MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors

When incompatibilities are found in a certificate's ocsp-update mode we
used to raise a single, non-fatal alert; such an inconsistency is now
treated as a fatal configuration error. The reason is that an
inconsistent configuration leads to undefined behaviour: the OCSP
response might or might not be updated depending on the order in which
the multiple ocsp-update options are taken into account.
This commit is contained in:
Remi Tricot-Le Breton 2023-01-12 09:49:09 +01:00 committed by William Lallemand
parent bdd84c5ffb
commit 474f614975


@ -617,7 +617,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (entry->ssl_conf)
@ -649,7 +649,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (entry->ssl_conf)
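Review bot: The condition, the alert message and the now-fatal error flags are duplicated verbatim at both sites (the `if` in each hunk), and this commit had to patch both of them in lockstep; a small `static` helper would keep the two checks from drifting apart, which is precisely the kind of inconsistency the commit is fixing. Neither site explains to a reader why a mismatch is fatal rather than a warning, so I would also add above the `if` a comment such as `/* ocsp-update is a per-certificate setting: conflicting values would make the update behaviour depend on the order in which crt-list lines and bind options are parsed, so refuse the configuration. */`. Returning the error mask from the helper keeps `cfgerr |= ...` at the call sites, so the accumulating-error style of `crtlist_parse_file` is unchanged. The parameter types below are presumably those of `ckchs` and `entry` in `crtlist_parse_file`, which the hunks do not show, so confirm them; the function itself starts and ends outside both hunks.
```c
/* Check that the ocsp-update mode recorded on <ckchs> agrees with what
 * crt-list entry <entry> requests. Returns 0 when they agree, else appends
 * an alert for <crt_path> to <err> and returns ERR_ALERT | ERR_FATAL. */
static int crtlist_check_ocsp_update(struct ckch_store *ckchs, struct crtlist_entry *entry,
                                     const char *crt_path, char **err)
{
	int mode = ckchs->data->ocsp_update_mode;

	/* ocsp-update is a per-certificate setting: conflicting values would make
	 * the update behaviour depend on parsing order, so refuse the config. */
	if ((!entry->ssl_conf && mode == SSL_SOCK_OCSP_UPDATE_ON)
	    || (entry->ssl_conf && mode != entry->ssl_conf->ocsp_update)) {
		memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
		return ERR_ALERT | ERR_FATAL;
	}
	return 0;
}

/* … unchanged: crtlist_parse_file up to each former check … */
		cfgerr |= crtlist_check_ocsp_update(ckchs, entry, crt_path, err);
/* … unchanged: rest of crtlist_parse_file … */
```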