From 3f25ae31bdc0e7a178e75e2cd08e8deb6bfe101e Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Mon, 24 Feb 2020 16:30:12 +0100 Subject: [PATCH] BUG/MINOR: ssl: load .key in a directory only after PEM Don't try to load a .key in a directory without loading its associated certificate file. This patch ignores the .key files when iterating over the files in a directory. Introduced by 4c5adbf ("MINOR: ssl: load the key from a dedicated file"). --- doc/configuration.txt | 14 +++++++------- src/ssl_sock.c | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index 61c7d5cea0..c20311d3de 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -11341,13 +11341,13 @@ crt are loaded. If a directory name is used instead of a PEM file, then all files found in - that directory will be loaded in alphabetic order unless their name ends with - '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be - specified multiple times in order to load certificates from multiple files or - directories. The certificates will be presented to clients who provide a - valid TLS Server Name Indication field matching one of their CN or alt - subjects. Wildcards are supported, where a wildcard character '*' is used - instead of the first hostname component (e.g. *.example.org matches + that directory will be loaded in alphabetic order unless their name ends + with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This + directive may be specified multiple times in order to load certificates from + multiple files or directories. The certificates will be presented to clients + who provide a valid TLS Server Name Indication field matching one of their + CN or alt subjects. Wildcards are supported, where a wildcard character '*' + is used instead of the first hostname component (e.g. *.example.org matches www.example.org but not www.sub.example.org). If no SNI is provided by the client or if the SSL library does not support diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 1b3cf55ab5..22985d5b34 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -4416,7 +4416,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err) struct dirent *de = de_list[i]; end = strrchr(de->d_name, '.'); - if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl"))) + if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl") || !strcmp(end, ".key"))) goto ignore_entry; snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name); -- 2.47.3