Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 62043c98a631eb6d085cc8114bb621cd253f20ea^! / . / doc / configuration.txt
commit62043c98a631eb6d085cc8114bb621cd253f20ea[log] [tgz]
authorCyril Bonté <cyril.bonte@free.fr>Sun Jan 25 00:16:08 2015 +0100
committerWilly Tarreau <w@1wt.eu>Sun Jan 25 00:49:16 2015 +0100
tree8a7763ca927c2e2a344c799b79b7d3c66994cbaa
parent8eccbf741c63e8583d6fbedffb9d725f46e49ee6 [diff] [blame]
MINOR: ssl: load certificates in alphabetical order

As reported by Raphaël Enrici, certificates loaded from a directory are loaded
in a non predictive order. If no certificate was first loaded from a file, it
can result in different behaviours when haproxy is used in cluster.
We can also imagine other cases which weren't met yet.

Instead of using readdir(), we can use scandir() and sort files alphabetically.
This will ensure a predictive behaviour.

This patch should also be backported to 1.5.
(cherry picked from commit 3180f7b55434f19ba65f262dea450c93c769228b)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 51f2964..55c3e2f 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -8323,20 +8323,21 @@
   are loaded.
 
   If a directory name is used instead of a PEM file, then all files found in
-  that directory will be loaded unless their name ends with '.issuer' or
-  '.ocsp' (reserved extensions). This directive may be specified multiple times
-  in order to load certificates from multiple files or directories. The
-  certificates will be presented to clients who provide a valid TLS Server Name
-  Indication field matching one of their CN or alt subjects. Wildcards are
-  supported, where a wildcard character '*' is used instead of the first
-  hostname component (eg: *.example.org matches www.example.org but not
+  that directory will be loaded in alphabetic order unless their name ends with
+  '.issuer' or '.ocsp' (reserved extensions). This directive may be specified
+  multiple times in order to load certificates from multiple files or
+  directories. The certificates will be presented to clients who provide a valid
+  TLS Server Name Indication field matching one of their CN or alt subjects.
+  Wildcards are supported, where a wildcard character '*' is used instead of the
+  first hostname component (eg: *.example.org matches www.example.org but not
   www.sub.example.org).
 
   If no SNI is provided by the client or if the SSL library does not support
   TLS extensions, or if the client provides an SNI hostname which does not
   match any certificate, then the first loaded certificate will be presented.
   This means that when loading certificates from a directory, it is highly
-  recommended to load the default one first as a file.
+  recommended to load the default one first as a file or to ensure that it will
+  always be the first one in the directory.
 
   Note that the same cert may be loaded multiple times without side effects.