From: Remi Tricot-Le Breton Date: Tue, 20 Dec 2022 10:11:10 +0000 (+0100) Subject: MINOR: ssl: Add crt-list ocsp-update option X-Git-Tag: v2.8-dev1~87 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=03c5ffff8ed173b496156e8b3c6a1164918187a9;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add crt-list ocsp-update option This option will define how the ocsp update mechanism behaves. The option can either be set to 'on' or 'off' and can only be specified in a crt-list entry so that we ensure that it concerns a single certificate. The 'off' mode is the default one and corresponds to the old behavior (no automatic update). When the option is set to 'on', we will try to get an ocsp response whenever an ocsp uri can be found in the frontend's certificate. The only limitation of this mode is that the certificate's issuer will have to be known in order for the OCSP certid to be built. This patch only adds the parsing of the option. The full functionality will come in a later commit.
---
diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index e32190d463..c3bc45c2c1 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -146,6 +146,7 @@ struct ssl_bind_conf {
 unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
 unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
 unsigned int early_data:1; /* early data allowed */
+ unsigned int ocsp_update:2;/* enable OCSP auto update */
 char *ca_file; /* CAfile to use on verify and ca-names */
 char *ca_verify_file; /* CAverify file to use on verify only */
 char *crl_file; /* CRLfile to use on verify */
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index 278c8f7e88..f7a96ba5cd 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
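Review bot: The comment on the new `ocsp_update:2` member of `struct ssl_bind_conf`, `/* enable OCSP auto update */`, reads as a boolean flag, while the field is meant to hold the three-valued `SSL_SOCK_OCSP_UPDATE_DFLT/OFF/ON` enum this same commit introduces in ssl_sock-t.h, so a reader of the header alone cannot tell which values are valid or that 0 means "not set" rather than "disabled". Suggest `unsigned int ocsp_update:2;/* OCSP auto update mode (SSL_SOCK_OCSP_UPDATE_*) */`. Two bits do hold all three enumerators, so the width itself is fine. The struct definition starts and ends outside the hunk.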
@@ -103,6 +103,13 @@ enum {
 SSL_SOCK_VERIFY_NONE = 3,
 };
 
+/* bind ocsp update mode */
+enum {
+ SSL_SOCK_OCSP_UPDATE_DFLT = 0,
+ SSL_SOCK_OCSP_UPDATE_OFF = 1,
+ SSL_SOCK_OCSP_UPDATE_ON = 2,
+};
+
 /* states of the CLI IO handler for 'set ssl cert' */
 enum {
 SETCERT_ST_INIT = 0,
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index d9e93e4407..ed9765c241 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -603,6 +603,7 @@ static int ssl_parse_global_extra_noext(char **args, int section_type, struct pr
 return 0;
 }
 
+
 /***************************** Bind keyword Parsing ********************************************/
 
 /* for ca-file and ca-verify-file */
@@ -1335,6 +1336,28 @@ static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, st
 return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
+
+static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
+ struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
+{
+ if (!*args[cur_arg + 1]) {
+ memprintf(err, "'%s' : expecting ", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ if (strcmp(args[cur_arg + 1], "on") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
+ else if (strcmp(args[cur_arg + 1], "off") == 0)
+ ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
+ else {
+ memprintf(err, "'%s' : expecting ", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ return 0;
+}
+
+
 /***************************** "server" keywords Parsing ********************************************/
 
 /* parse the "npn" bind keyword */
@@ -1900,6 +1923,7 @@ struct ssl_bind_kw ssl_bind_kws[] = {
 { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 { "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
 { "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
+ { "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
 { NULL, NULL, 0 },
 };
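Review bot: `SSL_SOCK_OCSP_UPDATE_DFLT = 0` and `SSL_SOCK_OCSP_UPDATE_OFF = 1` are distinct enumerators even though the commit message says 'off' is the default, and nothing in the new enum explains the difference; the parser added in cfgparse-ssl.c only ever writes ON or OFF, so DFLT presumably means "not configured on this entry" and has to stay 0 so that a zeroed `ssl_bind_conf` lands on it. That intent should be written down so a later reader does not merge the two values or test `ocsp_update` as a boolean: suggest `SSL_SOCK_OCSP_UPDATE_DFLT = 0, /* not set explicitly; behaves as OFF */` and `SSL_SOCK_OCSP_UPDATE_OFF = 1, /* "ocsp-update off" */`, `SSL_SOCK_OCSP_UPDATE_ON = 2, /* "ocsp-update on" */`. The `/* bind ocsp update mode */` header could also say "crt-list" since the commit restricts the keyword to crt-list entries.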
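Review bot: Both failure paths in `ssl_bind_parse_ocsp_update` emit `'%s' : expecting ` with nothing after "expecting" (if an `<on|off>` hint was dropped when this page was rendered, disregard this part), so a misspelt value such as `ocsp-update yes` produces an alert that never names the accepted values. Since the two messages are identical, the final `else` branch alone can serve both cases with one line, `memprintf(err, "'%s' : expecting 'on' or 'off' but got '%s'", args[cur_arg], args[cur_arg + 1]);`, after which the leading `if (!*args[cur_arg + 1])` block is redundant because an empty argument already fails both `strcmp` calls. The function also lacks the one-line header comment its neighbours in this file carry; suggest `/* parse the "ocsp-update" crt-list keyword: "on" or "off" */`. `from_cli` is unused here, presumably because the `ssl_bind_kw` callback signature requires it.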