg:10021 localhost rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT - li1/haproxy.cfg:10021 localhost ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT - li1/haproxy.cfg:10021 * rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT + # Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore + li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT + li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT + li1/haproxy.cfg:10021 machine10 - rsa machine10.pem.rsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT + li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT + li1/haproxy.cfg:10021 localhost - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT + li1/haproxy.cfg:10021 localhost - ecdsa localhost.pem.ecdsa Jun 13 13:37:10 2024 GMT May 14 13:37:10 2024 GMT + li1/haproxy.cfg:10021 * - rsa localhost.pem.rsa Jun 13 13:37:11 2024 GMT May 14 13:37:11 2024 GMT show startup-logs Dump all messages emitted during the startup of the current haproxy process, diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index a0eb1ecfa3..193e22cdc6 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c 
@@ -1571,7 +1571,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx) /* ctx->bind is NULL only once we finished dumping a frontend or when starting * so let's dump the header in these cases*/ if (ctx->bind == NULL && (ctx->onefrontend == 1 || (ctx->onefrontend == 0 && ctx->px == proxies_list))) - chunk_appendf(trash, "# Frontend/Bind\tSNI\tType\tFilename\tNotAfter\tNotBefore\n"); + chunk_appendf(trash, "# Frontend/Bind\tSNI\tNegative Filter\tType\tFilename\tNotAfter\tNotBefore\n"); if (applet_putchk(appctx, trash) == -1) goto yield; @@ -1605,19 +1605,35 @@ static int cli_io_handler_show_sni(struct appctx *appctx) if (!n) continue; - while (n) { + for (; n; n = ebmb_next(n)) { struct sni_ctx *sni; const char *name; const char *certalg; - - chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line); + int isneg = 0; /* is there any negative filters associated to this node */ sni = ebmb_entry(n, struct sni_ctx, name); + if (sni->neg) + continue; + + chunk_appendf(trash, "%s/%s:%d\t", bind->frontend->id, bind->file, bind->line); + name = (char *)sni->name.key; chunk_appendf(trash, "%s%s%s\t", sni->neg ? "!" : "", type ? "*" : "", name); + /* we are looking at wildcards, let's check the negative filters */ + if (type == 1) { + struct sni_ctx *sni_tmp; + list_for_each_entry(sni_tmp, &sni->ckch_inst->sni_ctx, by_ckch_inst) { + if (sni_tmp->neg) { + chunk_appendf(trash, "%s%s ", sni_tmp->neg ? "!" : "", (char *)sni_tmp->name.key); + isneg = 1; + } + } + } + chunk_appendf(trash, "%s\t", isneg ? "" : "-"); + switch (sni->kinfo.sig) { case TLSEXT_signature_ecdsa: certalg = "ecdsa"; @@ -1642,7 +1658,6 @@ static int cli_io_handler_show_sni(struct appctx *appctx) goto yield; } - n = ebmb_next(n); } ctx->n = NULL; }
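Review bot: A negative filter that is itself a wildcard is printed without its leading `*` by the new inner `list_for_each_entry` loop, because the key is dumped raw with `(char *)sni_tmp->name.key` while the outer print on the same hunk shows that wildcard keys are stored stripped and need `type ? "*" : ""` re-added; a crt-list entry such as `!*.m1.ex.lan` would come out as `!.m1.ex.lan`, assuming the crt-list parser accepts a negated wildcard (it is parsed with the same `!`/`*` prefixes as positive names, as far as I can tell). If `struct sni_ctx` records whether an entry came from the wildcard tree, the line should become `chunk_appendf(trash, "!%s%s ", sni_tmp->wild ? "*" : "", (char *)sni_tmp->name.key);` (field name to be confirmed); otherwise the filter has to be located through the tree it lives in, as the positive entries are. The `sni->neg ? "!" : ""` and `sni_tmp->neg ? "!" : ""` ternaries are now dead code after the added `if (sni->neg) continue;` and the `if (sni_tmp->neg)` guard respectively, and can be dropped to avoid suggesting a path that no longer exists. Each filter is also emitted with a trailing space before the tab (`"%s%s "`), which `column -t -s $'\t'` hides but any other consumer of the CLI output will see. cli_io_handler_show_sni begins and ends outside this hunk.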