From: Remi Tricot-Le Breton
Date: Thu, 12 Jan 2023 08:49:09 +0000 (+0100)
Subject: MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors
X-Git-Tag: v2.8-dev2~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=474f614975217a50385ba30e06e888613700ae31;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors
If incompatibilities are found in a certificate's ocsp-update mode we raised a single alert that will be considered fatal from here on. This is changed because in case of incompatibilities we will end up with an undefined behaviour. The ocsp response might or might not be updated depending on the order in which the multiple ocsp-update options are taken into account.
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index bf32de11fc..825f380475 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -617,7 +617,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
 (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
 }
 }
 if (entry->ssl_conf)
@@ -649,7 +649,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
 (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
 }
 }
 if (entry->ssl_conf)
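Review bot: The mode check, its memprintf() message and the cfgerr severity are duplicated verbatim in the @@ -617 and @@ -649 hunks of crtlist_parse_file, which is exactly why this commit had to patch the same line twice; a small static helper returning the ERR_ flags would keep the two paths from drifting apart again, and a later severity or wording change would then land in one place. Since the condition now aborts configuration loading, the message would also be more actionable for operators if it stated which of the two sources disagreed (the certificate's ocsp_update_mode versus the crt-list entry's ssl_conf->ocsp_update) instead of the bare "Incompatibilities found"; the exact rendering of the mode values is not visible in the hunk, so I have left the message text unchanged below. crtlist_parse_file starts and ends outside both hunks.
```c
/* Checks that the ocsp-update mode carried by the certificate store agrees
 * with the one set on the crt-list entry (or with the "off" default when the
 * entry has no ssl_conf). On mismatch, appends a message to *err and returns
 * ERR_ALERT | ERR_FATAL; returns 0 when the modes are consistent. */
static int crtlist_check_ocsp_update_mode(struct ckch_store *ckchs,
                                          struct ssl_bind_conf *ssl_conf,
                                          const char *crt_path, char **err)
{
	if ((!ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
	    (ssl_conf && ckchs->data->ocsp_update_mode != ssl_conf->ocsp_update)) {
		memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
		return ERR_ALERT | ERR_FATAL;
	}
	return 0;
}
/* … unchanged: crtlist_parse_file body; at both former check sites: … */
		cfgerr |= crtlist_check_ocsp_update_mode(ckchs, entry->ssl_conf, crt_path, err);
```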