From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Thu, 12 Jan 2023 08:49:08 +0000 (+0100)
Subject: BUG/MINOR: ssl: OCSP minimum update threshold not properly set
X-Git-Tag: v2.8-dev2~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdd84c5ffb66a772a1713668889f25ce9d3a29d0;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: OCSP minimum update threshold not properly set

An arbitrary 5 minutes minimum interval between two updates of the same
OCSP response is defined but it was not properly used when inserting
entries in the update tree.

This patch does not need to be backported.
---

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 017f018373..53afaae868 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -869,7 +869,8 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 	 * updated more than once every 5 minutes in order to avoid continuous
 	 * update of the same response. */
 	if (b_data(&ocsp->response))
-		ocsp->next_update.key = MAX(ocsp->next_update.key, SSL_OCSP_UPDATE_DELAY_MIN);
+		ocsp->next_update.key = MAX(ocsp->next_update.key,
+                                            now.tv_sec + SSL_OCSP_UPDATE_DELAY_MIN);
 
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 	eb64_insert(&ocsp_update_tree, &ocsp->next_update);