From 43f1242f1e1c71a7e21cb0f7173414237429137a Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 15 Jun 2020 14:37:19 +0200
Subject: [PATCH] BUG/MEDIUM: ssl: crt-list must continue parsing on ERR_WARN

The original crt-list parsing was stopping at any non-zero value in the cfgerr variable, even warnings. This is an issue as it could lead to a crt-list parsing stopped at the first warning, then HAProxy launched with a partial crt-list. A ERR_WARN must continue the parsing. The parsing must be only stopped on an ERR_CODE.

This commit is 2.1 only since it was fixed in 2.2 by commit 2954c47 ("MEDIUM: ssl: allow crt-list caching") and accidently in 2.0 by commit b131c87 ("CLEANUP: ssl: make ssl_sock_load_cert*() return real error codes") as well as in 1.9 and 1.8.
---
 src/ssl_sock.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index adf06dd..574cd15 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4364,7 +4364,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 }
 line++;
 }
- if (cfgerr)
+ if (cfgerr & ERR_CODE)
 break;
 
 args[arg++] = line;
@@ -4409,7 +4409,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 }
 }
 
- if (cfgerr) {
+ if (cfgerr & ERR_CODE) {
 ssl_sock_free_ssl_conf(ssl_conf);
 free(ssl_conf);
 ssl_conf = NULL;
@@ -4428,7 +4428,7 @@ int ssl_sock_load_cert_list_file(char *file, struct bind_conf *bind_conf, struct
 else
 cfgerr |= ssl_sock_load_ckchs(crt_path, ckchs, bind_conf, ssl_conf, &args[cur_arg], arg - cur_arg - 1, err);
 
- if (cfgerr) {
+ if (cfgerr & ERR_CODE) {
 memprintf(err, "error processing line %d in file '%s' : %s", linenum, file, *err);
 break;
 }
-- 
1.7.10.4
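Review bot: In the third hunk, a line whose loader returns only ERR_WARN no longer reaches the memprintf() that prefixes *err with the line number and file name, so a warning produced by ssl_sock_load_ckchs() is handed back without saying which crt-list line raised it, and the following line's load may overwrite or chain onto that message (how memprintf chains here is not visible in the hunk). Because cfgerr accumulates with `|=` across iterations, a per-line `else if (cfgerr & ERR_WARN)` prefix cannot simply test cfgerr, since the ERR_WARN bit set by an earlier line would re-trigger it on every later line; capturing the loader's result in a local, e.g. `int lineerr = ssl_sock_load_ckchs(...); cfgerr |= lineerr;`, and prefixing on `lineerr & ERR_WARN` would keep the file/line context without stopping the parse. The same mask is applied in the first and second hunks, where stopping only on ERR_CODE looks correct, and the second hunk rightly keeps ssl_conf alive on a warning so the line is still loaded. ssl_sock_load_cert_list_file() begins and ends outside these hunks, so whether the accumulated ERR_WARN reaches the bind-line parser with usable context is not visible here.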