RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-29 08:02:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate

Browse Source 
This bug could be reproduced with the "set ssl cert" CLI command to update
a certificate. The OCSP CID is duplicated by ckchs_dup() which calls
ssl_sock_copy_cert_key_and_chain(). It should be computed again by
ssl_sock_load_ocsp(). This may be accomplished resetting the new ckch OCSP CID
returned by ckchs_dup().

This bug may be in relation with GH #2319.

Must be backported to 2.8.
This commit is contained in:
Frédéric Lécaille 2023-12-05 15:38:29 +01:00 committed by William Lallemand
parent 456ba6e95f
commit 75f5977ff4
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_ckch.c
View File

@ -2424,6 +2424,13 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
goto end;
}
/* Reset the OCSP CID */
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
cert_ext->type == CERT_TYPE_ISSUER) {
OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
new_ckchs->data->ocsp_cid = NULL;
}
data = new_ckchs->data;
/* apply the change on the duplicate */