From: William Lallemand Date: Mon, 9 May 2022 08:30:51 +0000 (+0200) Subject: MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt X-Git-Tag: v2.6-dev10~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=589570df1fafa2ce68720a64b7ffe1ebcd91666c;p=thirdparty%2Fhaproxy.git MEDIUM: ssl: ignore dotfiles when loading a dir w/ crt Ignore the files starting with a dot when trying to load a directory with the "crt" directive. Should fix issue #1689. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index f4aba096d9..cab37b3d31 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -13833,13 +13833,14 @@ crt If a directory name is used instead of a PEM file, then all files found in that directory will be loaded in alphabetic order unless their name ends - with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This - directive may be specified multiple times in order to load certificates from - multiple files or directories. The certificates will be presented to clients - who provide a valid TLS Server Name Indication field matching one of their - CN or alt subjects. Wildcards are supported, where a wildcard character '*' - is used instead of the first hostname component (e.g. *.example.org matches - www.example.org but not www.sub.example.org). + with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). Files + starting with a dot are also ignored. This directive may be specified multiple + times in order to load certificates from multiple files or directories. The + certificates will be presented to clients who provide a valid TLS Server Name + Indication field matching one of their CN or alt subjects. Wildcards are + supported, where a wildcard character '*' is used instead of the first + hostname component (e.g. *.example.org matches www.example.org but not + www.sub.example.org). If no SNI is provided by the client or if the SSL library does not support TLS extensions, or if the client provides an SNI hostname which does not diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c index 37f2e6f0ae..1615ac51db 100644 --- a/src/ssl_crtlist.c +++ b/src/ssl_crtlist.c 
@@ -696,7 +696,9 @@ int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct crtlis struct dirent *de = de_list[i]; end = strrchr(de->d_name, '.'); - if (end && (strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 || strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0)) + if (end && (de->d_name[0] == '.' || + strcmp(end, ".issuer") == 0 || strcmp(end, ".ocsp") == 0 || + strcmp(end, ".sctl") == 0 || strcmp(end, ".key") == 0)) goto ignore_entry; snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
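Review bot: on the doc/configuration.txt hunk, the one substantive change is the single sentence "Files starting with a dot are also ignored.", but reflowing the whole paragraph turns it into a seven-line replacement, which makes the actual behavioural change hard to pick out in review and in later `git blame`. Consider adding the new sentence on its own line (or only rewrapping the one line it lands on) so the diff shows just the added rule. It would also help operators if the sentence said that the rule applies when a directory is given, matching the "If a directory name is used" opening of the paragraph, since the dot-file exclusion is part of the directory scan and not of single-file loading.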
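Review bot: in the src/ssl_crtlist.c hunk, the `de->d_name[0] == '.'` test is placed inside the `if (end && (...))` condition, which makes it look dependent on `strrchr()` having found a dot. It is correct only because a name that starts with '.' always makes `strrchr(de->d_name, '.')` return non-NULL (at worst pointing at that leading dot), and a reader has to work that out. The dot-file rule is logically independent of the reserved-extension rule, so it reads more clearly hoisted into its own check before the extension test, for example `if (de->d_name[0] == '.') goto ignore_entry;` followed by the unchanged extension comparison. Hoisting it also makes explicit that the `.` and `..` entries, should the directory scan return them, are skipped by this path rather than by the extension comparison, which previously did not match them.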