Remove the "ocsp-update" keyword handling from the crt-list.
The code was made as an exception everywhere so we could activate the
ocsp-update for an individual certificate.
The feature will still exist but will be parsed as a "crt-store"
keyword which will still be usable in a "crt-list". This will appear in
future commits.
This commit also disables the reg-tests for now.
unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */
- unsigned int ocsp_update:2;/* enable OCSP auto update */
char *ca_file; /* CAfile to use on verify and ca-names */
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */
struct buffer *ocsp_response;
X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid;
- int ocsp_update_mode;
};
/* configuration for the ckch_store */
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
-int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
-#REGTEST_TYPE=slow
+#REGTEST_TYPE=broken
# reg-test is around ~2.5s
# broken with BoringSSL.
-#REGTEST_TYPE=devel
+#REGTEST_TYPE=broken
# broken with BoringSSL.
#
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
-
-static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
- struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
-{
- if (!*args[cur_arg + 1]) {
- memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
- return ERR_ALERT | ERR_FATAL;
- }
-
- if (strcmp(args[cur_arg + 1], "on") == 0)
- ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
- else if (strcmp(args[cur_arg + 1], "off") == 0)
- ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
- else {
- memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
- return ERR_ALERT | ERR_FATAL;
- }
-
- if (ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) {
- /* We might need to create the main ocsp update task */
- int ret = ssl_create_ocsp_update_task(err);
- if (ret)
- return ret;
- }
-
- return 0;
-}
-
-
/***************************** "server" keywords Parsing ********************************************/
/* parse the "npn" bind keyword */
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
- { "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
{ NULL, NULL, 0 },
};
goto end;
}
- data->ocsp_update_mode = global_ssl.ocsp_update.mode;
-
/* remove the ".crt" extension */
if (global_ssl.extra_files_noext) {
char *ext;
dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
- dst->ocsp_update_mode = src->ocsp_update_mode;
-
return dst;
error:
entry->node.key = ckchs;
entry->crtlist = newlist;
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry->node);
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
entry_dup->node.key = ckchs;
entry_dup->crtlist = newlist;
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
- if (cfgerr & ERR_FATAL)
- goto error;
-
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry_dup->node);
LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
entry->node.key = ckchs;
entry->crtlist = newlist;
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
- if (cfgerr & ERR_FATAL)
- goto error;
-
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry->node);
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
space++;
}
- if (conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_DFLT) {
- if (space) chunk_appendf(buf, " ");
- chunk_appendf(buf, "ocsp-update %s",
- conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_OFF ? "off" : "on");
- space++;
- }
+ /* FIXME: dump crt-store keywords */
chunk_appendf(buf, "]");
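Review bot: The new `/* FIXME: dump crt-store keywords */` replaces the lines that emitted `ocsp-update on|off` into the dumped bracket, so whatever consumes this dump (presumably a "show ssl crt-list" style output; the enclosing function starts outside the hunk) silently loses that state without the comment saying so. A reader hitting the FIXME later has no way to know which keyword disappeared; `/* FIXME: dump crt-store keywords (ocsp-update is no longer emitted here since it moved out of ssl_bind_conf) */` would carry that. The `space` counter is no longer incremented for it either, which is consistent with dropping the output but worth a glance when the crt-store dump is added.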
goto error;
}
- /* No need to check 'ocsp-update' inconsistency on a store that is not
- * used yet (it was just added through the CLI for instance).
- */
- if (!LIST_ISEMPTY(&store->ckch_inst) &&
- ocsp_update_check_cfg_consistency(store, entry, cert_path, &err))
- goto error;
-
- if (entry->ssl_conf)
- store->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- store->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
-
/* check if it's possible to insert this new crtlist_entry */
entry->node.key = store;
inserted = ebpt_insert(&crtlist->entries, &entry->node);
ssl_sock_free_ocsp_instance(ctx->ocsp);
}
-/* Check if the ckch_store and the entry do have the same configuration. Also
- * ensure that those options are compatible with the global ocsp-update mode. */
-int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
-{
- int err_code = ERR_NONE;
- int incompat_found = 0;
-
- switch(store->data->ocsp_update_mode) {
- case SSL_SOCK_OCSP_UPDATE_DFLT:
- if (entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON &&
- global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON)
- incompat_found = 1;
- break;
- case SSL_SOCK_OCSP_UPDATE_OFF:
- if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) ||
- ((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON))
- incompat_found = 1;
- break;
- case SSL_SOCK_OCSP_UPDATE_ON:
- if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_ON) ||
- ((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON))
- incompat_found = 1;
- break;
- }
-
- if (incompat_found) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- err_code |= ERR_ALERT | ERR_FATAL;
- }
-
- return err_code;
-}
-
struct show_ocsp_updates_ctx {
struct certificate_ocsp *cur_ocsp;
};
char *err = NULL;
size_t path_len;
int inc_refcount_store = 0;
- int enable_auto_update = (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON ||
- (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT &&
- global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON));
+ int enable_auto_update = 0;
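Review bot: `enable_auto_update` is now a constant 0, so every branch further down this function that depends on it (the function continues past the hunk) is dead code until the crt-store keyword lands, and nothing on the new line says this is transitional. The hunk a few lines below also drops the `else` branch that refused an OCSP response with auto-update enabled but no OCSP URI, so that validation is gone with no replacement in this commit. Suggest `int enable_auto_update = 0; /* FIXME: forced off until ocsp-update is parsed as a crt-store keyword; the OCSP-URI check for enabled auto-update was removed with it */` so the next reader does not take the literal 0 as the intended final behaviour. It is worth confirming that no remaining reader of the deleted `ocsp_update_mode` field survives outside the hunks shown, since the struct member itself is removed in the header hunk.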
x = data->cert;
if (!x)
ret = 0;
goto out;
}
- } else {
- /* If we have an OCSP response provided and the ocsp auto update
- * enabled, we must raise an error if no OCSP URI was found. */
- if (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON && b_data(ocsp_uri) == 0)
- goto out;
}
issuer = data->ocsp_issuer;
/* we found the ckchs in the tree, we can use it directly */
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
- /* The ckch_store might have been created through a crt-list
- * line so we must check that the ocsp-update modes are still
- * compatible between the global mode and the explicit one from
- * the crt-list. */
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, NULL, path, err);
-
found++;
} else if (stat(path, &buf) == 0) {
found++;