MINOR: server: Make 'default-server' support 'ca-file', 'crl-file' and 'crt' settings.
authorFrédéric Lécaille <flecaille@haproxy.com>
Tue, 14 Mar 2017 14:52:04 +0000 (15:52 +0100)
committerWilly Tarreau <w@1wt.eu>
Mon, 27 Mar 2017 12:37:01 +0000 (14:37 +0200)
This patch makes 'default-server' directives support 'ca-file', 'crl-file' and
'crt' settings.

src/server.c
src/ssl_sock.c

index 78b1dc7a92f3ebd0dbd0521ee51d0580eb79d293..71abf365063458f29e34ad1d0802aa13ad767aab 100644 (file)
@@ -1338,6 +1338,12 @@ int parse_server(const char *file, int linenum, char **args, struct proxy *curpr
                        newsrv->init_addr         = curproxy->defsrv.init_addr;
 #if defined(USE_OPENSSL)
                        /* SSL config. */
+                       if (curproxy->defsrv.ssl_ctx.ca_file != NULL)
+                               newsrv->ssl_ctx.ca_file = strdup(curproxy->defsrv.ssl_ctx.ca_file);
+                       if (curproxy->defsrv.ssl_ctx.crl_file != NULL)
+                               newsrv->ssl_ctx.crl_file = strdup(curproxy->defsrv.ssl_ctx.crl_file);
+                       if (curproxy->defsrv.ssl_ctx.client_crt != NULL)
+                               newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.crl_file);
                        newsrv->ssl_ctx.verify = curproxy->defsrv.ssl_ctx.verify;
                        if (curproxy->defsrv.ssl_ctx.verify_host != NULL)
                                newsrv->ssl_ctx.verify_host = strdup(curproxy->defsrv.ssl_ctx.verify_host);
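Review bot: The third added `if` copies the wrong field: it tests `curproxy->defsrv.ssl_ctx.client_crt` but passes `curproxy->defsrv.ssl_ctx.crl_file` to strdup(). A server inheriting `crt` from `default-server` would get the CRL path as its client certificate, and when `crt` is set without `crl-file` the call becomes `strdup(NULL)`, which is undefined behaviour and will typically crash while the configuration is parsed. The line should read `newsrv->ssl_ctx.client_crt = strdup(curproxy->defsrv.ssl_ctx.client_crt);`. None of the three new strdup() results is checked for NULL, the same as the existing `verify_host` copy, so an allocation failure silently drops the inherited setting. parse_server's body starts and ends outside this hunk.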
index 34860fe4e9104d21fcf52c53be2b61322b459552..72b32599df3707adf3c6fa38dce53fe77848d20c 100644 (file)
@@ -7485,11 +7485,11 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
  * not enabled.
  */
 static struct srv_kw_list srv_kws = { "SSL", { }, {
-       { "ca-file",                 srv_parse_ca_file,           1, 0 }, /* set CAfile to process verify server cert */
+       { "ca-file",                 srv_parse_ca_file,           1, 1 }, /* set CAfile to process verify server cert */
        { "check-ssl",               srv_parse_check_ssl,         0, 1 }, /* enable SSL for health checks */
        { "ciphers",                 srv_parse_ciphers,           1, 0 }, /* select the cipher suite */
-       { "crl-file",                srv_parse_crl_file,          1, 0 }, /* set certificate revocation list file use on server cert verify */
-       { "crt",                     srv_parse_crt,               1, 0 }, /* set client certificate */
+       { "crl-file",                srv_parse_crl_file,          1, 1 }, /* set certificate revocation list file use on server cert verify */
+       { "crt",                     srv_parse_crt,               1, 1 }, /* set client certificate */
        { "force-sslv3",             srv_parse_force_sslv3,       0, 1 }, /* force SSLv3 */
        { "force-tlsv10",            srv_parse_force_tlsv10,      0, 1 }, /* force TLSv10 */
        { "force-tlsv11",            srv_parse_force_tlsv11,      0, 1 }, /* force TLSv11 */