MINOR: ssl: Add 'ssl-provider-path' global option

When loading providers with 'ssl-provider' global options, this ssl-provider-path option can be used to set the search path that is to be used by openssl. It behaves the same way as the OPENSSL_MODULES environment variable.
2026-04-20 22:01:49 -04:00 · 2022-05-17 15:18:37 +02:00 · 2022-05-17 15:18:37 +02:00 · ccc0355c41
commit ccc0355c41
parent 96816b0755
2 changed files with 29 additions and 1 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1052,6 +1052,7 @@ The following keywords are supported in the "global" section :
   - ssl-dh-param-file
   - ssl-propquery
   - ssl-provider
+   - ssl-provider-path
   - ssl-server-verify
   - ssl-skip-self-issued-ca
   - unix-bind
@ -2090,7 +2091,16 @@ ssl-provider <name>
  "openssl version -a" command. If the provider is in another directory, you
  can set the OPENSSL_MODULES environment variable, which takes the directory
  where your provider can be found.
-  See also "ssl-propquery".
+  See also "ssl-propquery" and "ssl-provider-path".
+
+ssl-provider-path <path>
+  This setting is only available when support for OpenSSL was built in and when
+  OpenSSL's version is at least 3.0. It allows to specify the search path that
+  is to be used by OpenSSL for looking for providers. It behaves the same way
+  as the OPENSSL_MODULES environment variable. It will be used for any
+  following 'ssl-provider' option or until a new 'ssl-provider-path' is
+  defined.
+  See also "ssl-provider".

 ssl-load-extra-del-ext
  This setting allows to configure the way HAProxy does the lookup for the
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@ -220,6 +220,23 @@ static int ssl_parse_global_ssl_provider(char **args, int section_type, struct p

 	return ret;
 }
+
+/* parse the "ssl-provider-path" keyword in global section.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ssl_provider_path(char **args, int section_type, struct proxy *curpx,
+					      const struct proxy *defpx, const char *file, int line,
+					      char **err)
+{
+	if (*(args[1]) == 0) {
+		memprintf(err, "global statement '%s' expects a directory path as an argument.", args[0]);
+		return -1;
+	}
+
+	OSSL_PROVIDER_set_default_search_path(NULL, args[1]);
+
+	return 0;
+}
 #endif

 /* parse the "ssl-default-bind-ciphers" / "ssl-default-server-ciphers" keywords
@ -1981,6 +1998,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 #ifdef HAVE_SSL_PROVIDERS
 	{ CFG_GLOBAL, "ssl-propquery",  ssl_parse_global_ssl_propquery },
 	{ CFG_GLOBAL, "ssl-provider",  ssl_parse_global_ssl_provider },
+	{ CFG_GLOBAL, "ssl-provider-path",  ssl_parse_global_ssl_provider_path },
 #endif
 	{ CFG_GLOBAL, "ssl-skip-self-issued-ca", ssl_parse_skip_self_issued_ca },
 	{ CFG_GLOBAL, "tune.ssl.cachesize", ssl_parse_global_int },