MINOR: ssl: Add payload support to "set ssl ocsp-response"

It is now possible to use a payload with the "set ssl ocsp-response"
command.  These syntaxes will work the same way:

 # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \
     socat /tmp/sock1 -

 # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \
     socat /tmp/sock1 -

Signed-off-by: Aurélien Nephtali <aurelien.nephtali@corp.ovh.com>
Aurélien Nephtali 2018-04-18 14:04:58 +02:00 committed by Willy Tarreau
parent 25650ce513
commit 1e0867cfbc
2 changed files with 19 additions and 3 deletions
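The normalisation the patch adds to the CLI handler (drop CR/LF in place, then base64-decode what is left), as an added illustration that is not HAProxy's code: strip_crlf() mirrors the new loop, decode_ocsp_payload() stands in for base64dec() with a small strict decoder, and the emptiness check is made after stripping so a payload made only of line breaks is rejected instead of being decoded to zero bytes. check_payload() and the sample strings are constructed for testing.

```c
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical helper, not HAProxy's code: drop CR/LF from a CLI payload in
 * place, as the patch's loop does, and return the length that remains. */
static size_t strip_crlf(char *payload)
{
    size_t i, j;
    for (i = 0, j = 0; payload[i]; i++)
        if (payload[i] != '\r' && payload[i] != '\n')
            payload[j++] = payload[i];
    payload[j] = '\0';
    return j;
}

/* Strict base64 decode of the stripped payload (stand-in for base64dec()).
 * Returns the DER length, or -1 if the payload is empty once line breaks are
 * gone (e.g. only "\n"), badly padded, or holds a non-base64 character. */
int decode_ocsp_payload(char *payload, unsigned char *out, size_t outsz)
{
    size_t len = strip_crlf(payload), i, o = 0;
    if (len == 0 || len % 4 != 0) return -1;   /* empty check AFTER stripping */
    for (i = 0; i < len; i += 4) {
        unsigned int acc = 0;
        int k, v, pad = 0;
        for (k = 0; k < 4; k++) {
            const char *p = strchr(B64, payload[i + k]);
            v = p ? (int)(p - B64) : -1;
            if (payload[i + k] == '=' && i + 4 == len && k >= 2)
                pad++, v = 0;             /* '=' allowed only in the last group */
            else if (pad || v < 0)
                return -1;                /* data after '=', or bad character */
            acc = (acc << 6) | (unsigned int)v;
        }
        if (o + 3 - pad > outsz) return -1;   /* would overflow caller's buffer */
        out[o++] = (unsigned char)(acc >> 16);
        if (pad < 2) out[o++] = (unsigned char)(acc >> 8);
        if (pad < 1) out[o++] = (unsigned char)acc;
    }
    return (int)o;
}

/* Test convenience: decode a constant string into a scratch buffer; returns
 * the DER length, -1 on rejection, -2 if the bytes differ from 'expect'. */
int check_payload(const char *in, const char *expect)
{
    char buf[256]; unsigned char out[256]; int n;
    if (strlen(in) >= sizeof buf) return -1;
    strcpy(buf, in);
    n = decode_ocsp_payload(buf, out, sizeof out);
    if (n >= 0 && expect && (strlen(expect) != (size_t)n || memcmp(out, expect, (size_t)n))) return -2;
    return n;
}
```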


@ -1712,7 +1712,7 @@ set severity-output [ none | number | string ]
Change the severity output format of the stats socket connected to for the Change the severity output format of the stats socket connected to for the
duration of the current session. duration of the current session.
set ssl ocsp-response <response> set ssl ocsp-response <response | payload>
This command is used to update an OCSP Response for a certificate (see "crt" This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of on "bind" lines). Same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the the response. The <response> must be passed as a base64 encoded string of the
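Review bot: the synopsis now reads `<response | payload>` but the paragraph beneath it still only describes `<response>`; add a sentence stating that the payload form carries the same base64-encoded response, supplied through the `<<` multi-line syntax, so a reader of the synopsis knows what `payload` refers to.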
@ -1725,6 +1725,10 @@ set ssl ocsp-response <response>
echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
socat stdio /var/run/haproxy.stat socat stdio /var/run/haproxy.stat
using the payload syntax:
echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
socat stdio /var/run/haproxy.stat
set ssl tls-key <id> <tlskey> set ssl tls-key <id> <tlskey>
Set the next TLS key for the <id> listener to <tlskey>. This key becomes the Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
ultimate key, while the penultimate one is used for encryption (others just ultimate key, while the penultimate one is used for encryption (others just
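Review bot: the new example pipes `base64 resp.der` without `-w 0`, so the payload is line-wrapped base64; this only works because the handler strips `\r` and `\n`, and the documentation should say explicitly that embedded line breaks are tolerated in the payload form rather than leaving readers to infer it from the example.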


@ -8565,16 +8565,28 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
{ {
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL; char *err = NULL;
int i, j;
if (!payload)
payload = args[3];
/* Expect one parameter: the new response in base64 encoding */ /* Expect one parameter: the new response in base64 encoding */
if (!*args[3]) { if (!*payload) {
appctx->ctx.cli.severity = LOG_ERR; appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n"; appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
appctx->st0 = CLI_ST_PRINT; appctx->st0 = CLI_ST_PRINT;
return 1; return 1;
} }
trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size); /* remove \r and \n from the payload */
for (i = 0, j = 0; payload[i]; i++) {
if (payload[i] == '\r' || payload[i] == '\n')
continue;
payload[j++] = payload[i];
}
payload[j] = 0;
trash.len = base64dec(payload, j, trash.str, trash.size);
if (trash.len < 0) { if (trash.len < 0) {
appctx->ctx.cli.severity = LOG_ERR; appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n"; appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
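Review bot: the emptiness check `if (!*payload)` runs before the loop that removes `\r` and `\n`, so a payload consisting only of line breaks passes it, is reduced to `j == 0`, and reaches `base64dec(payload, 0, ...)`, which does not take the "invalid base64" error path. Move the check after the stripping loop (or test `j == 0` there) so that input gets the "expects response in base64 encoding" message instead of proceeding with an empty buffer.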