BUG/MEDIUM: ssl/crt-list: bad behavior with "commit ssl cert"
In issue #1004, it was reported that it is not possible to remove
correctly a certificate after updating it when it came from a crt-list.
Indeed the "commit ssl cert" command on the CLI does not update the list
of ckch_inst in the crtlist_entry. Because of this, the "del ssl
crt-list" command does not remove neither the instances nor the SNIs
because they were never linked to the crtlist_entry.
This patch fixes the issue by inserting the ckch_inst in the
crtlist_entry once generated.
Must be backported as far as 2.2.
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 198ac63..4a85a5d 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1337,6 +1337,9 @@
if (ckchi->is_default)
new_inst->is_default = 1;
+ /* create the link to the crtlist_entry */
+ new_inst->crtlist_entry = ckchi->crtlist_entry;
+
/* we need to initialize the SSL_CTX generated */
/* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */
list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) {
@@ -1374,6 +1377,12 @@
ebpt_insert(&entry->crtlist->entries, &entry->node);
}
+ /* insert the new ckch_insts in the crtlist_entry */
+ list_for_each_entry(ckchi, &new_ckchs->ckch_inst, by_ckchs) {
+ if (ckchi->crtlist_entry)
+ LIST_ADD(&ckchi->crtlist_entry->ckch_inst, &ckchi->by_crtlist_entry);
+ }
+
/* First, we insert every new SNIs in the trees, also replace the default_ctx */
list_for_each_entry_safe(ckchi, ckchis, &new_ckchs->ckch_inst, by_ckchs) {
HA_RWLOCK_WRLOCK(SNI_LOCK, &ckchi->bind_conf->sni_lock);