From: William Lallemand Date: Fri, 4 Apr 2025 15:13:51 +0000 (+0200) Subject: MEDIUM: ssl/crt-list: warn on negative wildcard filters X-Git-Tag: v3.2-dev10~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9ae6b516decf82186fdc715d9931d19d76db084;p=thirdparty%2Fhaproxy.git MEDIUM: ssl/crt-list: warn on negative wildcard filters negative wildcard filters were always a noop, and are not useful for anything unless you want to use !* alone to remove every name from a certificate. This is confusing and the documentation never stated it correctly. This patch adds a warning during the bind initialization if it founds one, only !* does not emit a warning. This patch was done during the debugging of issue #2900. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 15ca095e9..3257f5564 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -2465,8 +2465,11 @@ static int ckch_inst_add_cert_sni(SSL_CTX *ctx, struct ckch_inst *ckch_inst, default_crt = 1; } /* !* filter is a nop */ - if (neg && wild) + if (neg && wild) { + if (*name) + ha_warning("parsing [%s:%d]: crt-list: Unsupported exclusion (!) on a wildcard filter \"!*%s\"\n", s->file, s->line, name); return order; + } if (*name || default_crt) { int j, len; len = strlen(name);
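Review bot: the warning text in the new `ha_warning()` call says the exclusion is "Unsupported" but does not tell the operator what actually happens, which is that the `!*name` filter is accepted and silently ignored (the code still hits `return order;` just as before); consider appending ", filter is ignored" to the message so a reader of the startup log understands the certificate still matches every name the filter was meant to exclude. Two smaller points in the same block: the comment `/* !* filter is a nop */` above the `if (neg && wild) {` now describes only the `*name == '\0'` case and should be extended to say that any negative wildcard filter is a no-op and that a non-empty one warns; and the new path dereferences `s->file` and `s->line` where the old code returned without touching `s`, so please confirm `s` is guaranteed non-NULL for every caller of `ckch_inst_add_cert_sni()` before this lands.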