RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-05-08 18:57:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

MEDIUM: ssl/crt-list: warn on negative filters only

Browse Source 
negative SNI filters on crt-list lines only have a meaning when they
match a positive wildcard filter. This patch adds a warning which
is emitted when trying to use negative filters without any wildcard on
the same line.

This was discovered in ticket #2900.
This commit is contained in:
William Lallemand 2025-04-04 18:00:46 +02:00
parent a9ae6b516d
commit ab4cd49c04
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/ssl_sock.c
View File

@ -2508,6 +2508,7 @@ void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_
struct sni_ctx *sc0, *sc0b, *sc1; struct sni_ctx *sc0, *sc0b, *sc1;
struct ebmb_node *node; struct ebmb_node *node;
int nb_neg = 0, nb_wild = 0;
list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) { list_for_each_entry_safe(sc0, sc0b, &ckch_inst->sni_ctx, by_ckch_inst) {
@ -2537,11 +2538,21 @@ void ssl_sock_load_cert_sni(struct ckch_inst *ckch_inst, struct bind_conf *bind_
if (!sc0) if (!sc0)
continue; continue;
if (sc0->wild && sc0->name.key[0]) /* count wildcard but exclude the default */
nb_wild++;
if (sc0->neg)
nb_neg++;
if (sc0->wild) if (sc0->wild)
ebst_insert(&bind_conf->sni_w_ctx, &sc0->name); ebst_insert(&bind_conf->sni_w_ctx, &sc0->name);
else else
ebst_insert(&bind_conf->sni_ctx, &sc0->name); ebst_insert(&bind_conf->sni_ctx, &sc0->name);
} }
if (nb_neg > 0 && nb_wild == 0) {
ha_warning("parsing [%s:%d]: crt-list: negative filters on crt-list line \"%s\" without a positive wildcard filter won't do anything!\n", bind_conf->file, bind_conf->line, ckch_inst->ckch_store->node.key);
}
} }
/* /*