BUG/MINOR: ssl: Reenable ocsp auto-update after an "add ssl crt-list"

If a certificate that has an OCSP uri is unused and gets added to a
crt-list with the ocsp auto update option "on", it would not have been
inserted into the auto update tree because this insertion was only
working on the first call of the ssl_sock_load_ocsp function.
If the configuration used a crt-list like the following:
    cert1.pem *
    cert2.pem [ocsp-update on] *

Then calling "del ssl crt-list" on the second line and then reverting
the delete by calling "add ssl crt-list" with the same line, then the
cert2.pem would not appear in the ocsp update list (can be checked
thanks to "show ssl ocsp-updates" command).

This patch ensures that in such a case we still perform the insertion in
the update tree.

This patch can be backported up to branch 2.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7d4e79db3b45a66f2bbac83ba878a30f0676d589..8583fb31565b5fcd97bccf21a7d263971f0ab351 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1295,6 +1295,25 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
                        if (ocsp_update_task)
                                task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
                }
+       } else if (iocsp->uri && data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+               /* This unlikely case can happen if a series of "del ssl
+                * crt-list" / "add ssl crt-list" commands are made on the CLI.
+                * In such a case, the OCSP response tree entry will be created
+                * prior to the activation of the ocsp auto update and in such a
+                * case we must "force" insertion in the auto update tree.
+                */
+               if (iocsp->next_update.node.leaf_p == NULL) {
+                       ssl_ocsp_update_insert(iocsp);
+                       /* If we are during init the update task is not
+                        * scheduled yet so a wakeup won't do anything.
+                        * Otherwise, if the OCSP was added through the CLI, we
+                        * wake the task up to manage the case of a new entry
+                        * that needs to be updated before the previous first
+                        * entry.
+                        */
+                       if (ocsp_update_task)
+                               task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
+               }
        }
 
 out: