MEDIUM: ssl/crt-list: warn on negative wildcard filters

negative wildcard filters were always a noop, and are not useful for
anything unless you want to use !* alone to remove every name from a
certificate.

This is confusing and the documentation never stated it correctly. This
patch adds a warning during the bind initialization if it founds one,
only !* does not emit a warning.

This patch was done during the debugging of issue #2900.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 15ca095e9ef7221fdc080a587dc3739d84ef4ffc..3257f5564a1ccb57ca2e318efc8c8d375f8d41dd 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2465,8 +2465,11 @@ static int ckch_inst_add_cert_sni(SSL_CTX *ctx, struct ckch_inst *ckch_inst,
                        default_crt = 1;
        }
        /* !* filter is a nop */
-       if (neg && wild)
+       if (neg && wild) {
+               if (*name)
+                       ha_warning("parsing [%s:%d]: crt-list: Unsupported exclusion (!) on a wildcard filter \"!*%s\"\n", s->file, s->line, name);
                return order;
+       }
        if (*name || default_crt) {
                int j, len;
                len = strlen(name);