From: William Lallemand
Date: Tue, 15 Dec 2020 13:57:46 +0000 (+0100)
Subject: BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
X-Git-Tag: v2.3.3~35
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=9f714695d07aac3c20cf1470b4b6df9b1f6dabb8;p=haproxy-2.3.git

BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"

In issue #1004, it was reported that it is not possible to correctly remove a certificate after updating it when it came from a crt-list.

Indeed, the "commit ssl cert" command on the CLI does not update the list of ckch_inst in the crtlist_entry. Because of this, the "del ssl crt-list" command removes neither the instances nor the SNIs because they were never linked to the crtlist_entry.

This patch fixes the issue by inserting the ckch_inst in the crtlist_entry once generated.

Must be backported as far as 2.2.

(cherry picked from commit a55685bfea0c95fd311b9bd0478950e534305786)
Signed-off-by: Christopher Faulet
---
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c index 198ac63..4a85a5d 100644 --- a/src/ssl_ckch.c +++ b/src/ssl_ckch.c @@ -1337,6 +1337,9 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) if (ckchi->is_default) new_inst->is_default = 1; + /* create the link to the crtlist_entry */ + new_inst->crtlist_entry = ckchi->crtlist_entry; + /* we need to initialize the SSL_CTX generated */ /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */ list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) { 
@@ -1374,6 +1377,12 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) ebpt_insert(&entry->crtlist->entries, &entry->node); } + /* insert the new ckch_insts in the crtlist_entry */ + list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) { + if (ckchi->crtlist_entry) + LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry); + } + /* First, we insert every new SNIs in the trees, also replace the default_ctx */ list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) { HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);
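Review bot: in the first hunk (around line 1337), `new_inst->crtlist_entry = ckchi->crtlist_entry;` sets the back-pointer on the new instance, but the instance is not added to `crtlist_entry->ckch_inst` until the second hunk some 40 lines later, so for that window a new instance carries a crtlist_entry pointer while not being a member of that entry's list. Please confirm that the abort/error path of cli_io_handler_commit_cert between those two points frees the new instances without trying to LIST_DEL them from a list they were never added to, or initializes `by_crtlist_entry` (e.g. with LIST_INIT) so an unconditional unlink is harmless. Copying a NULL pointer for certificates that did not come from a crt-list is fine, since the second hunk guards the insertion with `if (ckchi->crtlist_entry)`.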
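Review bot: in the second hunk (around line 1377), the new `list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs)` loop makes the new instances reachable through `crtlist_entry->ckch_inst` before the following `list_for_each_entry_safe` loop has taken `SNI_LOCK` and inserted their SNIs into the trees, and it runs while the old instances are presumably still in the same list. Confirm that the old instances are LIST_DEL'ed from `crtlist_entry->ckch_inst` when they are released later in this handler, otherwise "del ssl crt-list" would walk a mix of old and new instances, and consider a one-line comment noting that LIST_ADD prepends, so the entry's instance order ends up reversed relative to `new_ckchs->ckch_inst`; if order matters anywhere, LIST_ADDQ would preserve it.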