From: William Lallemand Date: Tue, 29 Oct 2024 14:31:00 +0000 (+0100) Subject: BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly X-Git-Tag: v3.0.6~31 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=0309e93dbdbcb29c0ee484ba2c9522c6ca7afeb6;p=haproxy-3.0.git BUG/MINOR: ssl/cli: 'set ssl cert' does not check the transaction name correctly Since commit 089c13850f ("MEDIUM: ssl: ssl-load-extra-del-ext work only with .crt"), the 'set ssl cert' CLI command does not check correctly if the transaction you are trying to update is the right one. The consequence is that you could commit accidentaly a transaction on the wrong certificate. The fix introduces the check again in case you are not using ssl-load-extra-del-ext. This must be backported in all stable versions. (cherry picked from commit 984d2cfb61744bed29ce92cdc5360155cbd8ca44) Signed-off-by: Christopher Faulet --- diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index b178078..3e8b7a2 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -2435,7 +2435,7 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, errcode |= ERR_ALERT | ERR_FATAL; goto end; } - + /* check again with the right extension */ if (strcmp(ckchs_transaction.path, buf->area) != 0) { /* remove .crt of the error message */ *(b_orig(buf) + b_data(buf) + strlen(".crt")) = '\0'; @@ -2445,6 +2445,11 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx, errcode |= ERR_ALERT | ERR_FATAL; goto end; } + } else { + /* without del-ext the error is definitive */ + memprintf(&err, "The ongoing transaction is about '%s' but you are trying to set '%s'\n", ckchs_transaction.path, buf->area); + errcode |= ERR_ALERT | ERR_FATAL; + goto end; } }