BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX

If multiple SSL_CTXs use the same certificate that has an OCSP response
file on the filesystem, only the first one will have the OCSP callback
set. This bug was introduced by "cc346678d MEDIUM: ssl: Add ocsp_certid
in ckch structure and discard ocsp buffer early" which cleared the
ocsp_response from the ckch_data after it was inserted in the tree,
which prevented subsequent contexts from having the callback registered.

This patch should be backported to 2.8.
Remi Tricot-Le Breton 2023-07-21 17:21:15 +02:00 committed by William Lallemand
parent 80cef0c02d
commit adb96fd9ff


@ -1132,7 +1132,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
/* In case of ocsp update mode set to 'on', this function might be
* called with no known ocsp response. If no ocsp uri can be found in
* the certificate, nothing needs to be done here. */
if (!data->ocsp_response) {
if (!data->ocsp_response && !data->ocsp_cid) {
if (data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_ON || b_data(ocsp_uri) == 0) {
ret = 0;
goto out;
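Review bot: the comment directly above the changed condition still describes only the "no known ocsp response" case, but after this hunk the early return is also skipped when data->ocsp_response is NULL while data->ocsp_cid is set, i.e. the response buffer was already discarded after insertion in the tree for a previous SSL_CTX. Please extend the comment to state that second case so the intent of the `&& !data->ocsp_cid` clause is visible at the call site, and double-check that the code following this early return (not shown in the hunk) never dereferences data->ocsp_response when it is NULL and ocsp_cid is the only thing available, since this change is what now lets that combination fall through to the callback registration.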