From: William Lallemand <wlallemand@haproxy.com>
Date: Wed, 27 Aug 2025 13:56:38 +0000 (+0200)
Subject: MEDIUM: ssl: convert diag to warning for strict-sni + default-crt
X-Git-Tag: v3.3-dev8~96
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab7358b366911464f5034e4afe8c264187305ad1;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: convert diag to warning for strict-sni + default-crt

Previous patch emits a diag warning when both 'strict-sni' +
'default-crt' are used on the same bind line.

This patch converts this diagnostic warning to a real warning, so the
previous patch could be backported without breaking configurations.

This was discussed in #3082.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 347256d35..fc4e5a602 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5048,7 +5048,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
 		}
 
 		if (is_default ==  CKCH_INST_EXPL_DEFAULT) {
-			ha_diag_warning("Proxy '%s': both 'default-crt' and 'strict-sni' keywords are used in bind '%s' at [%s:%d], certificates won't be used as fallback (use 'crt' instead).\n",
+			ha_warning("Proxy '%s': both 'default-crt' and 'strict-sni' keywords are used in bind '%s' at [%s:%d], certificates won't be used as fallback (use 'crt' instead).\n",
 				   px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
 		}