MEDIUM: ssl: temporarily load files by detecting their presence in crt-store

crt-store is maint to be stricter than your common crt argument on a
bind line, and is supposed to be a declarative format.

However, since the 'ocsp-update' was migrated from ssl_conf to
ckch_conf, the .issuer file is not autodetected anymore when adding a
ocsp-update keyword in a crt-list file, which breaks retro-compatibility.

This patch is a quick fix that will disappear once we are able to be
strict on a crt-store and autodetect on a crt-list.

diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index e6356637f86e0de49ede77695260f6d97d2add38..37f92658279a8b666ea69ad234a8e7001b16b60c 100644 (file)
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
 
 /* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
 static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }

diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index 685183ed93aba970df0af18f03c78d494a4f3d15..3b61712d845fb71bc1bf21566980f409fafe15c9 100644 (file)
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=devel
+#REGTEST_TYPE=broken
 varnishtest "Test the crt-store section"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"