e6657fd108
In commit 55e9e9591
("MEDIUM: ssl: temporarily load files by detecting
their presence in crt-store"), ssl_sock_load_pem_into_ckch() was
replaced by ssl_sock_load_files_into_ckch() in the crt-store loading.
But the side effect was that we always try to autodetect, and this is
not what we want. This patch reverses this, and adds specific code in the
crt-list loading, so that we can autodetect in crt-list like it was done
before, but still try to load files when a crt-store filename keyword is
specified.
Example:
These crt-list lines won't autodetect files:
foobar.crt [key foobar.key issuer foobar.issuer ocsp-update on] *.foo.bar
foobar.crt [key foobar.key] *.foo.bar
These crt-list lines will autodetect files:
foobar.pem [ocsp-update on] *.foo.bar
foobar.pem
#REGTEST_TYPE=devel
varnishtest "Test the crt-store section"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(3.0-dev7)'"
feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
feature ignore_unknown_macro

#
# Configuration-check test for the crt-store section. No traffic is sent;
# each case only asserts whether haproxy accepts or rejects the config.
#
#  h1: a certificate declared in crt-store (with its key named explicitly)
#      can then be referenced by a bind line.
#  h2: a certificate that a bind line has already used cannot afterwards be
#      loaded again through crt-store.
#

# Accepted case: the crt-store declaration comes first, so the "crt" on the
# bind line refers to the entry loaded with the explicit "key" keyword.
haproxy h1 -arg -V -conf-OK {
    crt-store
        load crt "${testdir}/common.crt" key "${testdir}/common.key"

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.crt strict-sni

}

# Rejected case: the bind line references common.pem before crt-store tries
# to load the same path with a separate key file. The config must fail, so
# the key attached to a certificate name that is already in use cannot be
# changed by a later declaration.
# NOTE(review): the expected-error argument "{}" is empty, so presumably any
# configuration error satisfies this case (a missing file, for instance), not
# only the duplicate-load refusal. Confirm, and consider pinning the message.
haproxy h2 -arg -V -conf-BAD {} {

    listen ssl-lst
        bind "${tmpdir}/ssl.sock" ssl crt ${testdir}/common.pem strict-sni

    crt-store
        load crt "${testdir}/common.pem" key "${testdir}/common.key"

}