MINOR: ssl: support ca-file arg for dynamic servers
File-access through ssl_store_load_locations_file is deactivated if
srv_parse_ca_file is used at runtime for a dynamic server. The ca-file
must have already been loaded either in the config or through the 'ssl
ca-file' CLI commands.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index e4b6989..56ca129 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1351,6 +1351,8 @@
/* parse the "ca-file" server keyword */
static int srv_parse_ca_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
+ const int create_if_none = newsrv->flags & SRV_F_DYNAMIC ? 0 : 1;
+
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing CAfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
@@ -1361,10 +1363,11 @@
else
memprintf(&newsrv->ssl_ctx.ca_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, 1, CAFILE_CERT)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.ca_file, create_if_none, CAFILE_CERT)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.ca_file);
return ERR_ALERT | ERR_FATAL;
}
+
return 0;
}
@@ -1875,7 +1878,7 @@
static struct srv_kw_list srv_kws = { "SSL", { }, {
{ "allow-0rtt", srv_parse_allow_0rtt, 0, 1, 0 }, /* Allow using early data on this server */
{ "alpn", srv_parse_alpn, 1, 1, 0 }, /* Set ALPN supported protocols */
- { "ca-file", srv_parse_ca_file, 1, 1, 0 }, /* set CAfile to process verify server cert */
+ { "ca-file", srv_parse_ca_file, 1, 1, 1 }, /* set CAfile to process verify server cert */
{ "check-alpn", srv_parse_check_alpn, 1, 1, 0 }, /* Set ALPN used for checks */
{ "check-sni", srv_parse_check_sni, 1, 1, 0 }, /* set SNI */
{ "check-ssl", srv_parse_check_ssl, 0, 1, 0 }, /* enable SSL for health checks */