RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly 

Since commit  089c13850f ("MEDIUM: ssl: ssl-load-extra-del-ext work
only with .crt"), the 'set ssl cert' CLI command does not check
correctly if the transaction you are trying to update is the right one.

The consequence is that you could commit accidentaly a transaction on
the wrong certificate.

The fix introduces the check again in case you are not using
ssl-load-extra-del-ext.

This must be backported in all stable versions.
This commit is contained in:
William Lallemand 2024-10-29 15:31:00 +01:00
parent 18582ede05
commit 984d2cfb61
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_ckch.c
View File

@ -2600,7 +2600,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
/* check again with the right extension */
if (strcmp(ckchs_transaction.path, buf->area) != 0) { if (strcmp(ckchs_transaction.path, buf->area) != 0) {
/* remove .crt of the error message */ /* remove .crt of the error message */
*(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0'; *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0';
@ -2610,6 +2610,11 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
} else {
/* without del-ext the error is definitive */
memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area);
errcode |= ERR_ALERT | ERR_FATAL;
goto end;
} }
} }