From: William Lallemand
Date: Mon, 24 Feb 2020 15:30:12 +0000 (+0100)
Subject: BUG/MINOR: ssl: load .key in a directory only after PEM
X-Git-Tag: v2.2-dev3~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f25ae31bdc0e7a178e75e2cd08e8deb6bfe101e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: load .key in a directory only after PEM

Don't try to load a .key in a directory without loading its associated certificate file. This patch ignores the .key files when iterating over the files in a directory.

Introduced by 4c5adbf ("MINOR: ssl: load the key from a dedicated file").

--- diff --git a/doc/configuration.txt b/doc/configuration.txt index 61c7d5cea0..c20311d3de 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt
@@ -11341,13 +11341,13 @@ crt are loaded. If a directory name is used instead of a PEM file, then all files found in - that directory will be loaded in alphabetic order unless their name ends with - '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be - specified multiple times in order to load certificates from multiple files or - directories. The certificates will be presented to clients who provide a - valid TLS Server Name Indication field matching one of their CN or alt - subjects. Wildcards are supported, where a wildcard character '*' is used - instead of the first hostname component (e.g. *.example.org matches + that directory will be loaded in alphabetic order unless their name ends + with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This + directive may be specified multiple times in order to load certificates from + multiple files or directories. The certificates will be presented to clients + who provide a valid TLS Server Name Indication field matching one of their + CN or alt subjects. Wildcards are supported, where a wildcard character '*' + is used instead of the first hostname component (e.g. *.example.org matches www.example.org but not www.sub.example.org). If no SNI is provided by the client or if the SSL library does not support diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1b3cf55ab5..22985d5b34 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4416,7 +4416,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) struct dirent *de = de_list[i]; end = strrchr(de->d_name, '.'); - if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl"))) + if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl") || !strcmp(end, ".key"))) goto ignore_entry; snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
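Review bot: the reworded paragraph in doc/configuration.txt now lists '.key' among the reserved extensions but does not say what happens to such a file, while the commit subject says the key is still loaded, only after its PEM. Suggest adding one sentence after "(reserved extensions)" stating that a '.key' file is picked up as the private key of the certificate file with the same base name rather than being loaded on its own, so a reader does not conclude that keys placed in a directory are ignored entirely.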
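Review bot: the `strcmp` chain at the top of the directory loop in ssl_sock_load_cert() now carries a fourth literal, and the same list is repeated by hand in doc/configuration.txt, so the two are easy to let drift apart; consider a static array of reserved suffixes walked in one loop so the code and the doc line share a single source. Worth a comment above the check as well: the match is on the last '.' returned by `strrchr` and is case-sensitive, so `foo.KEY` or `foo.key.bak` are still loaded as PEM (consistent with the existing entries), and a `.key` with no companion certificate is now skipped silently via `goto ignore_entry` rather than reported, which is the intended fix but leaves a misplaced key undetected at config load.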