BUG/MINOR: ssl: load .key in a directory only after PEM
Don't try to load a .key in a directory without loading its associated
certificate file.
This patch ignores the .key files when iterating over the files in a
directory.
Introduced by 4c5adbf ("MINOR: ssl: load the key from a dedicated
file").
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 61c7d5c..c20311d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11341,13 +11341,13 @@
are loaded.
If a directory name is used instead of a PEM file, then all files found in
- that directory will be loaded in alphabetic order unless their name ends with
- '.issuer', '.ocsp' or '.sctl' (reserved extensions). This directive may be
- specified multiple times in order to load certificates from multiple files or
- directories. The certificates will be presented to clients who provide a
- valid TLS Server Name Indication field matching one of their CN or alt
- subjects. Wildcards are supported, where a wildcard character '*' is used
- instead of the first hostname component (e.g. *.example.org matches
+ that directory will be loaded in alphabetic order unless their name ends
+ with '.key', '.issuer', '.ocsp' or '.sctl' (reserved extensions). This
+ directive may be specified multiple times in order to load certificates from
+ multiple files or directories. The certificates will be presented to clients
+ who provide a valid TLS Server Name Indication field matching one of their
+ CN or alt subjects. Wildcards are supported, where a wildcard character '*'
+ is used instead of the first hostname component (e.g. *.example.org matches
www.example.org but not www.sub.example.org).
If no SNI is provided by the client or if the SSL library does not support
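Review bot: the new '.key' entry in the reserved-extensions list tells the reader that such files are skipped during the directory scan but not that they are still picked up when the certificate they belong to is loaded (the behaviour this patch depends on, per the 4c5adbf reference in the commit message). Add a short clause after "(reserved extensions)" along the lines of "; a '.key' file is loaded together with the certificate file it accompanies" so the operator does not conclude that private keys in a directory are ignored altogether. Also, the hunk rewraps four lines whose wording did not change; keeping the original line breaks and only inserting "'.key', " would make the doc change reviewable at a glance.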
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 1b3cf55..22985d5 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4416,7 +4416,7 @@
struct dirent *de = de_list[i];
end = strrchr(de->d_name, '.');
- if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl")))
+ if (end && (!strcmp(end, ".issuer") || !strcmp(end, ".ocsp") || !strcmp(end, ".sctl") || !strcmp(end, ".key")))
goto ignore_entry;
snprintf(fp, sizeof(fp), "%s/%s", path, de->d_name);
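Review bot: a '.key' file with no matching certificate file in the same directory is now silently skipped, which makes a misplaced or misnamed key hard to diagnose from the configuration alone; consider emitting a warning for orphaned '.key' entries rather than falling straight through to ignore_entry. Separately, the extension check is now a four-way chain of strcmp() calls on the same line; a small static array of reserved suffixes iterated in a loop (e.g. `static const char *reserved[] = { ".issuer", ".ocsp", ".sctl", ".key" };`) would keep this readable as the list grows and avoid the next addition widening the line again.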