From: Remi Tricot-Le Breton Date: Thu, 1 Feb 2024 10:58:14 +0000 (+0100) Subject: BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call X-Git-Tag: v3.0-dev3~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73705ac701c6b0a8201ae29fffd9f29520a03b78;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call If we were to enable 'ocsp-update' on a certificate that does not have an OCSP URI, we would exit ssl_sock_load_ocsp with a negative error code which would raise a misleading error message (" has an OCSP URI and OCSP auto-update is set to 'on' ..."). This patch simply fixes the error message but an error is still raised. This issue was raised in GitHub #2432. It can be backported up to branch 2.8. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 56872a1007..926fc3b730 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3348,7 +3348,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data, memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n", err && *err ? *err : "", path); else - memprintf(err, "%s '%s' has an OCSP URI and OCSP auto-update is set to 'on' but an error occurred (maybe the issuer could not be found)'.\n", + memprintf(err, "%s '%s' has an OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found)'.\n", err && *err ? *err : "", path); errcode |= ERR_ALERT | ERR_FATAL; goto end;
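Review bot: In the replaced memprintf line of ssl_sock_put_ckch_into_ctx, the new wording "has an OCSP auto-update set to 'on'" reads awkwardly, and the string still ends with a stray apostrophe after the closing parenthesis ("found)'.\n"), the same leftover that appears in the '.ocsp' message in the context line just above. Suggested text: "%s '%s' has OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found).\n". The message also still leaves the operator guessing between two causes. Since the commit message says the missing-URI case leaves ssl_sock_load_ocsp with a negative error code, consider branching on that return value if it is distinguishable from the issuer-not-found case, so this fatal alert names the actual cause and the admin knows whether to fix the certificate chain or drop 'ocsp-update' for that certificate.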