diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index 6409309bb..c9b410a9d 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -24,6 +24,8 @@
 #ifdef USE_OPENSSL
 #include
+#include
+#include
 #include
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
@@ -50,6 +52,8 @@ void ssl_destroy_ocsp_update_task(void);
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
+
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
 #endif /* USE_OPENSSL */
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 31428d63b..2675703a4 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -618,13 +619,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry_dup->node.key = ckchs;
 entry_dup->crtlist = newlist;
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
- if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT | ERR_FATAL;
- }
- }
+
+ cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+ if (cfgerr & ERR_FATAL)
+ goto error;
+
 if (entry->ssl_conf)
 ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 ebpt_insert(&newlist->entries, &entry_dup->node);
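Review bot: The new `if (cfgerr & ERR_FATAL) goto error;` in the crtlist_parse_file hunk at line 618 tests the accumulated cfgerr rather than the value the helper just returned, so if an earlier line of the crt-list already left ERR_FATAL in cfgerr without jumping, parsing now aborts here even when this entry's consistency check passed. Testing the return value keeps the two apart: `int ret = ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err); cfgerr |= ret; if (ret & ERR_FATAL) goto error;`. Note also that entry_dup has been allocated and filled but not yet inserted into newlist when the jump is taken, so unless the error label releases it, a rejected line leaks that entry; the removed code recorded the error and continued, so the hunk also changes the behaviour from reporting every inconsistent line to stopping at the first one. The second crtlist_parse_file hunk at line 650 has the same pattern with `entry`. The body of crtlist_parse_file and its error label lie outside both hunks, so whether the label frees the entry cannot be confirmed from here.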
@@ -650,13 +649,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 } else {
 entry->node.key = ckchs;
 entry->crtlist = newlist;
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
- if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT | ERR_FATAL;
- }
- }
+
+ cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+ if (cfgerr & ERR_FATAL)
+ goto error;
+
 if (entry->ssl_conf)
 ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 ebpt_insert(&newlist->entries, &entry->node);
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 1271f6e40..99edfc875 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1668,6 +1668,20 @@ yield:
 #endif
 }
+/* Check if the ckch_store and the entry does have the same configuration */
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
+{
+ int err_code = ERR_NONE;
+
+ if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+ if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+ || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+ memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+ }
+ return err_code;
+}
 static struct cli_kw_list cli_kws = {{ },{
 { { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
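Review bot: The header comment on ocsp_update_check_cfg_consistency in the ssl_ocsp.c hunk says neither what the function returns nor that it appends to *err, which callers need since they OR the result into cfgerr; it should state that the store's ocsp_update_mode is compared with the mode requested by the crt-list entry (an entry without ssl_conf is only rejected when the store mode is SSL_SOCK_OCSP_UPDATE_ON, an entry with ssl_conf must match the store mode exactly), that it returns ERR_NONE when consistent and ERR_ALERT|ERR_FATAL otherwise, and that in the latter case a message naming crt_path is appended to *err via memprintf, fixing "does have" while at it. Since crt_path is only ever passed as a "%s" argument, `const char *crt_path` would be the more accurate signature here and in the ssl_ocsp.h prototype. The prototype added in ssl_ocsp.h sits inside the `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !OPENSSL_NO_OCSP` guard; it is not visible from this hunk whether the definition is under the same guard, which is worth confirming so that builds without OCSP support do not compile a definition without a prior prototype.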