RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-05-08 10:48:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

MEDIUM: ssl/crt-list: warn on negative wildcard filters

Browse Source 
negative wildcard filters were always a noop, and are not useful for
anything unless you want to use !* alone to remove every name from a
certificate.

This is confusing and the documentation never stated it correctly. This
patch adds a warning during the bind initialization if it founds one,
only !* does not emit a warning.

This patch was done during the debugging of issue #2900.
This commit is contained in:
William Lallemand 2025-04-04 17:13:51 +02:00
parent ce6951d6f9
commit a9ae6b516d
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ssl_sock.c
View File

@ -2465,8 +2465,11 @@ static int ckch_inst_add_cert_sni(SSL_CTX *ctx, struct ckch_inst *ckch_inst,
default_crt = 1;
}
/* !* filter is a nop */
if (neg && wild)
if (neg && wild) {
if (*name)
ha_warning("parsing [%s:%d]: crt-list: Unsupported exclusion (!) on a wildcard filter \"!*%s\"\n", s->file, s->line, name);
return order;
}
if (*name || default_crt) {
int j, len;
len = strlen(name);