From 66965a60ba08c262018b32d9b02a9942bd0664c2 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Wed, 25 Mar 2026 14:47:10 +0100
Subject: [PATCH] BUG/MEDIUM: ssl/ocsp: ocsp commands are missing permission checks

'set ssl ocsp-response', 'update ssl ocsp-response', 'show ssl ocsp-response', 'show ssl ocsp-updates' are lacking permissions checks on admin level.

Must be backported in 3.3. This can be a breaking change for some users.

Initially reported by Cameron Brown.
---
 src/ssl_ocsp.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index eeb8f4135..2709704dc 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1510,8 +1510,8 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 	unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 	unsigned char *p;
-	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
-		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
 	if (!*args[3]) {
 		memprintf(&err, "'update ssl ocsp-response' expects a filename\n");
@@ -1593,8 +1593,8 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 	char *err = NULL;
 	int i, j, ret;
-	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
-		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
 	if (!payload)
 		payload = args[3];
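Review bot: The bare `return 1` following the new `cli_has_level()` test in cli_parse_update_ocsp_response does not tell the reader why no error text is produced here; assuming cli_has_level() emits the "Permission denied" reply itself, as the other CLI parsers rely on, a one-line comment such as `/* cli_has_level() has already set the "Permission denied" error */` above the return would make the early exit self-explanatory. The same shape appears in cli_parse_set_ocspresponse (hunk @1593), cli_parse_show_ocspresponse (@1639) and cli_parse_show_ocsp_updates (@1825), so the comment belongs in all four. In the two show parsers the service context is still reserved via applet_reserve_svcctx() before the permission check; nothing in the hunk shows that to be harmful, but placing the check first would keep the rejected path from touching the context at all. All four functions continue outside their hunks.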
@@ -1639,8 +1639,8 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
 	struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 	int arg_idx = 3;
-	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
-		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
 	if (*args[3]) {
 		struct certificate_ocsp *ocsp = NULL;
@@ -1825,8 +1825,8 @@ static int cli_parse_show_ocsp_updates(char **args, char *payload, struct appctx
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 	struct show_ocsp_updates_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
-	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
-		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+	if (!cli_has_level(appctx, ACCESS_LVL_ADMIN))
+		return 1;
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
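Review bot: In cli_parse_show_ocsp_updates the new admin check sits inside the `#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)` block, so a build where that condition is false runs the remainder of the function, which lies outside this hunk, with no level check at all. That is presumably harmless if the fallback path only reports that OCSP is unsupported, but if it emits anything else the line `if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1;` belongs before the `#if` so both build variants enforce the same policy. The function body continues beyond the hunk.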