From 474f614975217a50385ba30e06e888613700ae31 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Thu, 12 Jan 2023 09:49:09 +0100
Subject: [PATCH] MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors

If incompatibilities are found in a certificate's ocsp-update mode we raised a single alert that will be considered fatal from here on. This is changed because in case of incompatibilities we will end up with an undefined behaviour. The ocsp response might or might not be updated depending on the order in which the multiple ocsp-update options are taken into account.
---
 src/ssl_crtlist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index bf32de11f..825f38047 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -617,7 +617,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
 (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
 }
 }
 if (entry->ssl_conf)
@@ -649,7 +649,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
 (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
 }
 }
 if (entry->ssl_conf)
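Review bot: The ocsp-update consistency check, its message and now the `ERR_ALERT | ERR_FATAL` flags are duplicated verbatim in the hunks at -617 and -649, so the two copies have to be kept in sync by hand and the next fix to one is likely to miss the other; factoring the condition, the memprintf() and the flag into one `static` helper in src/ssl_crtlist.c that returns the ERR_* bits to OR into `cfgerr` would remove that risk. The message also does not say which two settings disagree, which is what an operator needs to fix a crt-list that has just become fatal; consider appending the values of `ckchs->data->ocsp_update_mode` and `entry->ssl_conf->ocsp_update` (or noting that the entry has no ssl_conf) to the existing "Incompatibilities found in OCSP update mode for certificate %s" text. Since the loop continues past the check (`if (entry->ssl_conf)` follows immediately), I assume the caller is what stops on `ERR_FATAL` — worth confirming, as crtlist_parse_file() begins and ends outside both hunks.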