On 01/23/2015 12:02 AM, Cyril Bonté wrote:
Hi Raphaël,
On 12/01/2015 17:10, Raphaël Enrici wrote:
Dear all,
nice to meet you (first post since a very loooong time here).
As far as I understand it, when using the crt option of the bind directive
with a directory as parameter, cert files from the specified directory are
loaded...
Well, good, that's great :)
Today we faced an issue on two hosts working in active/passive mode
which led us to some cold sweat...
(...)
It seems to be due to the use of readdir in the function ssl_sock_load_cert()
located in src/ssl_sock.c. As readdir does not guarantee any order, or at least
not an alphabetical or time order, both instances did not have the same
answer although the configurations were exactly the same.
(...)
Or maybe the listing of certs could be alphabetically sorted, although it may
break existing deployments and so may not be a good thing at all.
I have a small patch ready for this, I think I can send it tomorrow or
during the week-end.
Indeed, I think we could merge your patch to mainline because all
certificates are stored in and accessed from a tree using the CN and
DNS aliases as key, so the result will be the same regardless of the
loading order. The only effect will be to fix the current unpredictable
behavior on the choice of the default certificate.
Please, don't forget to update the doc.
R,
Emeric
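The thread above boils down to one point: readdir() returns directory entries in whatever order the filesystem keeps them, so two hosts with byte-identical configurations can pick different "first" certificates. The following C program is an added illustration, not HAProxy's code and not the patch discussed in the thread. It reads a directory the way ssl_sock_load_cert() does (opendir/readdir), then sorts the names with qsort()/strcmp() so that a "first entry wins" default-certificate rule gives the same answer on every host. The ".pem" suffix filter, the constructed file names, the "first entry wins" rule and the use of a scratch directory under /tmp are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_CERTS 256

/* A name counts as a certificate file when it ends in ".pem" (assumption for this example). */
static int is_cert_name(const char *name)
{
    size_t n = strlen(name);
    return n > 4 && strcmp(name + n - 4, ".pem") == 0;
}

static int cmp_names(const void *a, const void *b)
{
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Collect certificate file names from dir into out[] (strdup'ed, caller frees).
 * With sorted == 0 the order is exactly what readdir() returned, which the
 * filesystem does not guarantee to be the same on two hosts; with sorted != 0
 * the names are qsort()ed by strcmp() so every host sees the same order.
 * Returns the number of names, or -1 if the directory cannot be opened. */
int list_certs(const char *dir, int sorted, char **out, int max)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *de;
    while (n < max && (de = readdir(d)) != NULL) {
        if (!is_cert_name(de->d_name))
            continue;               /* skips ".", "..", README, etc. */
        out[n++] = strdup(de->d_name);
    }
    closedir(d);
    if (sorted)
        qsort(out, (size_t)n, sizeof(char *), cmp_names);
    return n;
}

void free_names(char **names, int n)
{
    for (int i = 0; i < n; i++)
        free(names[i]);
}

/* Builds a scratch directory holding constructed, empty ".pem" files created
 * deliberately out of alphabetical order, lists them sorted, and returns the
 * name that a "first entry wins" default-certificate rule would then pick.
 * Returns NULL on failure. The returned pointer refers to a static buffer. */
const char *demo_default_cert(void)
{
    static char chosen[256];
    static const char *files[] = {              /* constructed names */
        "www.example.org.pem", "mail.example.org.pem",
        "README", "api.example.org.pem"
    };
    const int nfiles = (int)(sizeof(files) / sizeof(files[0]));
    char tmpl[] = "/tmp/certdemoXXXXXX";
    char path[512];

    if (mkdtemp(tmpl) == NULL)
        return NULL;
    for (int i = 0; i < nfiles; i++) {
        snprintf(path, sizeof(path), "%s/%s", tmpl, files[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            return NULL;
        close(fd);
    }

    char *names[MAX_CERTS];
    int n = list_certs(tmpl, 1, names, MAX_CERTS);   /* 1 = sorted, deterministic */
    const char *result = NULL;
    if (n > 0) {
        snprintf(chosen, sizeof(chosen), "%s", names[0]);
        result = chosen;
    }
    free_names(names, n > 0 ? n : 0);

    /* Remove the scratch files and directory again. */
    for (int i = 0; i < nfiles; i++) {
        snprintf(path, sizeof(path), "%s/%s", tmpl, files[i]);
        unlink(path);
    }
    rmdir(tmpl);
    return result;
}

int main(void)
{
    const char *def = demo_default_cert();
    printf("default certificate with sorted loading: %s\n", def ? def : "(error)");
    return def ? 0 : 1;
}
```

Calling list_certs() with sorted == 0 instead reproduces the situation in the thread: the order, and therefore the default certificate, depends on the on-disk layout of each host's directory rather than on the configuration. A sorted listing is a cheap way to make the choice reproducible, which also makes an active/passive pair auditable: the default certificate can be predicted from the file names alone.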