BUG/MINOR: ssl: SSL_CERT_DIR environment variable doesn't affect haproxy

The documentation of @system-ca specifies that one can overwrite the
value provided by the SSL Library using SSL_CERT_DIR.

However, it seems that X509_get_default_cert_dir() is not affected by
this environment variable, and X509_get_default_cert_dir_env() needs to
be used in order to get the variable name, then read the value manually.

This could be backported in every stable branches. Note that older
branches don't have the memprintf in ssl_sock.c.
William Lallemand 2026-02-10 21:31:07 +01:00
parent 2ac0d12790
commit ea92b0ef01
3 changed files with 22 additions and 2 deletions


@ -80,6 +80,7 @@ void ssl_store_delete_cafile_entry(struct cafile_entry *ca_e);
int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf, int append);
int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type);
int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_type type, int shuterror);
const char *ha_default_cert_dir();
extern struct cert_exts cert_exts[];
extern int (*ssl_commit_crlfile_cb)(const char *path, X509_STORE *ctx, char **err);
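Review bot: The new declaration `const char *ha_default_cert_dir();` is a non-prototype declaration — in C11 an empty parameter list means "unspecified arguments", so the compiler cannot check calls against it, and the definition in the second file uses the same form; write `const char *ha_default_cert_dir(void);` in both places. The declaration also carries no contract, unlike the surrounding prototypes which are at least self-describing; suggest a comment such as `/* Default CA directory: the SSL library's env var (SSL_CERT_DIR for OpenSSL) when set, else X509_get_default_cert_dir(); callers must check for NULL. */`, since the caller in the ca-file loader does test the result for NULL.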


@ -1490,6 +1490,25 @@ end:
return retval;
}
/*
* return the default verify cert directory.
*
* It might provided by the SSL library or set in an environment variable
* (commonly SSL_CERT_DIR)
*/
const char *ha_default_cert_dir()
{
const char *dir = NULL;
const char *certdir_varname = X509_get_default_cert_dir_env();
if (certdir_varname)
dir = getenv(certdir_varname);
if (dir == NULL)
dir = X509_get_default_cert_dir();
return dir;
}
/*
* Try to load a ca-file from disk into the ca-file cache.
* <shuterror> allows you to to stop emitting the errors.
@ -1519,7 +1538,7 @@ int __ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_
}
if (strcmp(path, "@system-ca") == 0) {
dir = X509_get_default_cert_dir();
dir = ha_default_cert_dir();
if (!dir) {
if (!shuterror)
ha_alert("Couldn't get the system CA directory from X509_get_default_cert_dir().\n");
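Review bot: The alert on this line still names X509_get_default_cert_dir() although the directory is now obtained from ha_default_cert_dir(), so when the lookup fails the operator is not told that the library's environment variable (SSL_CERT_DIR for OpenSSL) was consulted first; suggest `ha_alert("Couldn't get the system CA directory from the environment or X509_get_default_cert_dir().\n");`. In ha_default_cert_dir() itself, a variable that is set but empty makes getenv() return `""`, which is not NULL, so it skips the library fallback and passes the `if (!dir)` check here with an empty path; `if (dir == NULL || *dir == '\0')` before the fallback would treat an empty override like an unset one, if that is the intended semantics (OpenSSL presumably rejects an empty directory later anyway, so the difference is mainly which error gets reported). The header comment of the new function has a typo, `It might provided by` → `It may be provided by`. __ssl_store_load_locations_file() starts and ends outside this hunk.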


@ -8554,7 +8554,7 @@ static void ssl_register_build_options()
#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER < 0x3000000fL)
memprintf(&ptr, "%s\nSSL library FIPS mode : %s", ptr, FIPS_mode() ? "yes" : "no");
#endif
memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, X509_get_default_cert_dir());
memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, ha_default_cert_dir());
memprintf(&ptr, "%s\nSSL library supports :", ptr);
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (methodVersions[i].option)
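Review bot: `ha_default_cert_dir()` is passed straight to `%s` on the replaced line, while the call site in the ca-file loader guards the same return value with `if (!dir)`; if NULL is possible there it is possible here too, and a NULL `%s` argument is undefined behaviour in the vsnprintf behind memprintf. Suggest binding the value once and guarding it: `const char *certdir = ha_default_cert_dir();` followed by `memprintf(&ptr, "%s\nSSL library default verify directory : %s", ptr, certdir ? certdir : "(none)");`. Since the value may now come from the environment rather than the library build, the label "SSL library default verify directory" no longer says where it came from, which matters when checking which trust store `haproxy -vv` reports; a short comment on the line, `/* may be overridden via the library's env var (SSL_CERT_DIR for OpenSSL) */`, would make that explicit. ssl_register_build_options() continues outside the hunk.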