BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities

The inconsistencies in 'ocsp-update' parameter were only checked when
parsing a crt-list line so if a certificate was used on a bind line
after being used in a crt-list with 'ocsp-update' set to 'on', then no
error would be raised. This patch helps detect such inconsistencies.

This patch can be backported up to branch 2.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5382492ee77ad1e32bd3c95c0be13ed0930c42f..49565576c76bb078a3081409dd6c3f02b6bbe805 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3842,6 +3842,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default,
        if ((ckchs = ckchs_lookup(path))) {
                /* we found the ckchs in the tree, we can use it directly */
                 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
+
+                /* This certificate has an 'ocsp-update' already set in a
+                 * previous crt-list so we must raise an error. */
+                if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+                        memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
+                        cfgerr |= ERR_ALERT | ERR_FATAL;
+                }
+
                 found++;
        } else if (stat(path, &buf) == 0) {
                found++;