From 55e9e95914504f15dfdfaaae71074789e46e9329 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 7 May 2024 09:40:17 +0200
Subject: [PATCH] MEDIUM: ssl: temporarily load files by detecting their presence in crt-store
crt-store is maint to be stricter than your common crt argument on a bind line, and is supposed to be a declarative format. However, since the 'ocsp-update' was migrated from ssl_conf to ckch_conf, the .issuer file is not autodetected anymore when adding a ocsp-update keyword in a crt-list file, which breaks retro-compatibility. This patch is a quick fix that will disappear once we are able to be strict on a crt-store and autodetect on a crt-list.
---
include/haproxy/ssl_ckch.h | 2 +-
reg-tests/ssl/crt_store.vtc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/haproxy/ssl_ckch.h b/include/haproxy/ssl_ckch.h
index e6356637f8..37f9265827 100644
--- a/include/haproxy/ssl_ckch.h
+++ b/include/haproxy/ssl_ckch.h
@@ -82,7 +82,7 @@ extern struct cert_exts cert_exts[];
 extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
 /* ckch_conf keyword loading */
-static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_pem_into_ckch(value, buf, d, err); }
+static inline int ckch_conf_load_pem(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_files_into_ckch(value, d, err); }
 static inline int ckch_conf_load_key(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_key_into_ckch(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_response(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_ocsp_response_from_file(value, buf, d, err); }
 static inline int ckch_conf_load_ocsp_issuer(void *value, char *buf, struct ckch_data *d, int cli, char **err) { if (cli) return 0; return ssl_sock_load_issuer_file_into_ckch(value, buf, d, err); }
diff --git a/reg-tests/ssl/crt_store.vtc b/reg-tests/ssl/crt_store.vtc
index 685183ed93..3b61712d84 100644
--- a/reg-tests/ssl/crt_store.vtc
+++ b/reg-tests/ssl/crt_store.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=devel
+#REGTEST_TYPE=broken
 varnishtest "Test the crt-store section"
 feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
 feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
-- 
2.39.5
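Review bot: The rewritten ckch_conf_load_pem silently discards `buf`: the new call `ssl_sock_load_files_into_ckch(value, d, err)` takes no in-memory PEM, so if any non-cli caller still passes a non-NULL `buf` (the `cli` early-return suggests it carried a CLI payload, but the callers are not visible here) that content is now ignored and the loader reads from disk instead. The bigger security-relevant shift is that a crt-store entry, meant to be declarative, now binds whatever companion files happen to sit next to the PEM — the commit message names the `.issuer`, and presumably the same detection covers the key and OCSP files — so a stray file dropped into the certificate directory changes the loaded material without any declaration, and it is unclear from this hunk what wins when the same entry also carries an explicit `key` or `ocsp-issuer` keyword. I would keep the in-memory path and label the workaround so it is not forgotten: `if (buf) return ssl_sock_load_pem_into_ckch(value, buf, d, err);` ahead of the new call, plus a comment along the lines of `/* TEMPORARY: autodetects companion files next to the PEM for crt-list retro-compat; restore strict loading for crt-store once crt-list and crt-store loaders are split */`, and a line in the crt-store documentation stating that companion files are currently autodetected by presence. The unused `buf` will also trip -Wunused-parameter on this one-liner while its siblings still use it.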
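Review bot: Flipping the crt-store regtest from `devel` to `broken` removes the only regression coverage of the section in the very commit that changes what its loader reads from disk, and nothing in the file records why it fails or when it may be re-enabled. Presumably the test's entries now pick up (or miss) autodetected companion files, but that is not stated anywhere. A one-line note next to the marker would keep it from rotting: `# broken: crt-store temporarily autodetects companion files (see ckch_conf_load_pem); set back to devel once crt-store is strict again`. Better still, adapt the fixtures so the test keeps running under the temporary behaviour rather than going dark.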