In previous versions of haproxy, insertions of certificates in a
crt-list from the CLI would require to have the path of the directory,
in the path of the certificate. This would help avoiding that the
certificate wasn't loaded upon a reload because it is not at the right
place.
However, since version 3.0 and crt-store, the name stored in the tree
could be an alias and not a path, so that does not make sense anymore.
Even though path would be right, the check is not right anymore in this
case.
The tool or user inserting the certificate must now check itself that
the certificate was placed at the right spot on the filesystem.
Reported in issue #3053.
Could be backported as far as haproxy 3.0.
(cherry picked from commit
55d561042c81f8853364a62b4d5eaba2555c2673)
Signed-off-by: William Lallemand <wlallemand@haproxy.com>
(cherry picked from commit
780f1e8a3301b49d74d336c2dbf3400a2d8d1cfb)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit
4e364f2a6dd6fba914dcc3c53976ea6a037fc7aa)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
goto error;
}
- if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
- char *slash;
-
- slash = strrchr(cert_path, '/');
- if (!slash) {
- memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
- goto error;
- }
- /* temporary replace / by 0 to do an strcmp */
- *slash = '\0';
- if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
- *slash = '/';
- memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
- goto error;
- }
- *slash = '/';
- }
-
if (*cert_path != '@' && *cert_path != '/' && global_ssl.crt_base) {
if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > sizeof(path) ||
snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, cert_path) > sizeof(path)) {
projects / haproxy-3.0.git / commitdiff