git.ipfire.org Git - thirdparty/haproxy.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Thu, 21 May 2026 13:18:06 +0000 (15:18 +0200)
committer	Willy Tarreau <w@1wt.eu>
	Thu, 21 May 2026 13:43:49 +0000 (15:43 +0200)
commit	e2c3cd9eb714e3635b34d3ce99ff784adbc6f30a
tree	be14e461147fac6ef65fea0e4d076a0e93947d97	tree \| snapshot
parent	6717531053bd69a206f52ff24ec5e2f66371d774	commit \| diff

BUG/MINOR: ocsp: Manage date too far away in the future

The check on the OCSP response expire time is based on the "Next Update"
field of the response, converted by my_timegm function that returns a
time_t (signed long). It is then stored in the 'expire' field of the
certificate_ocsp structure which is typed as a signed long.
When loading an OCSP response, if the "Next Update" time is too far in
the future and we are running on a 32 bits machine, we might end up with
negative times ireturned by my_timegm, which make the comparison with
the current date fail and raises the "OCSP single response: no longer
valid." error message.

This problem typically happens in the ocsp_auto_update.vtc regtest since
the loaded OCSP response have a "Next Update" field in 2050.

This patch simply changes the type of the expire field to an unsigned
long since the 'my_timegm' function does not return '-1' in case of
error, contrary to the standard 'timegm' one.

Ths patch can be backported to all stable branches.

include/haproxy/ssl_ocsp-t.h		diff \| blob \| blame \| history
src/ssl_ocsp.c		diff \| blob \| blame \| history