BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message

In a crt-list such as the following:
    foo.pem [ocsp-update off] foo.com
    foo.pem bar.com
we would get a wrong "Incompatibilities found in OCSP update mode ..."
error message during init when the two lines are actually saying the
same thing since the default for 'ocsp-update' option is 'off'.

This patch can be backported up to branch 2.8.

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 5a79d13fad0ece9e43a5529a941d9791e2d07a87..eb1d17fe652cebcafb920c216adb234a0682cdf3 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1727,7 +1727,8 @@ int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_e
 
        if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
                if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-                   || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+                   || (entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_OFF &&
+                       store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
                        memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
                        err_code |= ERR_ALERT | ERR_FATAL;
                }