BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call

If we were to enable 'ocsp-update' on a certificate that does not have
an OCSP URI, we would exit ssl_sock_load_ocsp with a negative error code
which would raise a misleading error message ("<cert> has an OCSP URI
and OCSP auto-update is set to 'on' ..."). This patch simply fixes the
error message but an error is still raised.

This issue was raised in GitHub #2432.
It can be backported up to branch 2.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 56872a10077582b6a018898b527a3673adaac8f4..926fc3b730c7ec5bfd36427c4c155f057d2921cb 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3348,7 +3348,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
                        memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
                                  err && *err ? *err : "", path);
                else
-                       memprintf(err, "%s '%s' has an OCSP URI and OCSP auto-update is set to 'on' but an error occurred (maybe the issuer could not be found)'.\n",
+                       memprintf(err, "%s '%s' has an OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found)'.\n",
                                  err && *err ? *err : "", path);
                errcode |= ERR_ALERT | ERR_FATAL;
                goto end;