git.ipfire.org Git - thirdparty/haproxy.git/commit
MEDIUM: ssl: add ocsp-update.disable global option
author William Lallemand <wlallemand@haproxy.com>
Thu, 2 May 2024 12:22:24 +0000 (14:22 +0200)
committer William Lallemand <wlallemand@haproxy.com>
Fri, 17 May 2024 15:35:51 +0000 (17:35 +0200)
commit 2bcf38c7c844aa745c4603d37f8c94abc7572460
tree 101c26620d2a736bb6e4d972ec0c37d955214882
parent 2e6615b2823819c7092cfdb596408c09dee160ee
MEDIUM: ssl: add ocsp-update.disable global option

This option allows completely disabling the ocsp-update.

To achieve this, the ocsp-update.mode global keyword doesn't rely anymore
on SSL_SOCK_OCSP_UPDATE_OFF during parsing to call
ssl_create_ocsp_update_task().

Instead, we will inherit the SSL_SOCK_OCSP_UPDATE_* value from
ocsp-update.mode for each certificate which does not specify its own
mode.

To completely disable the ocsp without editing all crt entries,
ocsp-update.disable is used instead of "ocsp-update.mode" which is now
only used as the default value for crt.

doc/configuration.txt
include/haproxy/ssl_sock-t.h
src/ssl_ocsp.c
src/ssl_sock.c