MINOR: ssl: render file-access optional on server crt loading
The function ssl_sock_load_srv_cert will be used at runtime for dynamic
servers. If the cert is not loaded on ckch tree, we try to access it
from the file-system.
Now this access operation is rendered optional by a new function
argument. It is only allowed at parsing time, but will be disabled for
dynamic servers at runtime.
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index cb9c0b8..5593a93 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -118,7 +118,7 @@
struct issuer_chain* ssl_get0_issuer_chain(X509 *cert);
int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err);
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err);
-int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
+int ssl_sock_load_srv_cert(char *path, struct server *server, int create_if_none, char **err);
void ssl_free_global_issuers(void);
int ssl_initialize_random(void);
int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 11af3aa..ce84fe3 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1491,7 +1491,7 @@
memprintf(&path, "%s", args[*cur_arg + 1]);
if (path) {
- retval = ssl_sock_load_srv_cert(path, newsrv, err);
+ retval = ssl_sock_load_srv_cert(path, newsrv, 1, err);
free(path);
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4ebf56f..e276115 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3718,7 +3718,7 @@
* backend server (server configuration line).
* Returns a set of ERR_* flags possibly with an error in <err>.
*/
-int ssl_sock_load_srv_cert(char *path, struct server *server, char **err)
+int ssl_sock_load_srv_cert(char *path, struct server *server, int create_if_none, char **err)
{
struct stat buf;
int cfgerr = 0;
@@ -3729,14 +3729,23 @@
/* we found the ckchs in the tree, we can use it directly */
cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
found++;
- } else if (stat(path, &buf) == 0) {
- /* We do not manage directories on backend side. */
- if (S_ISDIR(buf.st_mode) == 0) {
- ++found;
- ckchs = ckchs_load_cert_file(path, err);
- if (!ckchs)
- cfgerr |= ERR_ALERT | ERR_FATAL;
- cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
+ } else {
+ if (!create_if_none) {
+ memprintf(err, "%sunable to stat SSL certificate '%s'.\n",
+ err && *err ? *err : "", path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+
+ if (stat(path, &buf) == 0) {
+ /* We do not manage directories on backend side. */
+ if (S_ISDIR(buf.st_mode) == 0) {
+ ++found;
+ ckchs = ckchs_load_cert_file(path, err);
+ if (!ckchs)
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ cfgerr |= ssl_sock_load_srv_ckchs(path, ckchs, server, &server->ssl_ctx.inst, err);
+ }
}
}
if (!found) {
@@ -3745,6 +3754,7 @@
cfgerr |= ERR_ALERT | ERR_FATAL;
}
+out:
return cfgerr;
}