MINOR: ssl: support ca-file arg for dynamic servers

File-access through ssl_store_load_locations_file is deactivated if srv_parse_ca_file is used at runtime for a dynamic server. The ca-file must have already been loaded either in the config or through the 'ssl ca-file' CLI commands.
2025-04-04 23:29:42 +00:00 · 2021-05-19 09:46:59 +02:00 · 2021-05-19 09:46:59 +02:00 · 482550280a
commit 482550280a
parent 7addf56b72
1 changed files with 5 additions and 2 deletions
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@ -1351,6 +1351,8 @@ static int srv_parse_check_alpn(char **args, int *cur_arg, struct proxy *px, str
 /* parse the "ca-file" server keyword */
 static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
 {
+	const int create_if_none = newsrv->flags & SRV_F_DYNAMIC ? 0 : 1;
+
 	if (!*args[*cur_arg + 1]) {
 		memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
 		return ERR_ALERT | ERR_FATAL;
@ -1361,10 +1363,11 @@ static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct
 	else
 		memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);

-	if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
+	if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, create_if_none, CAFILE_CERT)) {
 		memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file);
 		return ERR_ALERT | ERR_FATAL;
 	}
+
 	return 0;
 }

@ -1875,7 +1878,7 @@ INITCALL1(STG_REGISTER, bind_register_keywords, &bind_kws);
 static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ "allow-0rtt",              srv_parse_allow_0rtt,         0, 1, 0 }, /* Allow using early data on this server */
 	{ "alpn",                    srv_parse_alpn,               1, 1, 0 }, /* Set ALPN supported protocols */
-	{ "ca-file",                 srv_parse_ca_file,            1, 1, 0 }, /* set CAfile to process verify server cert */
+	{ "ca-file",                 srv_parse_ca_file,            1, 1, 1 }, /* set CAfile to process verify server cert */
 	{ "check-alpn",              srv_parse_check_alpn,         1, 1, 0 }, /* Set ALPN used for checks */
 	{ "check-sni",               srv_parse_check_sni,          1, 1, 0 }, /* set SNI */
 	{ "check-ssl",               srv_parse_check_ssl,          0, 1, 0 }, /* enable SSL for health checks */