From ec7eb59d206a2eb58b1d325483d196e8daaf9285 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Thu, 18 Aug 2022 15:53:02 +0200
Subject: [PATCH] BUG/MINOR: ssl/cli: error when the ca-file is empty

"set ssl ca-file" does not return any error when a ca-file is empty or only contains comments. This could be a problem is the file was malformated and did not contain any PEM header. It must be backported as far as 2.5.
---
 src/ssl_ckch.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 0992240e2..9827928c8 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -1140,7 +1140,8 @@ int ssl_store_load_ca_from_buf(struct cafile_entry *ca_e, char *cert_buf)
 retval = !X509_STORE_add_crl(ca_e->ca_store, info->crl);
 }
 }
- retval = retval || (i != sk_X509_INFO_num(infos));
+ /* return an error if we didn't compute all the X509_INFO or if there was none */
+ retval = retval || (i != sk_X509_INFO_num(infos)) || ( sk_X509_INFO_num(infos) == 0);
 /* Cleanup */
 sk_X509_INFO_pop_free(infos, X509_INFO_free);
-- 
2.47.3
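Review bot: The added `sk_X509_INFO_num(infos) == 0` test only catches a buffer in which nothing was parsed. A buffer whose PEM blocks are parsed but contribute neither a certificate nor a CRL would presumably still return success with an empty store. The loop that fills `ca_e->ca_store` is outside this hunk and only its CRL branch is visible, so this needs confirming against the full function. If it holds, counting the objects actually added to the store and failing when that count is zero would reject malformed input more reliably than the entry count. The comment could also state the return convention, e.g. `/* non-zero on error: an add failed, not every X509_INFO was processed, or none was found */`, and the stray space in `( sk_X509_INFO_num` can go.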