upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-04-15 21:59:41 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level

Browse source 
This commit adds an ha_warning() when OCSP commands are accessed without
admin level. This is to warn users that these commands will be
restricted to admin only in HAProxy 3.3.

Must be backported in every stable branches.

Initially reported by Cameron Brown.
This commit is contained in:
William Lallemand 2026-03-31 11:35:46 +02:00
parent 14a4168a84
commit d47415624b
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/ssl_ocsp.c
View file

@ -1510,6 +1510,9 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
unsigned char *p;
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
if (!*args[3]) {
memprintf(&err, "'update ssl ocsp-response' expects a filename\n");
return cli_dynerr(appctx, err);
@ -1590,6 +1593,9 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
char *err = NULL;
int i, j, ret;
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
if (!payload)
payload = args[3];
@ -1630,10 +1636,12 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
{
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
int arg_idx = 3;
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
if (*args[3]) {
struct certificate_ocsp *ocsp = NULL;
char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@ -1817,6 +1825,9 @@ static int cli_parse_show_ocsp_updates(char **args, char *payload, struct appctx
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
struct show_ocsp_updates_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0;