mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-01-29 09:32:49 +00:00
MINOR: ssl: render file-access optional on server crt loading
The function ssl_sock_load_srv_cert will be used at runtime for dynamic servers. If the cert is not loaded on ckch tree, we try to access it from the file-system. Now this access operation is rendered optional by a new function argument. It is only allowed at parsing time, but will be disabled for dynamic servers at runtime.
This commit is contained in:
parent
b89d3d3de7
commit
36aa451a4e
@ -118,7 +118,7 @@ void ssl_async_fd_free(int fd);
|
||||
struct issuer_chain* ssl_get0_issuer_chain(X509 *cert);
|
||||
int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err);
|
||||
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err);
|
||||
int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
|
||||
int ssl_sock_load_srv_cert(char *path, struct server *server, int create_if_none, char **err);
|
||||
void ssl_free_global_issuers(void);
|
||||
int ssl_initialize_random(void);
|
||||
int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
|
||||
|
@ -1491,7 +1491,7 @@ static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct ser
|
||||
memprintf(&path, "%s", args[*cur_arg + 1]);
|
||||
|
||||
if (path) {
|
||||
retval = ssl_sock_load_srv_cert(path, newsrv, err);
|
||||
retval = ssl_sock_load_srv_cert(path, newsrv, 1, err);
|
||||
free(path);
|
||||
}
|
||||
|
||||
|
@ -3718,7 +3718,7 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
|
||||
* backend server (server configuration line).
|
||||
* Returns a set of ERR_* flags possibly with an error in <err>.
|
||||
*/
|
||||
int ssl_sock_load_srv_cert(char *path, struct server *server, char **err)
|
||||
int ssl_sock_load_srv_cert(char *path, struct server *server, int create_if_none, char **err)
|
||||
{
|
||||
struct stat buf;
|
||||
int cfgerr = 0;
|
||||
@ -3729,14 +3729,23 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err)
|
||||
/* we found the ckchs in the tree, we can use it directly */
|
||||
cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
|
||||
found++;
|
||||
} else if (stat(path, &buf) == 0) {
|
||||
/* We do not manage directories on backend side. */
|
||||
if (S_ISDIR(buf.st_mode) == 0) {
|
||||
++found;
|
||||
ckchs = ckchs_load_cert_file(path, err);
|
||||
if (!ckchs)
|
||||
cfgerr |= ERR_ALERT | ERR_FATAL;
|
||||
cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
|
||||
} else {
|
||||
if (!create_if_none) {
|
||||
memprintf(err, "%sunable to stat SSL certificate '%s'.\n",
|
||||
err && *err ? *err : "", path);
|
||||
cfgerr |= ERR_ALERT | ERR_FATAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (stat(path, &buf) == 0) {
|
||||
/* We do not manage directories on backend side. */
|
||||
if (S_ISDIR(buf.st_mode) == 0) {
|
||||
++found;
|
||||
ckchs = ckchs_load_cert_file(path, err);
|
||||
if (!ckchs)
|
||||
cfgerr |= ERR_ALERT | ERR_FATAL;
|
||||
cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
@ -3745,6 +3754,7 @@ int ssl_sock_load_srv_cert(char *path, struct server *server, char **err)
|
||||
cfgerr |= ERR_ALERT | ERR_FATAL;
|
||||
}
|
||||
|
||||
out:
|
||||
return cfgerr;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user