MINOR: ssl: support crl arg for dynamic servers
File-access through ssl_store_load_locations_file is deactivated if
srv_parse_crl is used at runtime for a dynamic server. The crl must
have already been loaded either in the config or through the 'ssl crl'
CLI commands.
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index ba2f5e2..eb04c08 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1471,6 +1471,8 @@
memprintf(err, "'%s' : library does not support CRL verify", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
#else
+ const int create_if_none = newsrv->flags & SRV_F_DYNAMIC ? 0 : 1;
+
if (!*args[*cur_arg + 1]) {
memprintf(err, "'%s' : missing CRLfile path", args[*cur_arg]);
return ERR_ALERT | ERR_FATAL;
@@ -1481,7 +1483,7 @@
else
memprintf(&newsrv->ssl_ctx.crl_file, "%s", args[*cur_arg + 1]);
- if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, 1, CAFILE_CRL)) {
+ if (!ssl_store_load_locations_file(newsrv->ssl_ctx.crl_file, create_if_none, CAFILE_CRL)) {
memprintf(err, "'%s' : unable to load %s", args[*cur_arg], newsrv->ssl_ctx.crl_file);
return ERR_ALERT | ERR_FATAL;
}
@@ -1887,7 +1889,7 @@
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "ciphersuites", srv_parse_ciphersuites, 1, 1, 0 }, /* select the cipher suite */
#endif
- { "crl-file", srv_parse_crl_file, 1, 1, 0 }, /* set certificate revocation list file use on server cert verify */
+ { "crl-file", srv_parse_crl_file, 1, 1, 1 }, /* set certificate revocation list file use on server cert verify */
{ "crt", srv_parse_crt, 1, 1, 1 }, /* set client certificate */
{ "force-sslv3", srv_parse_tls_method_options, 0, 1, 0 }, /* force SSLv3 */
{ "force-tlsv10", srv_parse_tls_method_options, 0, 1, 0 }, /* force TLSv10 */