From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 16 Feb 2026 17:41:40 +0000 (+0100)
Subject: BUG/MINOR: ssl: error with ssl-f-use when no "crt"
X-Git-Tag: v3.4-dev5~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1274c21a42aef878cb6ba1941982827fadb5c501;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: error with ssl-f-use when no "crt"

ssl-f-use lines tries to load a crt file, but the "crt" keyword is not
mandatory. That could lead to crtlist_load_crt() being called with a
NULL path, and trying to do a stat.

In this particular case we don't need to try anything and it's better to
leave with an actual error.

Must be backported as far as 3.2.
---

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index baa074cec..7319b1307 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -515,6 +515,13 @@ int crtlist_load_crt(char *crt_path, struct ckch_conf *cc, struct crtlist *newli
 	struct stat st;
 	int cfgerr = 0;
 
+	if (!crt_path) {
+		memprintf(err, "%sTrying to load a certificate but no 'crt' keyword specified.\n",
+		         err && *err ? *err : "");
+		cfgerr |= ERR_ALERT | ERR_FATAL;
+		goto error;
+	}
+
 	/* Look for a ckch_store or create one */
 	ckchs = ckchs_lookup(crt_path);
 	if (ckchs == NULL) {