From: William Lallemand
Date: Tue, 10 Feb 2026 20:31:07 +0000 (+0100)
Subject: BUG/MINOR: ssl: SSL_CERT_DIR environment variable doesn't affect haproxy
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea92b0ef01899ba5e515c3a0f3f10b2827b39893;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: SSL_CERT_DIR environment variable doesn't affect haproxy

The documentation of @system-ca specifies that one can overwrite the value provided by the SSL Library using SSL_CERT_DIR. However it seems like X509_get_default_cert_dir() is not affected by this environment variable, and X509_get_default_cert_dir_env() need to be used in order to get the variable name, and get the value manually.

This could be backported in every stable branches. Note that older branches don't have the memprintf in ssl_sock.c.
---
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index 35f1cdc53..1faa6c14c 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -80,6 +80,7 @@ void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
 int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
 int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
 int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
+const char *ha_default_cert_dir();
 
 extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 7753fb718..6a60d64f7 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
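Review bot: The added prototype `const char *ha_default_cert_dir();` has an empty parameter list, which in C (before C23) means "unspecified parameters" and disables argument checking at call sites rather than declaring a function that takes none. The definition added in src/ssl_ckch.c in the next hunk has the same empty list. Both should read `const char *ha_default_cert_dir(void);`.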
@@ -1490,6 +1490,25 @@ end:
 return retval;
 }
 
+/*
+ * return the default verify cert directory.
+ *
+ * It might provided by the SSL library or set in an environment variable
+ * (commonly SSL_CERT_DIR)
+ */
+const char *ha_default_cert_dir()
+{
+ const char *dir = NULL;
+ const char *certdir_varname = X509_get_default_cert_dir_env();
+
+ if (certdir_varname)
+ dir = getenv(certdir_varname);
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ return dir;
+}
+
 /*
 * Try to load a ca-file from disk into the ca-file cache.
 * allows you to to stop emitting the errors.
@@ -1519,7 +1538,7 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
 }
 
 if (strcmp(path, "@system-ca") == 0) {
- dir = X509_get_default_cert_dir();
+ dir = ha_default_cert_dir();
 if (!dir) {
 if (!shuterror)
 ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7a75d7c5b..b566c85a3 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8554,7 +8554,7 @@ static void ssl_register_build_options()
 #if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
 memprintf(&ptr, "%s\nSSL library FIPS mode : %s", ptr, FIPS_mode() ? "yes" : "no");
 #endif
- memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());
+ memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, ha_default_cert_dir());
 memprintf(&ptr, "%s\nSSL library supports :", ptr);
 for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
 if (methodVersions[i].option)
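Review bot: A variable that is exported but empty (SSL_CERT_DIR= with no value) is not treated as unset by the new ha_default_cert_dir(): getenv() returns "" in that case, the `if (dir == NULL)` test does not fire, and the library default is silently skipped, so the caller's `if (!dir)` check in the next hunk lets an empty directory name through. Testing `if (dir == NULL || *dir == '\0')` before falling back keeps the documented override while rejecting the empty value. A second caveat worth a comment rather than a change: plain getenv() honours the variable under secure-execution (setuid) conditions, whereas, to my knowledge, the SSL library reads the same variable through a secure_getenv()-style accessor that ignores it there; haproxy is presumably not run setuid, but the header comment could state that the process environment is trusted here. That comment also reads "It might provided by the SSL library" and should say "It might be provided by the SSL library".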
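Review bot: The alert two lines below the replaced call still blames X509_get_default_cert_dir(), but the directory now comes from ha_default_cert_dir(), which may also have consulted the environment variable named by X509_get_default_cert_dir_env(); the message will misdirect whoever debugs a failing @system-ca load. Naming both sources, e.g. `ha_alert("Couldn't get the system CA directory from the SSL library default or the SSL_CERT_DIR environment variable.\n");`, keeps the diagnostic accurate. The enclosing function __ssl_store_load_locations_file starts and ends outside this hunk.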