diff --git a/doc/management.txt b/doc/management.txt
index c0c3f4823..a2e8d8fc3 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1712,7 +1712,7 @@ set severity-output [ none | number | string ]
 Change the severity output format of the stats socket connected to for the duration of the current session.
-set ssl ocsp-response
+set ssl ocsp-response
 This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The must be passed as a base64 encoded string of the
@@ -1725,6 +1725,10 @@ set ssl ocsp-response
 echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
 socat stdio /var/run/haproxy.stat
+ using the payload syntax:
+ echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
+ socat stdio /var/run/haproxy.stat
+
 set ssl tls-key Set the next TLS key for the listener to . This key becomes the ultimate key, while the penultimate one is used for encryption (others just
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 70bf66024..db9d4c119 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8565,16 +8565,28 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 {
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 char *err = NULL;
+ int i, j;
+
+ if (!payload)
+ payload = args[3];
 /* Expect one parameter: the new response in base64 encoding */
- if (!*args[3]) {
+ if (!*payload) {
 appctx->ctx.cli.severity = LOG_ERR;
 appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
 appctx->st0 = CLI_ST_PRINT;
 return 1;
 }
- trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
+ /* remove \r and \n from the payload */
+ for (i = 0, j = 0; payload[i]; i++) {
+ if (payload[i] == '\r' || payload[i] == '\n')
+ continue;
+ payload[j++] = payload[i];
+ }
+ payload[j] = 0;
+
+ trash.len = base64dec(payload, j, trash.str, trash.size);
 if (trash.len < 0) {
 appctx->ctx.cli.severity = LOG_ERR;
 appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
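Review bot: The emptiness check `if (!*payload)` runs before the CR/LF stripping loop, so a payload made only of line breaks (for example a `<<` block followed by an empty line) passes the check, is compacted to `j == 0`, and a zero-length buffer is handed to `base64dec()` instead of hitting the explicit "expects response" error; presumably `base64dec()` returns 0 rather than a negative value for empty input, so the `trash.len < 0` test does not catch it either, and the guard should be repeated after `payload[j] = 0;` as `if (!j) {` with the same LOG_ERR branch (or the original check moved below the loop). The loop also rewrites the buffer in place, and when no payload was supplied that buffer is `args[3]`; a comment such as `/* compacts payload in place; when it aliases args[3] the CLI's own line buffer is rewritten */` would make the aliasing explicit for later maintainers. `j` is an `int` passed as the length argument of `base64dec()`; if that parameter is `size_t` (not visible in this hunk) a `size_t` counter would avoid the signed/unsigned mix. The function body continues past the end of the hunk.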