MEDIUM: ssl: Start update task if at least one ocsp-update option is set to on

This patch effectively enables the ocsp auto update mechanism. If a least one ocsp-update option is enabled in a crt-list, then the ocsp auto update task is created. It will look into the dedicated ocsp update tree for the next update to be updated, use the http_client to send the ocsp request to the proper responder, validate the received ocsp response and update the ocsp response tree before finally reinserting the entry in the ocsp update tree (with a next update time set to now+1H). The main task will then sleep until another entry needs to be updated. The task gets scheduled after config check in order to avoid trying to update ocsp responses while configuration is still being parsed (and certificates and actual ocsp responses are loaded).
2025-04-24 12:06:57 +00:00 · 2022-12-20 11:11:14 +01:00 · 2022-12-20 11:11:14 +01:00 · aff827785e
commit aff827785e
parent 6477bbd78d
2 changed files with 16 additions and 0 deletions
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@ -1354,6 +1354,13 @@ static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px
 		return ERR_ALERT | ERR_FATAL;
 	}

+	if (ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) {
+		/* We might need to create the main ocsp update task */
+		int ret = ssl_create_ocsp_update_task(err);
+		if (ret)
+			return ret;
+	}
+
 	return 0;
 }

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1363,6 +1363,15 @@ int ssl_create_ocsp_update_task(char **err)
 	return 0;
 }

+static int ssl_ocsp_task_schedule()
+{
+	if (ocsp_update_task)
+		task_schedule(ocsp_update_task, now_ms);
+
+	return 0;
+}
+REGISTER_POST_CHECK(ssl_ocsp_task_schedule);
+
 static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp);

 static void ssl_destroy_ocsp_update_task(void)