MINOR: ssl: Prevent delete on certificate used by jwt_verify

A ckch_store used in JWT verification might not have any ckch instances
or crt-list entries linked but we don't want to be able to remove it via
the CLI anyway since it would make all future jwt_verify calls using
this certificate fail.

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b22522681366f5b054e53a0224cc74b019067475..c920f22098f2d1812c81fbb4bddc5c86f3c2e16f 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -3192,6 +3192,9 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
        if (!LIST_ISEMPTY(&store->ckch_inst)) {
                memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
                goto error;
+       } else if (store->jwt_entry) {
+               memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
+               goto error;
        }
 
        ebmb_delete(&store->node);