mirror of
https://github.com/haproxy/haproxy.git
synced 2026-05-25 10:42:14 -04:00
The check on the OCSP response expire time is based on the "Next Update" field of the response, converted by the my_timegm function that returns a time_t (signed long). It is then stored in the 'expire' field of the certificate_ocsp structure which is typed as a signed long. When loading an OCSP response, if the "Next Update" time is too far in the future and we are running on a 32-bit machine, we might end up with negative times returned by my_timegm, which makes the comparison with the current date fail and raises the "OCSP single response: no longer valid." error message. This problem typically happens in the ocsp_auto_update.vtc regtest since the loaded OCSP response has a "Next Update" field in 2050. This patch simply changes the type of the expire field to an unsigned long since the 'my_timegm' function does not return '-1' in case of error, contrary to the standard 'timegm' one. This patch can be backported to all stable branches.

| |
|---|
| .. |
| haproxy |
| import |
| make |
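
The failure described in the commit message can be reproduced in isolation. This is an added example, not HAProxy code: `int32_t`/`uint32_t` stand in for a 32-bit `long`/`unsigned long`, all function names are hypothetical, and the "current date" of 2026-01-01 is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>

/* Days since 1970-01-01 for a Gregorian calendar date (UTC). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);                        /* year of era  */
    int doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;       /* day of era   */
    return era * 146097 + doe - 719468;
}

/* Seconds since the epoch at midnight UTC, computed without truncation. */
int64_t utc_seconds(int y, int m, int d)
{
    return days_from_civil(y, m, d) * 86400;
}

/* What a 32-bit signed / unsigned 'expire' field ends up holding. */
int32_t  as_signed32(int64_t secs)   { return (int32_t)(uint32_t)secs; }
uint32_t as_unsigned32(int64_t secs) { return (uint32_t)secs; }

/* The validity test: the response is usable while expire is after now. */
int valid_signed32(int32_t expire, int32_t now)     { return expire > now; }
int valid_unsigned32(uint32_t expire, uint32_t now) { return expire > now; }

int main(void)
{
    int64_t now  = utc_seconds(2026, 1, 1);   /* constructed "current date" */
    int64_t next = utc_seconds(2050, 1, 1);   /* "Next Update" in 2050      */

    printf("next update  : %lld\n", (long long)next);
    printf("signed 32    : %ld -> valid=%d\n", (long)as_signed32(next),
           valid_signed32(as_signed32(next), as_signed32(now)));
    /* Unsigned works only because no -1 error value has to be represented;
     * a 32-bit unsigned counter itself runs out in February 2106. */
    printf("unsigned 32  : %lu -> valid=%d\n", (unsigned long)as_unsigned32(next),
           valid_unsigned32(as_unsigned32(next), as_unsigned32(now)));
    return 0;
}
```
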