From b1d623949c3b60ccb41c18d44c874d183dda2ca4 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Mon, 25 Mar 2024 16:50:24 +0100
Subject: [PATCH] BUG/MINOR: ssl: Detect more 'ocsp-update' incompatibilities

The inconsistencies in 'ocsp-update' parameter were only checked when
parsing a crt-list line so if a certificate was used on a bind line
after being used in a crt-list with 'ocsp-update' set to 'on', then no
error would be raised. This patch helps detect such inconsistencies.

This patch can be backported up to branch 2.8.
---
 src/ssl_sock.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f5382492ee..49565576c7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3842,6 +3842,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default,
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
 		 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
+
+		 /* This certificate has an 'ocsp-update' already set in a
+		  * previous crt-list so we must raise an error. */
+		 if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+			 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
+			 cfgerr |= ERR_ALERT | ERR_FATAL;
+		 }
+
 		 found++;
 	} else if (stat(path, &buf) == 0) {
 		found++;
-- 
2.47.3