From: William Lallemand
Date: Wed, 25 Mar 2026 10:54:09 +0000 (+0100)
Subject: BUG/MEDIUM: ssl/cli: tls-keys commands are missing permission checks
X-Git-Tag: v3.4-dev8~78
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=453a01387be1304d9d89e597dd915cf1501da14b;p=thirdparty%2Fhaproxy.git
BUG/MEDIUM: ssl/cli: tls-keys commands are missing permission checks
Both 'set ssl tls-key' and 'show tls-keys' command are missing the permission checks so the commands can be used only in admin mode. Must be backported to 3.3. This can be a breaking change for some users. Initially reported by Cameron Brown.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 41619bef5..23ad58cbe 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8086,8 +8086,8 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app
 {
 struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
- if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
- ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]);
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
 /* no parameter, shows only file list */
 if (!*args[2]) {
@@ -8113,8 +8113,8 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc
 struct tls_keys_ref *ref;
 int ret;
- if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
- ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+ if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+ return 1;
 /* Expect two parameters: the filename and the new new TLS key in encoding */
 if (!*args[3] || !*args[4])
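Review bot: A refused caller now leaves no server-side trace in `cli_parse_show_tlskeys`: the removed `ha_warning()` was the only record in this hunk of a non-admin socket asking for TLS key material, and the new branch is a bare `return 1;`. `cli_has_level()` is defined outside this diff, so this assumes it only answers the CLI client. If that holds, consider bracing the branch and logging before the return, e.g. `ha_warning("'%s %s' denied: admin level required\n", args[0], args[1]);`, so repeated attempts can be spotted. The same applies to the second hunk, in `cli_parse_set_tlskeys`. Both function bodies continue past their hunks.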
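Review bot: The new check in `cli_parse_set_tlskeys` carries no comment saying why admin level is required, even though the commit message flags the change as breaking for some users. A one-line comment above the check would help whoever later investigates a refused command, for example `/* TLS keys are secret material: admin-level CLI access only */`. What `return 1;` signals to the CLI dispatcher is not visible in the hunk, so confirm that convention before documenting it as well. The function starts and ends outside the hunk.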