2 files changed, 55 insertions, 11 deletions

diff --git a/man/systemd-journal-upload.service.xml b/man/systemd-journal-upload.service.xml
index 1b8b0be677..a073a37a29 100644
--- a/man/systemd-journal-upload.service.xml
+++ b/man/systemd-journal-upload.service.xml
@@ -165,7 +165,9 @@
         <term><option>--key=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL key file in PEM format.
+          Takes a path to a SSL key file in PEM format, or <option>-</option>.
+          If <option>-</option> is set, then client certificate authentication checking
+          will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
         </para></listitem>
       </varlistentry>
@@ -174,7 +176,9 @@
         <term><option>--cert=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL certificate file in PEM format.
+          Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
+          If <option>-</option> is set, then client certificate authentication checking
+          will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
         </para></listitem>
       </varlistentry>
@@ -183,9 +187,8 @@
         <term><option>--trust=</option></term>
 
         <listitem><para>
-          Takes a path to a SSL CA certificate file in PEM format,
-          or <option>all</option>. If <option>all</option> is set,
-          then certificate checking will be disabled.
+          Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
+          If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
           Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
         </para></listitem>
       </varlistentry>
diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c
index 031e82587d..2f9585df56 100644
--- a/src/journal-remote/journal-upload.c
+++ b/src/journal-remote/journal-upload.c
@@ -23,6 +23,7 @@
 #include "main-func.h"
 #include "mkdir.h"
 #include "parse-util.h"
+#include "path-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
 #include "rlimit-util.h"
@@ -240,14 +241,14 @@ int start_upload(Uploader *u,
                             "systemd-journal-upload " GIT_VERSION,
                             LOG_WARNING, );
 
-                if (arg_key || startswith(u->url, "https://")) {
+                if (!streq_ptr(arg_key, "-") && (arg_key || startswith(u->url, "https://"))) {
                         easy_setopt(curl, CURLOPT_SSLKEY, arg_key ?: PRIV_KEY_FILE,
                                     LOG_ERR, return -EXFULL);
                         easy_setopt(curl, CURLOPT_SSLCERT, arg_cert ?: CERT_FILE,
                                     LOG_ERR, return -EXFULL);
                 }
 
-                if (streq_ptr(arg_trust, "all"))
+                if (STRPTR_IN_SET(arg_trust, "-", "all"))
                         easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
                                     LOG_ERR, return -EUCLEAN);
                 else if (arg_trust || startswith(u->url, "https://"))
@@ -515,12 +516,52 @@ static int perform_upload(Uploader *u) {
         return update_cursor_state(u);
 }
 
+static int config_parse_path_or_ignore(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        _cleanup_free_ char *n = NULL;
+        bool fatal = ltype;
+        char **s = data;
+        int r;
+
+        assert(filename);
+        assert(lvalue);
+        assert(rvalue);
+        assert(data);
+
+        if (isempty(rvalue))
+                goto finalize;
+
+        n = strdup(rvalue);
+        if (!n)
+                return log_oom();
+
+        if (streq(n, "-"))
+                goto finalize;
+
+        r = path_simplify_and_warn(n, PATH_CHECK_ABSOLUTE | (fatal ? PATH_CHECK_FATAL : 0), unit, filename, line, lvalue);
+        if (r < 0)
+                return fatal ? -ENOEXEC : 0;
+
+finalize:
+        return free_and_replace(*s, n);
+}
+
 static int parse_config(void) {
         const ConfigTableItem items[] = {
-                { "Upload",  "URL",                    config_parse_string, 0, &arg_url    },
-                { "Upload",  "ServerKeyFile",          config_parse_path,   0, &arg_key    },
-                { "Upload",  "ServerCertificateFile",  config_parse_path,   0, &arg_cert   },
-                { "Upload",  "TrustedCertificateFile", config_parse_path,   0, &arg_trust  },
+                { "Upload",  "URL",                    config_parse_string,         0, &arg_url    },
+                { "Upload",  "ServerKeyFile",          config_parse_path_or_ignore, 0, &arg_key    },
+                { "Upload",  "ServerCertificateFile",  config_parse_path_or_ignore, 0, &arg_cert   },
+                { "Upload",  "TrustedCertificateFile", config_parse_path_or_ignore, 0, &arg_trust  },
                 {}};
 
         return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",