From a9ae6b516decf82186fdc715d9931d19d76db084 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Fri, 4 Apr 2025 17:13:51 +0200
Subject: [PATCH] MEDIUM: ssl/crt-list: warn on negative wildcard filters

negative wildcard filters were always a noop, and are not useful for anything unless you want to use !* alone to remove every name from a certificate. This is confusing and the documentation never stated it correctly. This patch adds a warning during the bind initialization if it founds one, only !* does not emit a warning. This patch was done during the debugging of issue #2900.
---
 src/ssl_sock.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 15ca095e9..3257f5564 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2465,8 +2465,11 @@ static int ckch_inst_add_cert_sni(SSL_CTX *ctx, struct ckch_inst *ckch_inst,
 default_crt = 1;
 }
 /* !* filter is a nop */
- if (neg && wild)
+ if (neg && wild) {
+ if (*name)
+ ha_warning("parsing [%s:%d]: crt-list: Unsupported exclusion (!) on a wildcard filter \"!*%s\"\n", s->file, s->line, name);
 return order;
+ }
 if (*name || default_crt) {
 int j, len;
 len = strlen(name);
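Review bot: The warning on the added `ha_warning` line says the exclusion is unsupported but not what becomes of it, and that is the part an operator needs: the function still returns `order` without registering anything, so the names they meant to exclude with `!*<suffix>` are not excluded and the certificate keeps being offered for them; append the consequence, e.g. `... on a wildcard filter \"!*%s\", filter ignored\n`. The context comment `/* !* filter is a nop */` above the new block is now only half the story — suggest `/* a bare "!*" is a silent nop; any other negative wildcard never excluded anything, so warn and ignore it */`. The commit message says the documentation never described this correctly, yet the diffstat touches only src/ssl_sock.c, so the crt-list filter section of the documentation should receive the same statement. If `s` is the bind_conf (its declaration is outside the hunk), `s->file`/`s->line` locate the bind line rather than the crt-list entry, so naming the certificate or crt-list file in the message would help find the offending filter. ckch_inst_add_cert_sni starts and ends outside the hunk.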