BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
In issue #1004, it was reported that a certificate that came from a crt-list cannot be removed correctly after it has been updated. Indeed, the "commit ssl cert" command on the CLI does not update the list of ckch_inst in the crtlist_entry. Because of this, the "del ssl crt-list" command removes neither the instances nor the SNIs, because they were never linked to the crtlist_entry. This patch fixes the issue by inserting the ckch_inst in the crtlist_entry once generated. Must be backported as far as 2.2.
parent
cc043f66b7
commit
a55685bfea
@ -1337,6 +1337,9 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
|
||||
if (ckchi->is_default)
|
||||
new_inst->is_default = 1;
|
||||
|
||||
/* create the link to the crtlist_entry */
|
||||
new_inst->crtlist_entry = ckchi->crtlist_entry;
|
||||
|
||||
/* we need to initialize the SSL_CTX generated */
|
||||
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
|
||||
list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
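Review bot: `new_inst->crtlist_entry = ckchi->crtlist_entry;` stores a borrowed pointer in the new instance, and nothing in this hunk shows what keeps that crtlist_entry alive until the instance is linked into it in the later insertion step. If the handler can yield between generation and insertion while a "del ssl crt-list" runs, the new instance would be left with a dangling pointer. Presumably the lock that serialises the CLI certificate commands rules this out, but that is not visible here. Once confirmed, I would record it in the comment, e.g. `/* borrow the old instance's crtlist_entry (may be NULL); it stays valid because crt-list deletion is serialised with this commit */`. The body of cli_io_handler_commit_cert starts and ends outside the hunk.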
|
||||
@ -1374,6 +1377,12 @@ static int cli_io_handler_commit_cert(struct appctx *appctx)
|
||||
ebpt_insert(&entry->crtlist->entries, &entry->node);
|
||||
}
|
||||
|
||||
/* insert the new ckch_insts in the crtlist_entry */
|
||||
list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
|
||||
if (ckchi->crtlist_entry)
|
||||
LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
|
||||
}
|
||||
|
||||
/* First, we insert every new SNIs in the trees, also replace the default_ctx */
|
||||
list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
|
||||
HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
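Review bot: The new loop links only instances whose `crtlist_entry` is non-NULL, so for every other instance `by_crtlist_entry` keeps whatever state it had at allocation. If the free path unlinks `by_crtlist_entry` unconditionally, that node must have been set up with `LIST_INIT(&inst->by_crtlist_entry)` at creation, otherwise deleting a certificate that did not come from a crt-list writes through uninitialised pointers. Neither the constructor nor the free path is visible in this hunk, so this is worth confirming. It is also worth checking that the old instances are unlinked from the same crtlist_entry list before they are freed, since the entry would otherwise keep pointers to freed instances next to the new ones. The enclosing function continues outside the hunk.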
|
||||
|