MINOR: ssl: accept 'verify' bind option with 'set ssl cert'
authorEmmanuel Hocdet <manu@gandi.net>
Mon, 20 Jan 2020 16:18:00 +0000 (17:18 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Tue, 21 Jan 2020 08:58:41 +0000 (09:58 +0100)
Since the patch series started with d4f9a60e "MINOR: ssl: deduplicate ca-file",
no file access is done any more for the 'verify' bind options (crl/ca file).
Remove conditional restriction for "set ssl cert" CLI commands.

src/ssl_sock.c

index 95dbe4c891384d79aa5ed6f3bf50f54f755b069b..fd350f39c0999bdbf9b3bb88506a42adc4d5db33 100644 (file)
@@ -10493,7 +10493,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                /* walk through the old ckch_inst and creates new ckch_inst using the updated ckchs */
                                list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
                                        struct ckch_inst *new_inst;
-                                       int verify = 0;
 
                                        /* it takes a lot of CPU to creates SSL_CTXs, so we yield every 10 CKCH instances */
                                        if (y >= 10) {
@@ -10502,15 +10501,6 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
                                                goto yield;
                                        }
 
-                                       /* prevent ssl_sock_prepare_ctx() to do file access which is only for verify (crl/ca file) */
-                                       verify = (ckchi->ssl_conf && ckchi->ssl_conf->verify) ? ckchi->ssl_conf->verify : ckchi->bind_conf->ssl_conf.verify;
-                                       if (verify & SSL_VERIFY_PEER) {
-                                               memprintf(&err, "%sCan't commit a certificate which use the 'verify' bind SSL option [%s:%d]\n", err ? err : "", ckchi->bind_conf->file, ckchi->bind_conf->line);
-                                               errcode |= ERR_FATAL | ERR_ABORT;
-                                               goto error;
-                                       }
-
-
                                        if (new_ckchs->multi)
                                                errcode |= ckch_inst_new_load_multi_store(new_ckchs->path, new_ckchs, ckchi->bind_conf, ckchi->ssl_conf, NULL, 0, &new_inst, &err);
                                        else
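Review bot: Removing the SSL_VERIFY_PEER guard makes the "no file access from the CLI commit handler" invariant implicit, so the call to ckch_inst_new_load_multi_store()/ckch_inst_new_load_store() just below now silently depends on the ca-file/crl-file deduplication patches keeping that property. A short comment at the call site would preserve the reason the guard could go, e.g. `/* ca-file/crl-file are served from the deduplicated store, so preparing the new SSL_CTX must not touch the filesystem from the CLI (see d4f9a60e) */`. Whether the load helpers really never open files cannot be confirmed from this hunk; it is inferred from the commit description. cli_io_handler_commit_cert() starts and ends outside the hunk, and the matching `int verify = 0;` deletion in the first hunk is covered by this note.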