From: William Lallemand
Date: Tue, 31 Mar 2026 09:35:46 +0000 (+0200)
Subject: BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level
X-Git-Tag: v3.4-dev8~80
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d47415624b19bd093a7778ba7aea90cd9e813f9d;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level

This commit adds an ha_warning() when OCSP commands are accessed without admin level. This is to warn users that these commands will be restricted to admin only in HAProxy 3.3.

Must be backported in every stable branches.

Initially reported by Cameron Brown.
---

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index fec67105d..eeb8f4135 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1510,6 +1510,9 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 unsigned char *p;
 
+ if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+ ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 if (!*args[3]) {
 memprintf(&err, "'update ssl ocsp-response' expects a filename\n");
 return cli_dynerr(appctx, err);
@@ -1590,6 +1593,9 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 char *err = NULL;
 int i, j, ret;
 
+ if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+ ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 if (!payload)
 payload = args[3];
 
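Review bot: The admin-level check and its warning string are pasted verbatim into cli_parse_update_ocsp_response here and again into the three parsers of the following hunks (cli_parse_set_ocspresponse, cli_parse_show_ocspresponse and cli_parse_show_ocsp_updates), so any change to the wording, the version named in it, or the later switch from warning to refusal has to be made in four places; a small static helper taking `appctx` and `args` keeps them in step. The string announces that non-admin access ends in HAProxy 3.3, while X-Git-Tag places this commit on the v3.4-dev line, so the release named in the message is worth confirming before the backports. Because ha_warning() writes to the daemon log and not to the CLI response, the client on the non-admin socket never sees the notice, and that log line is also the only record that a privileged OCSP command was issued from a socket below admin level, which the helper's comment should state. cli_parse_update_ocsp_response starts before this hunk and continues after it.
```c
/* Log a deprecation warning when an OCSP CLI command is run from a socket
 * below admin level. The command still executes; the daemon log is the only
 * place the notice, and the non-admin use itself, is recorded. args[0..2]
 * are expected to be the three keyword words matched by the CLI parser. */
static inline void ocsp_cli_warn_non_admin(struct appctx *appctx, char **args)
{
	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n",
		           args[0], args[1], args[2]);
}

/* … unchanged: declarations of key and p in cli_parse_update_ocsp_response … */
	ocsp_cli_warn_non_admin(appctx, args);

	if (!*args[3]) {
```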
@@ -1630,10 +1636,12 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private) { #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) - struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx)); int arg_idx = 3; + if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN) + ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]); + if (*args[3]) { struct certificate_ocsp *ocsp = NULL; char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {}; @@ -1817,6 +1825,9 @@ static int cli_parse_show_ocsp_updates(char **args, char *payload, struct appctx #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) struct show_ocsp_updates_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx)); + if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN) + ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]); + HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock); return 0;
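Review bot: The removal of `struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));` from cli_parse_show_ocspresponse is not covered by the commit message, which only describes adding warnings, and since the function continues past this hunk it cannot be seen here whether `ctx` is still referenced further down or whether the reservation was simply unused. If it was dead code, one sentence in the message saying so would tell backporters that this line is independent of the warning and can be carried or dropped on its own in older branches. The admin-level check added here and in the last hunk (cli_parse_show_ocsp_updates) is the same copy discussed on the first hunk.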