From: Aurélien Nephtali Date: Wed, 18 Apr 2018 12:04:58 +0000 (+0200) Subject: MINOR: ssl: Add payload support to "set ssl ocsp-response" X-Git-Tag: v1.9-dev1~285 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e0867cfbc5bd6ec028a5c8eaa4386b2a402eb37;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add payload support to "set ssl ocsp-response" It is now possible to use a payload with the "set ssl ocsp-response" command. These syntaxes will work the same way: # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \ socat /tmp/sock1 - # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \ socat /tmp/sock1 - Signed-off-by: Aurélien Nephtali --- diff --git a/doc/management.txt b/doc/management.txt index c0c3f48234..a2e8d8fc35 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -1712,7 +1712,7 @@ set severity-output [ none | number | string ] Change the severity output format of the stats socket connected to for the duration of the current session. -set ssl ocsp-response +set ssl ocsp-response This command is used to update an OCSP Response for a certificate (see "crt" on "bind" lines). Same controls are performed as during the initial loading of the response. The must be passed as a base64 encoded string of the @@ -1725,6 +1725,10 @@ set ssl ocsp-response echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \ socat stdio /var/run/haproxy.stat + using the payload syntax: + echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \ + socat stdio /var/run/haproxy.stat + set ssl tls-key Set the next TLS key for the listener to . This key becomes the ultimate key, while the penultimate one is used for encryption (others just diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 70bf660243..db9d4c1199 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c 
@@ -8565,16 +8565,28 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx { #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) char *err = NULL; + int i, j; + + if (!payload) + payload = args[3]; /* Expect one parameter: the new response in base64 encoding */ - if (!*args[3]) { + if (!*payload) { appctx->ctx.cli.severity = LOG_ERR; appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n"; appctx->st0 = CLI_ST_PRINT; return 1; } - trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size); + /* remove \r and \n from the payload */ + for (i = 0, j = 0; payload[i]; i++) { + if (payload[i] == '\r' || payload[i] == '\n') + continue; + payload[j++] = payload[i]; + } + payload[j] = 0; + + trash.len = base64dec(payload, j, trash.str, trash.size); if (trash.len < 0) { appctx->ctx.cli.severity = LOG_ERR; appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
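Review bot: the empty-input check in cli_parse_set_ocspresponse runs before the CR/LF stripping loop, so a payload made up only of line breaks (easy to produce with the new `<<` syntax, e.g. an empty file piped through `base64`) passes `if (!*payload)` and reaches `base64dec(payload, j, ...)` with `j == 0`, skipping the clear "expects response in base64 encoding" message. Suggest testing `j == 0` after the loop (or moving the existing check below it) so both entry paths report the same error. Also worth a one-line comment that the loop compacts the buffer in place and, when no payload is given, that buffer is `args[3]`: it is safe because the result is never longer than the input, but a reader may otherwise wonder whether the args array is expected to survive unmodified.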
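Review bot: the new doc/management.txt example relies on `echo -e` to turn the `\n` sequences into real line breaks, which is not POSIX; under `/bin/sh` on Debian-style systems (dash) `echo -e` prints the `-e` literally and the `\n` is interpreted only by chance, so `printf 'set ssl ocsp-response <<\n%s\n' "$(base64 resp.der)"` would be a more portable example. The surrounding description also still says the response "must be passed as a base64 encoded string" without mentioning that embedded CR/LF characters are now stripped; a short sentence saying so would tell readers why the wrapped `base64` output in the payload example is accepted while the single-line form needs `-w 10000`.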