MINOR: ssl: Add payload support to "set ssl ocsp-response"

It is now possible to use a payload with the "set ssl ocsp-response" command. These syntaxes will work the same way: # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \ socat /tmp/sock1 - # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \ socat /tmp/sock1 - Signed-off-by: Aur�lien Nephtali <aurelien.nephtali@corp.ovh.com>
2025-02-19 12:16:59 +00:00 · 2018-04-18 14:04:58 +02:00 · 2018-04-18 14:04:58 +02:00 · 1e0867cfbc
commit 1e0867cfbc
parent 25650ce513
2 changed files with 19 additions and 3 deletions
--- a/doc/management.txt
+++ b/doc/management.txt
@ -1712,7 +1712,7 @@ set severity-output [ none | number | string ]
  Change the severity output format of the stats socket connected to for the
  duration of the current session.

-set ssl ocsp-response <response>
+set ssl ocsp-response <response | payload>
  This command is used to update an OCSP Response for a certificate (see "crt"
  on "bind" lines). Same controls are performed as during the initial loading of
  the response. The <response> must be passed as a base64 encoded string of the
@ -1725,6 +1725,10 @@ set ssl ocsp-response <response>
    echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
                 socat stdio /var/run/haproxy.stat

+    using the payload syntax:
+    echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
+                 socat stdio /var/run/haproxy.stat
+
 set ssl tls-key <id> <tlskey>
  Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
  ultimate key, while the penultimate one is used for encryption (others just
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -8565,16 +8565,28 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 {
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 	char *err = NULL;
+	int i, j;
+
+	if (!payload)
+		payload = args[3];

 	/* Expect one parameter: the new response in base64 encoding */
-	if (!*args[3]) {
+	if (!*payload) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
 		appctx->st0 = CLI_ST_PRINT;
 		return 1;
 	}

-	trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
+	/* remove \r and \n from the payload */
+	for (i = 0, j = 0; payload[i]; i++) {
+		if (payload[i] == '\r' || payload[i] == '\n')
+			continue;
+		payload[j++] = payload[i];
+	}
+	payload[j] = 0;
+
+	trash.len = base64dec(payload, j, trash.str, trash.size);
 	if (trash.len < 0) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";