upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-20 00:10:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

MINOR: ssl: Detect more OCSP update inconsistencies

Browse source 
If a configuration such as the following was included in a crt-list
file, it would not have raised a warning about 'ocsp-update'
inconsistencies for the concerned certificate:
    cert.pem [ocsp-update on]
    cert.pem
because the second line as a NULL entry->ssl_conf.
This commit is contained in:
Remi Tricot-Le Breton 2023-01-09 12:02:46 +01:00 committed by William Lallemand
parent 14d7f0eb48
commit fc92b8bda5
1 changed files with 10 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/ssl_crtlist.c
View file

@ -613,14 +613,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
entry_dup->node.key = ckchs;
entry_dup->crtlist = newlist;
if (entry->ssl_conf) {
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
}
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
}
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
ebpt_insert(&newlist->entries, &entry_dup->node);
LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
@ -644,14 +645,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
} else {
entry->node.key = ckchs;
entry->crtlist = newlist;
if (entry->ssl_conf) {
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
}
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
}
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
ebpt_insert(&newlist->entries, &entry->node);
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);