From: Frédéric Lécaille <flecaille@haproxy.com>
Date: Wed, 6 Dec 2023 10:42:42 +0000 (+0100)
Subject: BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)
X-Git-Tag: v3.0-dev1~121
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=917f7c74d3d30a3f7ac77fd6ea69cfcd529e53a9;p=thirdparty%2Fhaproxy.git

BUG/MINOR: lua: Wrong OCSP CID after modifying an SSL certficate (LUA)

This bugfix is the same as the following one:
    "BUG/MINOR: ssl_ckch: Wrong OCSP CID after modifying an SSL certficate"
where the OCSP CID had to be reset when updating a certificate.

Must be backported to 2.8.
---

diff --git a/src/hlua.c b/src/hlua.c
index 2b4a98318a..8902157748 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -12911,6 +12911,13 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 			goto end;
 		}
 
+		/* Reset the OCSP CID */
+		if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
+		    cert_ext->type == CERT_TYPE_ISSUER) {
+			OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
+			new_ckchs->data->ocsp_cid = NULL;
+		}
+
 		/* apply the change on the duplicate */
 		if (cert_ext->load(filename, payload, data, &err) != 0) {
 			memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);