When an OCSP response has a nextUpdate date which is
OCSP_MAX_RESPONSE_TIME_SKEW (300) seconds in the future, the OCSP
stapling callback ssl_sock_ocsp_stapling_cbk() returns SSL_TLSEXT_ERR_NOACK.
However, we don't emit an error when trying to load the file.
There is an OCSP_check_validity() check using
OCSP_MAX_RESPONSE_TIME_SKEW, but it checks that the OCSP response's
thisUpdate is not too much in the past.
This patch emits an error during loading so we don't try to load an OCSP
response which would never be emitted because of OCSP_MAX_RESPONSE_TIME_SKEW.
This was discussed in issue #2822.
}
#endif
+ if (ocsp->expire < date.tv_sec) {
+ memprintf(err, "OCSP single response: no longer valid. Must be valid during at least %ds.", OCSP_MAX_RESPONSE_TIME_SKEW);
+ goto out;
+ }
+
ret = 0;
out:
ERR_clear_error();
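Review bot: the new check on the `+ if (ocsp->expire < date.tv_sec)` line compares `ocsp->expire` against the current time with no skew term, while the error message right below it promises that the response "Must be valid during at least %ds" (OCSP_MAX_RESPONSE_TIME_SKEW). Those two only agree if `ocsp->expire` was already computed as nextUpdate minus OCSP_MAX_RESPONSE_TIME_SKEW somewhere above this hunk; if so, a one-line comment here stating that would save the next reader from assuming the comparison is off by 300 seconds, and if not, the condition should be `ocsp->expire < date.tv_sec + OCSP_MAX_RESPONSE_TIME_SKEW` so that loading rejects exactly the responses the stapling callback would refuse to send. Minor wording: "Must be valid for at least %ds" reads better than "during at least".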