MINOR: ssl/cli: add a '-t' option to 'show ssl sni'

Add a -t option to 'show ssl sni', allowing an offset to be added to the
current date so that one can check which certificates are expired after a
certain period of time.
William Lallemand 2025-04-28 11:35:11 +02:00
parent f1064c7382
commit 83975f34e4
2 changed files with 38 additions and 5 deletions


@ -3805,7 +3805,7 @@ show ssl providers
- fips
- base
show ssl sni [-f <frontend>] [-A]
show ssl sni [-f <frontend>] [-A] [-t <offset>]
Dump every SNI configured for the designated frontend, or all frontends if no
frontend was specified. It allows to see what SNI are offered for a frontend,
and to identify if a SNI is defined multiple times by multiple certificates for
@ -3814,6 +3814,12 @@ show ssl sni [-f <frontend>] [-A]
The -A option allows to filter the list and only displays the certificates
that are past the notAfter date, allowing to show only expired certificates.
The -t option takes an offset in seconds, or with a time unit (s, m, h, d),
which is added to the current time, allowing to check which certificates
expired after the offset when combined with -A.
For example if you want to check which certificates would be expired in 30d,
just do "show ssl sni -A -t 30d".
Columns are separated by a single \t, allowing to parse it simply.
The 'Frontend/Bind' column shows the frontend name followed by the bind line
@ -3837,7 +3843,7 @@ show ssl sni [-f <frontend>] [-A]
leaf certificate.
Example:
$ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
$ echo "@1 show ssl sni -A -t 30d" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
# Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT


@ -98,6 +98,7 @@ struct show_sni_ctx {
struct ebmb_node *n;
int nodetype;
int options;
unsigned int offset;
};
/* CLI context used by "dump ssl cert" */
@ -1713,7 +1714,7 @@ static int cli_io_handler_show_sni(struct appctx *appctx)
#ifdef HAVE_ASN1_TIME_TO_TM
if (ctx->options & SHOW_SNI_OPT_NOTAFTER) {
time_t notAfter = x509_get_notafter_time_t(sni->ckch_inst->ckch_store->data->cert);
if (!(date.tv_sec > notAfter))
if (!(date.tv_sec+ctx->offset > notAfter))
continue;
}
#endif
@ -1788,7 +1789,7 @@ yield:
}
/* parsing function for 'show ssl sni [-f <frontend>] [-A]' */
/* parsing function for 'show ssl sni [-f <frontend>] [-A] [-t <offset>]' */
static int cli_parse_show_sni(char **args, char *payload, struct appctx *appctx, void *private)
{
struct show_sni_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
@ -1832,9 +1833,35 @@ static int cli_parse_show_sni(char **args, char *payload, struct appctx *appctx,
return cli_err(appctx, "'-A' option is only supported with OpenSSL >= 1.1.1!\n");
#endif
} else if (strcmp(args[cur_arg], "-t") == 0) {
unsigned int offset;
const char *res;
char *err = NULL;
if (*args[cur_arg+1] == '\0')
return cli_err(appctx, "'-t' requires an offset argument!\n");
res = parse_time_err(args[cur_arg+1], &offset, TIME_UNIT_S);
if (res == PARSE_TIME_OVER) {
return cli_dynerr(appctx, memprintf(&err, "offset overflow '%s' (maximum value is 2147483647s or ~24855 days)", args[cur_arg+1]));
}
else if (res == PARSE_TIME_UNDER) {
return cli_dynerr(appctx, memprintf(&err, "timer underflow '%s' (minimum non-null value is 1s)", args[cur_arg+1]));
}
else if (res) {
return cli_dynerr(appctx, memprintf(&err, "'%s %s' : unexpected character '%c'", args[cur_arg], args[cur_arg+1], *res));
}
if (!offset) {
return cli_dynerr(appctx, memprintf(&err, "'%s' expects a positive value", args[cur_arg]));
}
ctx->offset = offset;
cur_arg++; /* skip the argument */
} else {
return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', or '-A' options!\n");
return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', '-A' or '-t' options!\n");
}
cur_arg++;
}
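Review bot: The `-t` offset parsed in this hunk only takes effect inside the `-A` filter (`date.tv_sec+ctx->offset > notAfter` in the earlier hunk of cli_io_handler_show_sni), so `show ssl sni -t 30d` without `-A` is accepted and silently does nothing, and on builds without HAVE_ASN1_TIME_TO_TM it is accepted while `-A` itself is rejected. After the argument loop, which closes at the end of this hunk while the function continues outside it, a check such as `if (ctx->offset && !(ctx->options & SHOW_SNI_OPT_NOTAFTER)) return cli_err(appctx, "'-t' is only meaningful together with '-A'\n");` would make that dependency explicit instead of leaving the option as a no-op. The PARSE_TIME_UNDER message still reads `timer underflow`, apparently copied from timer parsing; `offset underflow` would match the `offset overflow` wording one branch above. Separately, in the filter hunk `date.tv_sec` (time_t) plus `ctx->offset` (unsigned int) is evaluated in the wider time_t on 64-bit targets, but with a 32-bit time_t it becomes unsigned arithmetic and drags `notAfter` into the unsigned comparison; storing the offset as `time_t` or casting it at the addition would keep the comparison signed on every platform.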