From 03c5ffff8ed173b496156e8b3c6a1164918187a9 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 20 Dec 2022 11:11:10 +0100
Subject: [PATCH] MINOR: ssl: Add crt-list ocsp-update option

This option will define how the ocsp update mechanism behaves. The option can either be set to 'on' or 'off' and can only be specified in a crt-list entry so that we ensure that it concerns a single certificate. The 'off' mode is the default one and corresponds to the old behavior (no automatic update). When the option is set to 'on', we will try to get an ocsp response whenever an ocsp uri can be found in the frontend's certificate. The only limitation of this mode is that the certificate's issuer will have to be known in order for the OCSP certid to be built. This patch only adds the parsing of the option. The full functionality will come in a later commit.
---
 include/haproxy/listener-t.h | 1 +
 include/haproxy/ssl_sock-t.h | 7 +++++++
 src/cfgparse-ssl.c | 24 ++++++++++++++++++++++++
 3 files changed, 32 insertions(+)

diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index e32190d46..c3bc45c2c 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -146,6 +146,7 @@ struct ssl_bind_conf {
 unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
 unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
 unsigned int early_data:1; /* early data allowed */
+unsigned int ocsp_update:2;/* enable OCSP auto update */
 char *ca_file; /* CAfile to use on verify and ca-names */
 char *ca_verify_file; /* CAverify file to use on verify only */
 char *crl_file; /* CRLfile to use on verify */
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 278c8f7e8..f7a96ba5c 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
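Review bot: The comment on the new `ocsp_update:2` bitfield in struct ssl_bind_conf reads as a boolean ("enable OCSP auto update"), while the field is a 2-bit tri-state meant to hold the SSL_SOCK_OCSP_UPDATE_DFLT/OFF/ON values this same commit adds in ssl_sock-t.h, where 0 is "default" rather than "off". A later reader testing it as a flag would get the wrong answer, so the comment should name the value set, e.g. `unsigned int ocsp_update:2;/* OCSP auto update mode, see SSL_SOCK_OCSP_UPDATE_* */`. Two bits hold the three enumerators defined so far; if that enum grows, the width must grow with it, which is worth a word in the same comment.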
@@ -103,6 +103,13 @@ enum {
 SSL_SOCK_VERIFY_NONE = 3,
 };
 
+/* bind ocsp update mode */
+enum {
+ SSL_SOCK_OCSP_UPDATE_DFLT = 0,
+ SSL_SOCK_OCSP_UPDATE_OFF = 1,
+ SSL_SOCK_OCSP_UPDATE_ON = 2,
+};
+
 /* states of the CLI IO handler for 'set ssl cert' */
 enum {
 SETCERT_ST_INIT = 0,
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index d9e93e440..ed9765c24 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -603,6 +603,7 @@ static int ssl_parse_global_extra_noext(char **args, int section_type, struct pr
 return 0;
 }
 
+
 /***************************** Bind keyword Parsing ********************************************/
 
 /* for ca-file and ca-verify-file */
@@ -1335,6 +1336,28 @@ static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, st
 return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
+
+static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
+ struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
+{
+ if (!*args[cur_arg + 1]) {
+ memprintf(err, "'%s' : expecting ", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ if (strcmp(args[cur_arg + 1], "on") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
+ else if (strcmp(args[cur_arg + 1], "off") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
+ else {
+ memprintf(err, "'%s' : expecting ", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ return 0;
+}
+
+
 /***************************** "server" keywords Parsing ********************************************/
 
 /* parse the "npn" bind keyword */
@@ -1900,6 +1923,7 @@ struct ssl_bind_kw ssl_bind_kws[] = {
 { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 { "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
 { "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
+{ "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
 { NULL, NULL, 0 },
 };
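Review bot: Nothing in ssl_bind_parse_ocsp_update (hunk at -1335) enforces the crt-list-only restriction the commit message states: the function is registered in the generic ssl_bind_kws[] table under the "Bind keyword Parsing" section and neither px nor from_cli is consulted, so as far as this diff shows the keyword would also be accepted on a bind line, where one setting would silently apply to every certificate of the listener. Either reject it outside a crt-list entry (the from_cli argument alone does not tell the caller context apart, so this likely needs a check on the caller's side) or at least record the constraint in a comment above the function, for instance `/* parse the "ocsp-update" keyword (on|off); only meaningful on a crt-list entry, where it applies to a single certificate */`. Both error branches emit the same text, and as rendered here the message stops after "expecting " — if the list of accepted values was lost to the page's markup that is fine, otherwise the message should name them: `memprintf(err, "'%s' : expecting 'on' or 'off'", args[cur_arg]);` (same change in the second branch). The hunk at -603 and the tail of this one each add a second consecutive blank line, which looks unintended next to the single blank lines used around neighbouring functions.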