1
0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-02-24 14:46:56 +00:00

BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"

In issue , it was reported that it is not possible to remove
correctly a certificate after updating it when it came from a crt-list.

Indeed the "commit ssl cert" command on the CLI does not update the list
of ckch_inst in the crtlist_entry. Because of this, the "del ssl
crt-list" command does not remove neither the instances nor the SNIs
because they were never linked to the crtlist_entry.

This patch fixes the issue by inserting the ckch_inst in the
crtlist_entry once generated.

Must be backported as far as 2.2.
This commit is contained in:
William Lallemand 2020-12-15 14:57:46 +01:00 committed by William Lallemand
parent cc043f66b7
commit a55685bfea

View File

@ -1337,6 +1337,9 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
if (ckchi->is_default)
new_inst->is_default = 1;
/* create the link to the crtlist_entry */
new_inst->crtlist_entry = ckchi->crtlist_entry;
/* we need to initialize the SSL_CTX generated */
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
@ -1374,6 +1377,12 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
ebpt_insert(&entry->crtlist->entries, &entry->node);
}
/* insert the new ckch_insts in the crtlist_entry */
list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
if (ckchi->crtlist_entry)
LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
}
/* First, we insert every new SNIs in the trees, also replace the default_ctx */
list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);