]> git.ipfire.org Git - thirdparty/haproxy.git/commit
projects / thirdparty / haproxy.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8218aed) | patch
BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Fri, 26 Mar 2021 09:47:50 +0000 (10:47 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Fri, 26 Mar 2021 12:06:39 +0000 (13:06 +0100)
commitbc2c386992decb1ec8b0096f0b2ffd860e9cd559
tree9ba5292233b953de957373e23d09d52ff62c4e3etree | snapshot
parent8218aed90e862ed01c2a8bb9bf81e6d1a90f14dbcommit | diff
BUG/MINOR: ssl: Prevent removal of crt-list line if the instance is a default one

If the first active line of a crt-list file is also the first mentioned
certificate of a frontend that does not have the strict-sni option
enabled, then its certificate will be used as the default one. We then
do not want this instance to be removable since it would make a frontend
lose its default certificate.
Considering that a crt-list file can be used by multiple frontends, and
that its first mentioned certificate can be used as default certificate
for only a subset of those frontends, we do not want the line to be
removable for some frontends and not the others. So if any of the ckch
instances corresponding to a crt-list line is a default instance, the
removal of the crt-list line will be forbidden.

It can be backported as far as 2.2.
reg-tests/ssl/del_ssl_crt-list.vtc [new file with mode: 0644] blob
src/ssl_crtlist.c diff | blob | blame | history
Mirror of https://github.com/haproxy/haproxy.git