diff --git a/doc/configuration.txt b/doc/configuration.txt
index 51aefb1fa..ecd4715ce 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1278,6 +1278,7 @@ The following keywords are supported in the "global" section :
 - insecure-fork-wanted
 - insecure-setuid-wanted
 - issuers-chain-path
+ - key-base
 - localpeer
 - log
 - log-send-hostname
@@ -2017,6 +2018,11 @@ issuers-chain-path
 "issuers-chain-path" directory. All other certificates with the same issuer
 will share the chain in memory.
 
+key-base
+ Assigns a default directory to fetch SSL private keys from when a relative
+ path is used with "key" directives. Absolute locations specified prevail and
+ ignore "key-base". This option only works with a crt-store load line.
+
 limited-quic
 This setting must be used to explicitly enable the QUIC listener bindings when
 haproxy is compiled against a TLS/SSL stack without QUIC support, typically
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 30e81e798..ade177985 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -264,6 +264,7 @@ struct ssl_sock_ctx {
 
 struct global_ssl {
 char *crt_base; /* base directory path for certificates */
+ char *key_base; /* base directory path for private keys */
 char *ca_base; /* base directory path for CAs and CRLs */
 char *issuers_chain_path; /* from "issuers-chain-path" */
 int skip_self_issued_ca;
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 0ba31d703..467fbdad9 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -2093,16 +2093,23 @@ static int ssl_parse_default_server_options(char **args, int section_type, struc
 return 0;
 }
 
-/* parse the "ca-base" / "crt-base" keywords in global section.
+/* parse the "ca-base" / "crt-base" / "key-base" keywords in global section.
 * Returns <0 on alert, >0 on warning, 0 on success.
 */
-static int ssl_parse_global_ca_crt_base(char **args, int section_type, struct proxy *curpx,
+static int ssl_parse_global_path_base(char **args, int section_type, struct proxy *curpx,
 const struct proxy *defpx, const char *file, int line,
 char **err)
 {
 char **target;
 
- target = (args[0][1] == 'a') ? &global_ssl.ca_base : &global_ssl.crt_base;
+ if (args[0][1] == 'a')
+ target = &global_ssl.ca_base;
+ else if (args[0][1] == 'r')
+ target = &global_ssl.crt_base;
+ else if (args[0][1] == 'e')
+ target = &global_ssl.key_base;
+ else
+ return -1;
 
 if (too_many_args(1, args, err, NULL))
 return -1;
@@ -2387,8 +2394,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 INITCALL1(STG_REGISTER, srv_register_keywords, &srv_kws);
 
 static struct cfg_kw_list cfg_kws = {ILH, {
- { CFG_GLOBAL, "ca-base", ssl_parse_global_ca_crt_base },
- { CFG_GLOBAL, "crt-base", ssl_parse_global_ca_crt_base },
+ { CFG_GLOBAL, "ca-base", ssl_parse_global_path_base },
+ { CFG_GLOBAL, "crt-base", ssl_parse_global_path_base },
+ { CFG_GLOBAL, "key-base", ssl_parse_global_path_base },
 { CFG_GLOBAL, "issuers-chain-path", ssl_load_global_issuers_from_path },
 { CFG_GLOBAL, "maxsslconn", ssl_parse_global_int },
 { CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 11ccb0350..bd2ffe24f 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
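Review bot: The new `else` branch returns -1 without populating `*err`, so if this parser is ever registered for a fourth keyword the user gets an alert with no message; the other failure path in the same function (`too_many_args`) is handed `err`, and the caller presumably formats whatever it contains. Something like `memprintf(err, "'%s': keyword not handled by this parser", args[0]); return -1;` closes that gap. The dispatch on `args[0][1]` ('a'/'r'/'e') is also opaque now that it selects among three keywords; comparing `args[0]` with `strcmp` against "ca-base", "crt-base" and "key-base" would make the coupling to the `cfg_kws` table in the next hunk explicit. The function body continues outside the hunk.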
@@ -3998,7 +3998,7 @@ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws);
 
 struct ckch_conf_kws ckch_conf_kws[] = {
 { "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ssl_sock_load_pem_into_ckch, &global_ssl.crt_base },
- { "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ssl_sock_load_key_into_ckch, &global_ssl.crt_base },
+ { "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ssl_sock_load_key_into_ckch, &global_ssl.key_base },
 { "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ssl_sock_load_ocsp_response_from_file, &global_ssl.crt_base },
 { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ssl_sock_load_issuer_file_into_ckch, &global_ssl.crt_base },
 { "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ssl_sock_load_sctl_from_file, &global_ssl.crt_base },
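Review bot: Pointing the `key` row at `&global_ssl.key_base` changes how a relative key path in a crt-store `load` line is resolved when `key-base` is not configured: before this patch it was resolved against `crt-base`, and nothing in this diff shows a fallback from a NULL `key_base` to `crt_base`, so a configuration that sets only `crt-base` may stop finding its private keys, or resolve them against the working directory, depending on how the loader treats a NULL base. If that fallback exists elsewhere, the `key-base` documentation should state it; if it does not, either defaulting `global_ssl.key_base` to `global_ssl.crt_base` after config parsing or spelling out the new resolution rule in configuration.txt would avoid a silent change in which key file gets loaded. The `ckch_conf_kws` table continues outside the hunk.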