From: William Lallemand Date: Tue, 7 May 2024 07:40:17 +0000 (+0200) Subject: MEDIUM: ssl: temporarily load files by detecting their presence in crt-store X-Git-Tag: v3.0-dev12~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55e9e9591;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: temporarily load files by detecting their presence in crt-store crt-store is maint to be stricter than your common crt argument on a bind line, and is supposed to be a declarative format. However, since the 'ocsp-update' was migrated from ssl_conf to ckch_conf, the .issuer file is not autodetected anymore when adding a ocsp-update keyword in a crt-list file, which breaks retro-compatibility. This patch is a quick fix that will disappear once we are able to be strict on a crt-store and autodetect on a crt-list.
---
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index e6356637f8..37f9265827 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
 /* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
 static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index 685183ed93..3b61712d84 100644
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=devel
+#REGTEST_TYPE=broken
 varnishtest "Test the crt-store section"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
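Review bot: `buf` is no longer used in `ckch_conf_load_pem` now that the body calls `ssl_sock_load_files_into_ckch(value, d, err)`, while the parameter has to stay so the function keeps the same shape as `ckch_conf_load_key` and the other loaders; a `(void)buf;` before the call keeps -Wunused-parameter builds quiet and records that the drop was intentional. The header also carries no trace of what the commit message calls a quick fix: a comment on the line above the function such as `/* TEMPORARY: loads sibling files (e.g. the .issuer file) by presence on disk; crt-store is meant to be strict, switch back to ssl_sock_load_pem_into_ckch once crt-list autodetection is split out */` would stop a later reader from treating filesystem autodetection as the intended crt-store contract. Whether an explicit `key` or `ocsp-issuer` keyword in the same crt-store entry replaces the file autodetected into `d`, or is replaced by it, is not visible in this hunk and is presumably worth confirming, since that ordering decides which file on disk ends up as the private key or issuer. Each inline function is complete within the hunk.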