gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MINOR: ssl/cli: replace dump/show ssl crt-list by '-n' option

Browse Source 
The dump and show ssl crt-list commands does the same thing, they dump
the content of a crt-list, but the 'show' displays an ID in the first
column. Delete the 'dump' command so it is replaced by the 'show' one.
The old 'show' command is replaced by an '-n' option to dump the ID.
And the ID which was a pointer is replaced by a line number and placed
after colons in the filename.

Example:
  $ echo "show ssl crt-list -n kikyo.crt-list" | socat /tmp/sock1 -
  # kikyo.crt-list
  kikyo.pem.rsa:1 secure.domain.tld
  kikyo.pem.ecdsa:2 secure.domain.tld
This commit is contained in:
William Lallemand 2020-04-06 19:07:03 +02:00 committed by William Lallemand
parent 0a9b9414f0
commit c69f02d0f0
3 changed files with 35 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/management.txt
View File

@ -1595,18 +1595,6 @@ disable server <backend>/<server>
This command is restricted and can only be issued on sockets configured for
level "admin".
dump ssl crt-list <filename>
Dump the content of a crt-list or a directory. Once dumped the output can be
used as a crt-list file.
Example:
echo "dump ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
# localhost.crt-list
common.pem !not.test1.com *.test1.com !localhost
common.pem
ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
enable agent <backend>/<server>
Resume auxiliary agent check that was temporarily stopped.
@ -2582,20 +2570,22 @@ show ssl cert [<filename>]
Filename: *test.local.pem
[...]
show ssl crt-list [<filename>]
show ssl crt-list [-n] [<filename>]
Display the list of crt-list and directories used in the HAProxy
configuration. If a directory or a crt-list is specified, displays its
content. Does not use this command to dump your crt-list configuration as it
provides extra informations not compatible with the crt-list. To dump a
crt-list, use the "dump ssl crt-list" command instead.
configuration. If a filename is specified, dump the content of a crt-list or
a directory. Once dumped the output can be used as a crt-list file.
The '-n' option can be used to display the line number, which is useful when
combined with the 'del ssl crt-list' option when a entry is duplicated. The
output with the '-n' option is not compatible with the crt-list format and
not loadable by haproxy.
Example:
echo "show ssl crt-list localhost.crt-list" | socat /tmp/sock1 -
echo "show ssl crt-list -n localhost.crt-list" | socat /tmp/sock1 -
# localhost.crt-list
0x55db301c29a0 common.pem !not.test1.com *.test1.com !localhost
0x55db301f99e0 common.pem
0x7fb6f40220b0 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
0x55db30277070 ecdsa.pem [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
common.pem:1 !not.test1.com *.test1.com !localhost
common.pem:2
ecdsa.pem:3 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3] localhost !www.test1.com
ecdsa.pem:4 [verify none allow-0rtt ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3]
show resolvers [<resolvers section id>]
Dump statistics for the given resolvers section, or all resolvers sections

1
include/types/ssl_sock.h
View File

@ -156,6 +156,7 @@ struct bind_conf_list {
/* This structure is basically a crt-list or a directory */
struct crtlist {
struct bind_conf_list *bind_conf; /* list of bind_conf which use this crtlist */
unsigned int linecount; /* number of lines */
struct eb_root entries;
struct list ord_entries; /* list to keep the line order of the crt-list file */
struct ebmb_node node; /* key is the filename or directory */

32
src/ssl_sock.c
View File

@ -4567,6 +4567,7 @@ static int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct
memcpy(dir->node.key, path, strlen(path) + 1);
dir->entries = EB_ROOT_UNIQUE; /* it's a directory, files are unique */
dir->bind_conf = NULL;
dir->linecount = 0;
LIST_INIT(&dir->ord_entries);
n = scandir(path, &de_list, 0, alphasort);
@ -4602,6 +4603,7 @@ static int crtlist_load_cert_dir(char *path, struct bind_conf *bind_conf, struct
}
/* directories don't use ssl_conf and filters */
entry->linenum = 0;
entry->fcount = 0;
entry->filters = NULL;
entry->ssl_conf = NULL;
@ -4804,7 +4806,7 @@ static int crtlist_parse_line(char *line, char **crt_path, struct crtlist_entry
goto error;
}
}
entry->linenum = linenum;
entry->ssl_conf = ssl_conf;
entry->filters = crtlist_dup_filters(&args[cur_arg], arg - cur_arg - 1);
entry->fcount = arg - cur_arg - 1;
@ -4937,6 +4939,8 @@ static int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct pr
if (cfgerr & ERR_CODE)
goto error;
newlist->linecount = linenum;
fclose(f);
*crtlist = newlist;
@ -11155,9 +11159,9 @@ static int cli_io_handler_dump_crtlist_entries(struct appctx *appctx)
store = entry->node.key;
filename = store->path;
if (appctx->ctx.cli.i0 == 's') /* show */
chunk_appendf(trash, "%p ", entry);
chunk_appendf(trash, "%s", filename);
if (appctx->ctx.cli.i0 == 's') /* show */
chunk_appendf(trash, ":%d", entry->linenum);
dump_crtlist_sslconf(trash, entry->ssl_conf);
dump_crtlist_filters(trash, entry);
chunk_appendf(trash, "\n");
@ -11179,6 +11183,7 @@ yield:
static int cli_parse_dump_crtlist(char **args, char *payload, struct appctx *appctx, void *private)
{
struct ebmb_node *lnode;
char *filename = NULL;
int mode;
if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
@ -11186,13 +11191,20 @@ static int cli_parse_dump_crtlist(char **args, char *payload, struct appctx *app
appctx->ctx.cli.p0 = NULL;
appctx->ctx.cli.p1 = NULL;
mode = (int)args[0][0]; /* 'd' or 's' */
if (mode == 'd' && !*args[3])
return cli_err(appctx, "'dump ssl crt-list' expects a filename or a directory\n");
if (*args[3] && !strcmp(args[3], "-n")) {
mode = 's';
filename = args[4];
} else {
mode = 'd';
filename = args[3];
}
if (*args[3]) {
lnode = ebst_lookup(&crtlists_tree, args[3]);
if (mode == 's' && !*args[4])
return cli_err(appctx, "'show ssl crt-list -n' expects a filename or a directory\n");
if (filename && *filename) {
lnode = ebst_lookup(&crtlists_tree, filename);
if (lnode == NULL)
return cli_err(appctx, "didn't find the specified filename\n");
@ -11320,6 +11332,7 @@ static int cli_io_handler_add_crtlist(struct appctx *appctx)
ssl_sock_load_cert_sni(new_inst, new_inst->bind_conf);
HA_RWLOCK_WRUNLOCK(SNI_LOCK, &new_inst->bind_conf->sni_lock);
}
entry->linenum = ++crtlist->linecount;
appctx->st2 = SETCERT_ST_FIN;
goto end;
}
@ -12722,8 +12735,7 @@ static struct cli_kw_list cli_kws = {{ },{
{ { "show", "ssl", "cert", NULL }, "show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a <certfile>", cli_parse_show_cert, cli_io_handler_show_cert, cli_release_show_cert },
{ { "add", "ssl", "crt-list", NULL }, "add ssl crt-list <filename> <certfile> [options] : add a line <certfile> to a crt-list <filename>", cli_parse_add_crtlist, cli_io_handler_add_crtlist, cli_release_add_crtlist },
{ { "del", "ssl", "crt-list", NULL }, "del ssl crt-list <filename> <certfile[:line]> : delete a line <certfile> in a crt-list <filename>", cli_parse_del_crtlist, NULL, NULL },
{ { "dump", "ssl", "crt-list", NULL }, "dump ssl crt-list <filename> : dump the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
{ { "show", "ssl", "crt-list", NULL }, "show ssl crt-list [<filename>] : show the list of crt-lists or the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
{ { "show", "ssl", "crt-list", NULL }, "show ssl crt-list [-n] [<filename>] : show the list of crt-lists or the content of a crt-list <filename>", cli_parse_dump_crtlist, cli_io_handler_dump_crtlist, NULL },
{ { NULL }, NULL, NULL, NULL }
}};