unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */
+ unsigned int ocsp_update:2;/* enable OCSP auto update */
char *ca_file; /* CAfile to use on verify and ca-names */
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */
SSL_SOCK_VERIFY_NONE = 3,
};
+/* bind ocsp update mode */
+enum {
+ SSL_SOCK_OCSP_UPDATE_DFLT = 0,
+ SSL_SOCK_OCSP_UPDATE_OFF = 1,
+ SSL_SOCK_OCSP_UPDATE_ON = 2,
+};
+
/* states of the CLI IO handler for 'set ssl cert' */
enum {
SETCERT_ST_INIT = 0,
return 0;
}
+
/***************************** Bind keyword Parsing ********************************************/
/* for ca-file and ca-verify-file */
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
+
+static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
+ struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
+{
+ if (!*args[cur_arg + 1]) {
+ memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ if (strcmp(args[cur_arg + 1], "on") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
+ else if (strcmp(args[cur_arg + 1], "off") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
+ else {
+ memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ return 0;
+}
+
+
/***************************** "server" keywords Parsing ********************************************/
/* parse the "npn" bind keyword */
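Review bot: ssl_bind_parse_ocsp_update has no header comment, while every neighbouring parser in this file carries one in the form `/* parse the "npn" bind keyword */`; add `/* parse the "ocsp-update" bind keyword: accepts "on" or "off" and stores SSL_SOCK_OCSP_UPDATE_ON/OFF in ssl_conf->ocsp_update; any other value is a fatal config error */` above the definition. The empty-argument test and the final `else` produce the identical message, and `strcmp("", "on")` already fails, so the first `if` block can be dropped and the `else` branch alone covers both cases. The field is declared `unsigned int ocsp_update:2`, which holds the three enum values exactly; a comment on the enum (`/* values must fit the 2-bit ocsp_update bit-field in ssl_bind_conf */`) would stop a future fourth mode from being silently truncated. Whether a bind line without the keyword really behaves as SSL_SOCK_OCSP_UPDATE_DFLT depends on ssl_bind_conf being zero-initialised, which this diff does not show, and the hunk's header and trailing context lie outside this view.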
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
+ { "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
{ NULL, NULL, 0 },
};