From: William Lallemand <wlallemand@haproxy.com>
Date: Tue, 31 Mar 2026 09:34:43 +0000 (+0200)
Subject: BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level
X-Git-Tag: v3.4-dev8~81
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14a4168a847cedc98ad1137839ffb03e2bdb4d3b;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl/cli: tls-keys commands warn when accessed without admin level

This commit adds an ha_warning() when 'show tls-keys' or 'set ssl
tls-key' are accessed without admin level. This is to warn users that
these commands will be restricted to admin only in HAProxy 3.3.

Must be backported in every stable branches.

Initially reported by Cameron Brown.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2b1daa748..41619bef5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8086,6 +8086,9 @@ static int cli_parse_show_tlskeys(char **args, char *payload, struct appctx *app
 {
 	struct show_keys_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1]);
+
 	/* no parameter, shows only file list */
 	if (!*args[2]) {
 		ctx->names_only = 1;
@@ -8110,6 +8113,9 @@ static int cli_parse_set_tlskeys(char **args, char *payload, struct appctx *appc
 	struct tls_keys_ref *ref;
 	int ret;
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 	/* Expect two parameters: the filename and the new new TLS key in encoding */
 	if (!*args[3] || !*args[4])
 		return cli_err(appctx, "'set ssl tls-key' expects a filename and the new TLS key in base64 encoding.\n");