From 73705ac701c6b0a8201ae29fffd9f29520a03b78 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Thu, 1 Feb 2024 11:58:14 +0100
Subject: [PATCH] BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call

If we were to enable 'ocsp-update' on a certificate that does not have an OCSP URI, we would exit ssl_sock_load_ocsp with a negative error code which would raise a misleading error message (" has an OCSP URI and OCSP auto-update is set to 'on' ..."). This patch simply fixes the error message but an error is still raised. This issue was raised in GitHub #2432. It can be backported up to branch 2.8.
---
 src/ssl_sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 56872a100..926fc3b73 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3348,7 +3348,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
 memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
 err && *err ? *err : "", path);
 else
- memprintf(err, "%s '%s' has an OCSP URI and OCSP auto-update is set to 'on' but an error occurred (maybe the issuer could not be found)'.\n",
+ memprintf(err, "%s '%s' has an OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found)'.\n",
 err && *err ? *err : "", path);
 errcode |= ERR_ALERT | ERR_FATAL;
 goto end;
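Review bot: The reworded message on the `+` line keeps the stray `'` before the final period (`could not be found)'.\n`) and reads awkwardly as "has an OCSP auto-update set to 'on'". A cleaner form would be `memprintf(err, "%s '%s' has OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found).\n",`; the `.ocsp` message in the context line above carries the same unbalanced quote. The text still only guesses at the cause, so an operator reading this fatal startup error cannot tell a missing OCSP URI from a missing issuer. If ssl_sock_load_ocsp returns distinct codes or can fill `err` itself (not visible in this hunk), reporting the actual reason would make the alert actionable. The body of ssl_sock_put_ckch_into_ctx starts and ends outside the hunk.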