MINOR: ssl: Remove client_crt member of the server's ssl context
The client_crt member is not used anymore since the server's ssl context
initialization now behaves the same way as that of the bind lines (using
ckch stores and instances).
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index a1f72fd..b29c75c 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -322,7 +322,6 @@
char *verify_host; /* hostname of certificate must match this host */
char *ca_file; /* CAfile to use on verify */
char *crl_file; /* CRLfile to use on verify */
- char *client_crt; /* client certificate to send */
struct sample_expr *sni; /* sample expression for SNI */
#ifdef OPENSSL_NPN_NEGOTIATED
char *npn_str; /* NPN protocol string */
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index 55fe084..faacc0e 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1442,17 +1442,25 @@
/* parse the "crt" server keyword */
static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
+ int retval = -1;
+ char *path = NULL;
+
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
- memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
+ memprintf(&path, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);
else
- memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);
+ memprintf(&path, "%s", args[*cur_arg + 1]);
+
+ if (path) {
+ retval = ssl_sock_load_srv_cert(path, newsrv, err);
+ free(path);
+ }
- return ssl_sock_load_srv_cert(newsrv->ssl_ctx.client_crt, newsrv, err);
+ return retval;
}
/* parse the "no-check-ssl" server keyword */
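Review bot: When memprintf() leaves `path` NULL (allocation failure), the new code in srv_parse_crt returns the initial `retval = -1` without writing anything to `*err`. The missing-argument branch of the same function instead returns `ERR_ALERT | ERR_FATAL` with a message, so an out-of-memory condition while configuring the client certificate surfaces as an undocumented code with no diagnostic. I would initialise with `int retval = ERR_ALERT | ERR_FATAL;` and add `else memprintf(err, "'%s' : out of memory", args[*cur_arg]);` after the `if (path)` block. Separately, the `free(path)` right after the call is only safe if ssl_sock_load_srv_cert() copies the path rather than keeping the pointer. That function is outside this hunk, so this is worth confirming.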
diff --git a/src/server.c b/src/server.c
index 9561965..10f5286 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1535,8 +1535,6 @@
srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);
if (src->ssl_ctx.crl_file != NULL)
srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file);
- if (src->ssl_ctx.client_crt != NULL)
- srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt);
srv->ssl_ctx.verify = src->ssl_ctx.verify;