This bug could be reproduced with the "set ssl cert" CLI command to update
a certificate. The OCSP CID is duplicated by ckchs_dup() which calls
ssl_sock_copy_cert_key_and_chain(). It should be computed again by
ssl_sock_load_ocsp(). This may be accomplished by resetting the new ckch OCSP CID
returned by ckchs_dup().
This bug may be related to GH #2319.
Must be backported to 2.8.
goto end;
}
+ /* Reset the OCSP CID */
+ if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
+ cert_ext->type == CERT_TYPE_ISSUER) {
+ OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
+ new_ckchs->data->ocsp_cid = NULL;
+ }
+
data = new_ckchs->data;
/* apply the change on the duplicate */
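Review bot: the comment on the added block ("Reset the OCSP CID") states what is done but not why, and the reason is the whole point of the fix: the CID copied into new_ckchs by ckchs_dup() must not survive the certificate update, so it is dropped here and left for ssl_sock_load_ocsp() to recompute. Suggest expanding the comment to that effect, e.g. "Reset the OCSP CID duplicated by ckchs_dup(); it will be recomputed by ssl_sock_load_ocsp() for the new certificate", so a later reader does not take the free for a leak fix and move or remove it. Two points worth confirming in review as well: the free is safe only if ssl_sock_copy_cert_key_and_chain() gives new_ckchs its own OCSP_CERTID rather than sharing the pointer with the original ckchs (otherwise OCSP_CERTID_free() here would release a CID the original still holds), and the reset is deliberately limited to CERT_TYPE_PEM, CERT_TYPE_KEY and CERT_TYPE_ISSUER, so the comment should say that other extension types keep the existing CID on purpose.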