RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-14 23:44:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file

Browse Source 
Invalid OCSP file (for example empty one that can be used to enable
OCSP response to be set dynamically later) causes errors that are
placed on OpenSSL error stack. Those errors are not cleared so
anything that checks this stack later will fail.

Following configuration:
  bind :443 ssl crt crt1.pem crt crt2.pem

With following files:
  crt1.pem
  crt1.pem.ocsp - empty one
  crt2.pem.rsa
  crt2.pem.ecdsa

Will fail to load.

This patch should be backported to 1.7.
This commit is contained in:
Janusz Dziemidowicz 2017-03-08 16:59:41 +01:00 committed by Willy Tarreau
parent de7dc88c51
commit 8d7104982e
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/ssl_sock.c
View File

@ -478,6 +478,8 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
ret = 0; ret = 0;
out: out:
ERR_clear_error();
if (bs) if (bs)
OCSP_BASICRESP_free(bs); OCSP_BASICRESP_free(bs);