From: William Lallemand <wlallemand@haproxy.org>
Date: Fri, 20 Nov 2020 17:23:40 +0000 (+0100)
Subject: BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated
X-Git-Tag: v2.3.2~25
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=69d90d7686efa566f6a34b101875abf4b0896fb4;p=haproxy-2.3.git

BUG/MINOR: ssl/crt-list: load bundle in crt-list only if activated

Don't try to load a bundle from a crt-list if the bundle support was
disabled with ssl-load-extra-files.

Must be backported to 2.3.

(cherry picked from commit 7340457158b20fa89d9eba0e231b3a122f5620d3)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index ac2d849..8e9e5a1 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -550,7 +550,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 				LIST_ADDQ(&newlist->ord_entries, &entry->by_crtlist);
 				LIST_ADDQ(&ckchs->crtlist_entry, &entry->by_ckch_store);
 
-			} else {
+			} else if (global_ssl.extra_files & SSL_GF_BUNDLE) {
 				/* If we didn't find the file, this could be a
 				bundle, since 2.3 we don't support multiple
 				certificate in the same OpenSSL store, so we