From: William Lallemand
Date: Wed, 18 Dec 2024 14:48:26 +0000 (+0100)
Subject: MEDIUM: ssl/ocsp: OCSP response is expired with OCSP_MAX_RESPONSE_TIME_SKEW
X-Git-Tag: v3.2-dev2~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c7f5ce32e53c4903700bb253a4fce18c17036b2;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl/ocsp: OCSP response is expired with OCSP_MAX_RESPONSE_TIME_SKEW

When an OCSP response has a nextUpdate date which is OCSP_MAX_RESPONSE_TIME_SKEW (300) seconds in the future, the OCSP stapling callback ssl_sock_ocsp_stapling_cbk() returns SSL_TLSEXT_ERR_NOACK. However we don't emit an error when trying to load the file.

There is an OCSP_check_validity() check using OCSP_MAX_RESPONSE_TIME_SKEW, but it checks that the OCSP response's thisUpdate is not too much in the past.

This patch emits an error during loading so we don't try to load an OCSP response which would never be emitted because of OCSP_MAX_RESPONSE_TIME_SKEW.

This was discussed in issue #2822.
---
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index b4c3122e90..fdb26e3d26 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -333,6 +333,11 @@ int ssl_sock_load_ocsp_response(struct buffer *ocsp_response, } #endif + if (ocsp->expire < date.tv_sec) { + memprintf(err, "OCSP single response: no longer valid. Must be valid during at least %ds.", OCSP_MAX_RESPONSE_TIME_SKEW); + goto out; + } + ret = 0; out: ERR_clear_error();
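Review bot: the error message and the comparison disagree unless ocsp->expire already has the skew subtracted, which this hunk does not show. The condition is `if (ocsp->expire < date.tv_sec)`, i.e. expired right now, yet the message says the response "Must be valid during at least %ds" with OCSP_MAX_RESPONSE_TIME_SKEW. If expire is the raw nextUpdate, the check should be `if (ocsp->expire < date.tv_sec + OCSP_MAX_RESPONSE_TIME_SKEW)` to match the callback behaviour the commit message describes; if expire is computed as nextUpdate minus the skew elsewhere in ssl_sock_load_ocsp_response(), a one-line comment above the check saying so would make the message verifiable at this point. Minor wording: "valid for at least %ds" reads better than "valid during at least %ds".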
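The two time checks the commit message describes (thisUpdate not too far off, and nextUpdate still at least OCSP_MAX_RESPONSE_TIME_SKEW seconds away) are easy to get subtly wrong at the boundaries, so here is an added, self-contained C model of them. This is example code written for this page, not HAProxy's ssl_ocsp.c and not the patch above. It assumes the skew value of 300 s quoted in the commit message, that the responder's GeneralizedTime is the OCSP-typical "YYYYMMDDHHMMSSZ" form (UTC, no fractional seconds), and that nextUpdate is present; the helper names generalizedtime_to_epoch() and ocsp_check_window() are hypothetical, and the sample timestamps are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed: the 300 s skew the commit message quotes for HAProxy. */
#define OCSP_MAX_RESPONSE_TIME_SKEW 300

enum ocsp_status {
    OCSP_OK = 0,
    OCSP_BAD_TIME,          /* timestamp unparsable                           */
    OCSP_TOO_NEW,           /* thisUpdate more than skew seconds in the future */
    OCSP_EXPIRES_TOO_SOON   /* nextUpdate less than skew seconds away         */
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm),
 * used instead of timegm() so the example does not depend on libc extensions. */
static int64_t days_from_civil(int y, unsigned m, unsigned d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned mp  = m > 2 ? m - 3 : m + 9;           /* March = 0 ... Feb = 11 */
    unsigned doy = (153 * mp + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Hypothetical parser for ASN.1 GeneralizedTime "YYYYMMDDHHMMSSZ" -> Unix epoch.
 * Returns -1 on malformed input. Not HAProxy's asn1_generalizedtime_to_epoch(). */
static int64_t generalizedtime_to_epoch(const char *s)
{
    if (strlen(s) != 15 || s[14] != 'Z')
        return -1;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;
#define D2(i) ((unsigned)(s[i] - '0') * 10 + (unsigned)(s[(i) + 1] - '0'))
    int y        = (int)(D2(0) * 100 + D2(2));
    unsigned mo  = D2(4), d = D2(6), h = D2(8), mi = D2(10), sec = D2(12);
#undef D2
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 60)
        return -1;
    return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}

/* Decide whether a single OCSP response is usable for stapling at time `now`.
 * expire_out receives nextUpdate minus the skew: the instant after which the
 * response should no longer be stapled (the callback condition in the commit
 * message), and the value a load-time check should compare against `now`. */
static enum ocsp_status ocsp_check_window(const char *thisupd, const char *nextupd,
                                          int64_t now, int64_t *expire_out)
{
    int64_t this_e = generalizedtime_to_epoch(thisupd);
    int64_t next_e = generalizedtime_to_epoch(nextupd);
    if (this_e < 0 || next_e < 0)
        return OCSP_BAD_TIME;

    /* thisUpdate may lead our clock by at most the skew (clock tolerance). */
    if (this_e > now + OCSP_MAX_RESPONSE_TIME_SKEW)
        return OCSP_TOO_NEW;

    /* Require the response to remain valid for at least skew more seconds.
     * Boundary: exactly skew seconds left is still accepted (not strictly less). */
    int64_t expire = next_e - OCSP_MAX_RESPONSE_TIME_SKEW;
    if (expire_out)
        *expire_out = expire;
    if (expire < now)
        return OCSP_EXPIRES_TOO_SOON;
    return OCSP_OK;
}

int main(void)
{
    /* Constructed sample: "now" is 2000-01-01T00:00:00Z (epoch 946684800). */
    int64_t now = generalizedtime_to_epoch("20000101000000Z"), expire = 0;
    enum ocsp_status st = ocsp_check_window("19991231230000Z", "20000101000400Z",
                                            now, &expire);
    printf("status=%d expire=%lld now=%lld\n", (int)st, (long long)expire,
           (long long)now);   /* nextUpdate only 240 s away: EXPIRES_TOO_SOON */
    return st == OCSP_OK ? 0 : 1;
}
```

The load-time check the patch adds corresponds to the last comparison in ocsp_check_window(): it is only meaningful if the stored expiry already has the skew subtracted, otherwise the load succeeds but the stapling callback still refuses the response for the first 300 s of its final validity window.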