From: Remi Tricot-Le Breton Date: Mon, 25 Mar 2024 15:50:23 +0000 (+0100) Subject: BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message X-Git-Tag: v3.0-dev7~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97c2734f44fa89d59a61f66955966f9381b4ae8b;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message In a crt-list such as the following: foo.pem [ocsp-update off] foo.com foo.pem bar.com we would get a wrong "Incompatibilities found in OCSP update mode ..." error message during init when the two lines are actually saying the same thing since the default for 'ocsp-update' option is 'off'. This patch can be backported up to branch 2.8. --- diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 5a79d13fad..eb1d17fe65 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -1727,7 +1727,8 @@ int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_e if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) { if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) - || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) { + || (entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_OFF && + store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) { memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path); err_code |= ERR_ALERT | ERR_FATAL; }
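Review bot: the new `entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_OFF` guard in the second disjunct does more than equate an explicit `off` with the default: it skips the comparison entirely whenever a crt-list entry says `off`, so a store whose `ocsp_update_mode` is already `SSL_SOCK_OCSP_UPDATE_ON` (from an earlier `[ocsp-update on]` line for the same certificate) paired with a later `[ocsp-update off]` line no longer triggers the "Incompatibilities found" error, although those two lines do disagree. A narrower fix is to normalise the store side rather than bypass the check, e.g. treat `SSL_SOCK_OCSP_UPDATE_DFLT` on `store->data->ocsp_update_mode` as `SSL_SOCK_OCSP_UPDATE_OFF` before the `!=` comparison, so `off` versus default passes while `on` versus `off` is still reported. Either way, a short comment above the condition stating that the default mode is `off` and is therefore compatible with an explicit `off` would make the intent of the three-clause condition clear to the next reader, since nothing in the visible code says why `OFF` is special.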