From d73f30cb52d066cac47f35f8fe4920b60c414a95 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Tue, 15 Nov 2016 20:57:28 +1300
Subject: [PATCH] TLS: Make key= before cert= an error instead of quietly hiding the issue This squid.conf setup is fatal in Squid-4. So best to fix these installations. Even though Squdi-3 can cope with it.
---
 src/cache_cf.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 630f3e9786..ce4af39a52 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2257,6 +2257,9 @@ parse_peer(CachePeer ** head)
 safe_free(p->sslcert);
 p->sslcert = xstrdup(token + 8);
 } else if (strncmp(token, "sslkey=", 7) == 0) {
+ if (!p->sslcert) {
+ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used.");
+ }
 safe_free(p->sslkey);
 p->sslkey = xstrdup(token + 7);
 } else if (strncmp(token, "sslversion=", 11) == 0) {
@@ -3729,6 +3732,9 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token)
 safe_free(s->cert);
 s->cert = xstrdup(token + 5);
 } else if (strncmp(token, "key=", 4) == 0) {
+ if (!s->cert) {
+ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used.");
+ }
 safe_free(s->key);
 s->key = xstrdup(token + 4);
 } else if (strncmp(token, "version=", 8) == 0) {
-- 
2.47.2
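Review bot: The new `if (!p->sslcert)` branch in parse_peer only logs at DBG_CRITICAL and then falls through to `p->sslkey = xstrdup(token + 7);`, so a line with sslkey= ahead of sslcert= is still accepted although the message is labelled ERROR and the title calls it an error. The `if (!s->cert)` branch in the parse_port_option hunk behaves the same way. Going by the commit message this looks deliberate for Squid-3, so I would state it next to each check, e.g. `// Reported but not fatal here; Squid-4 rejects this ordering outright.` If the intent is instead to refuse the configuration, the branch needs to stop parsing after the debugs() call (cache_cf.cc appears to use `self_destruct();` for that; confirm against the rest of the file). Both functions start and end outside the hunks, so how the stored key is used later is not visible here.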