From 40b4677eadad88c80bdf117940beb62bb2d640c7 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 11 Aug 2025 17:24:11 +0200
Subject: [PATCH] MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory

In previous versions of haproxy, insertions of certificates in a crt-list from the CLI would require to have the path of the directory, in the path of the certificate. This would help avoiding that the certificate wasn't loaded upon a reload because it is not at the right place. However, since version 3.0 and crt-store, the name stored in the tree could be an alias and not a path, so that does not make sense anymore. Even though path would be right, the check is not right anymore in this case. The tool or user inserting the certificate must now check itself that the certificate was placed at the right spot on the filesystem.
Reported in issue #3053.
Could be backported as far as haproxy 3.0.
(cherry picked from commit 55d561042c81f8853364a62b4d5eaba2555c2673)
Signed-off-by: William Lallemand
(cherry picked from commit 780f1e8a3301b49d74d336c2dbf3400a2d8d1cfb)
Signed-off-by: Christopher Faulet
(cherry picked from commit 4e364f2a6dd6fba914dcc3c53976ea6a037fc7aa)
Signed-off-by: Christopher Faulet
---
 src/ssl_crtlist.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index f19864f..3c4e49b 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -1368,24 +1368,6 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
 			goto error;
 		}
 
-	if (eb_gettag(crtlist->entries.b[EB_RGHT])) {
-		char *slash;
-
-		slash = strrchr(cert_path, '/');
-		if (!slash) {
-			memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
-			goto error;
-		}
-		/* temporary replace / by 0 to do an strcmp */
-		*slash = '\0';
-		if (strcmp(cert_path, (char*)crtlist->node.key) != 0) {
-			*slash = '/';
-			memprintf(&err, "'%s' is a directory, certificate path '%s' must contain the directory path", (char *)crtlist->node.key, cert_path);
-			goto error;
-		}
-		*slash = '/';
-	}
-
 	if (*cert_path != '@' && *cert_path != '/' && global_ssl.crt_base) {
 		if ((strlen(global_ssl.crt_base) + 1 + strlen(cert_path)) > sizeof(path) ||
 		    snprintf(path, sizeof(path), "%s/%s", global_ssl.crt_base, cert_path) > sizeof(path)) {
-- 
1.7.10.4
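Review bot: With the directory-membership check removed, `cli_parse_add_crtlist` no longer distinguishes a directory-type crt-list (the `eb_gettag(crtlist->entries.b[EB_RGHT])` case) from a file-type one at this point, so an entry whose file lives outside the directory is now accepted at runtime and is simply absent after a reload, and nothing in the remaining code records that this contract moved to the operator. A short comment at the removal site, just before the `if (*cert_path != '@' ...` line, would keep the intent visible, e.g. `/* directory-type crt-lists: the entry name may be a crt-store alias rather than a path, so its location is not validated here; the caller must place the file in the directory for it to survive a reload */`. If the CLI documentation for `add ssl crt-list` still describes the old requirement that the certificate path contain the directory path, it should be updated in the same change (not visible in this patch). The enclosing function starts and ends outside the hunk.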