From c890b9795280a865bf4c9b94aefda7d9b344c87d Mon Sep 17 00:00:00 2001
From: definitio <37266727+definitio@users.noreply.github.com>
Date: Thu, 8 Apr 2021 13:22:40 +0300
Subject: [PATCH] Update HAProxy OCSP stapling via local UNIX socket
---
 .../src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
index 12c4c8724..6bf8af928 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
@@ -18,6 +18,7 @@
 # along with this program. If not, see .
 HAPROXY_DIR="/tmp/haproxy/ssl"
+HAPROXY_SOCKET="/var/run/haproxy.socket"
 for _pem in "$HAPROXY_DIR"/*.pem; do
 cert_file="$(basename "$_pem")"
@@ -64,6 +65,11 @@ for _pem in "$HAPROXY_DIR"/*.pem; do
 if [ "${_ret}" != "0" ]; then
 echo "Updating OCSP stapling failed with return code ${_ret}"
+ else
+ _update="$(openssl enc -base64 -A -in "${_ocsp}")"
+ if ! echo "set ssl ocsp-response ${_update}" | socat stdio $HAPROXY_SOCKET; then
+ echo "Updating haproxy OCSP stapling via socket failed"
+ fi
 fi
 fi
 fi
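Review bot: The `if ! echo "set ssl ocsp-response ${_update}" | socat stdio $HAPROXY_SOCKET` test in the second hunk only sees socat's exit status, which is 0 whenever the socket could be connected and the line was written, so a response that HAProxy itself rejects over the runtime API (it reports such errors as a text reply on stdout, not as a non-zero exit) is logged as a success and the stale staple stays in place. The same branch also sends an empty payload if `openssl enc` fails, since `_update` is assigned from a command substitution whose status is never checked. I would capture HAProxy's reply and match it against the success message (as far as I recall the CLI answers `OCSP Response updated!`), guard the empty-encoding case, quote the socket path and make the address type explicit with `UNIX-CONNECT:` rather than relying on socat's bare-filename default. The enclosing `if [ "${_ret}" != "0" ]` and the `for _pem` loop begin before this hunk, and the variable `_ocsp` is set outside it, so I am assuming it holds the path of the freshly fetched DER response.
```shell
# … unchanged: OCSP fetch and "${_ret}" != "0" failure branch …
else
    _update="$(openssl enc -base64 -A -in "${_ocsp}")"
    if [ -z "${_update}" ]; then
        echo "Encoding OCSP response ${_ocsp} for haproxy failed"
    else
        # HAProxy signals CLI errors in the reply text, not via socat's exit status
        _reply="$(echo "set ssl ocsp-response ${_update}" | socat stdio "UNIX-CONNECT:${HAPROXY_SOCKET}")"
        case "${_reply}" in
            *"OCSP Response updated"*) ;;
            *) echo "Updating haproxy OCSP stapling via socket failed: ${_reply}" ;;
        esac
    fi
# … unchanged: closing fi's of the enclosing conditionals …
```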