mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-13 23:14:46 +00:00
fb00f31af4
If an unknown CA file was first mentioned in an "add ssl crt-list" CLI command, it would result in a call to X509_STORE_load_locations which performs a disk access which is forbidden during runtime. The same would happen if a "ca-verify-file" or "crl-file" was specified. This was due to the fact that the crt-list file parsing and the crt-list related CLI commands parsing use the same functions. The patch simply adds a new parameter to all the ssl_bind parsing functions so that they know if the call is made during init or by the CLI, and the ssl_store_load_locations function can then reject any new cafile_entry creation coming from a CLI call. It can be backported as far as 2.2. |
||
|---|---|---|
| .. | ||
| add_ssl_crt-list.vtc | ||
| ca-auth.crt | ||
| client1.pem | ||
| client2_expired.pem | ||
| client3_revoked.pem | ||
| common.crt | ||
| common.key | ||
| common.pem | ||
| crl-auth.pem | ||
| ecdsa.crt | ||
| ecdsa.key | ||
| ecdsa.pem | ||
| filters.crt-list | ||
| localhost.crt-list | ||
| README | ||
| set_ssl_cert_noext.vtc | ||
| set_ssl_cert.vtc | ||
| set_ssl_server_cert.vtc | ||
| simple.crt-list | ||
| ssl_client_auth.vtc | ||
| ssl_client_samples.vtc | ||
| ssl_crt-list_filters.vtc | ||
| ssl_frontend_samples.vtc | ||
| ssl_server_samples.vtc | ||
| ssl_simple_crt-list.vtc | ||
| wrong_ctx_storage.vtc | ||
File list: - common.pem: PEM file which may be used by most of the VTC files.