From: Remi Tricot-Le Breton Date: Mon, 25 Jan 2021 16:19:45 +0000 (+0100) Subject: MINOR: ssl: Remove client_crt member of the server's ssl context X-Git-Tag: v2.4-dev7~131 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb470aa327c85ddbfebe88475b497ca49b414489;p=thirdparty%2Fhaproxy.git MINOR: ssl: Remove client_crt member of the server's ssl context The client_crt member is not used anymore since the server's ssl context initialization now behaves the same way as the bind lines one (using ckch stores and instances).
---
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index a1f72fd00a..b29c75c0b9 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -322,7 +322,6 @@ struct server {
 char *verify_host; /* hostname of certificate must match this host */
 char *ca_file; /* CAfile to use on verify */
 char *crl_file; /* CRLfile to use on verify */
- char *client_crt; /* client certificate to send */
 struct sample_expr *sni; /* sample expression for SNI */
 #ifdef OPENSSL_NPN_NEGOTIATED
 char *npn_str; /* NPN protocol string */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 55fe084637..faacc0ee04 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1442,17 +1442,25 @@ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struc
 /* parse the "crt" server keyword */
 static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
+ int retval = -1;
+ char *path = NULL;
+
 if (!*args[*cur_arg + 1]) {
 memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
 return ERR_ALERT | ERR_FATAL;
 }
 
 if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
- memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
+ memprintf(&path, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
 else
- memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
+ memprintf(&path, "%s", args[*cur_arg + 1]);
+
+ if (path) {
+ retval = ssl_sock_load_srv_cert(path, newsrv, err);
+ free(path);
+ }
 
- return ssl_sock_load_srv_cert(newsrv->ssl_ctx.client_crt, newsrv, err);
+ return retval;
 }
 
 /* parse the "no-check-ssl" server keyword */
diff --git a/src/server.c b/src/server.c
index 956196528b..10f5286401 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1535,8 +1535,6 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
 srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);
 if (src->ssl_ctx.crl_file != NULL)
 srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file);
- if (src->ssl_ctx.client_crt != NULL)
- srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt);
 srv->ssl_ctx.verify = src->ssl_ctx.verify;
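Review bot: The allocation-failure path of the new `path` handling in srv_parse_crt is silent: if `memprintf` cannot allocate, `path` stays NULL, the `if (path)` block is skipped and the function returns the initial `retval` of -1 with `*err` untouched, so the caller gets a value that, if keyword parsers return an `ERR_*` bit mask as the missing-argument branch above suggests, sets every flag and comes with no message to print. Initializing `int retval = ERR_ALERT | ERR_FATAL;` and adding `else memprintf(err, "'%s' : out of memory", args[*cur_arg]);` after the `if (path)` block would keep error reporting consistent with the rest of the function. Freeing `path` immediately after `ssl_sock_load_srv_cert()` is only safe if that function copies whatever it retains (presumably the ckch store name); that cannot be confirmed from this hunk, so a one-line comment stating the assumption, `/* path is only needed during the load; the ckch store keeps its own copy */`, would help the next reader. How the keyword dispatcher interprets -1 is not visible here.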