diff --git a/include/haproxy/listener-t.h b/include/haproxy/listener-t.h
index 5b41fbd52..b9a8447cb 100644
--- a/include/haproxy/listener-t.h
+++ b/include/haproxy/listener-t.h
@@ -139,7 +139,6 @@ struct ssl_bind_conf {
 unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
 unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
 unsigned int early_data:1; /* early data allowed */
- unsigned int ocsp_update:2;/* enable OCSP auto update */
 char *ca_file; /* CAfile to use on verify and ca-names */
 char *ca_verify_file; /* CAverify file to use on verify only */
 char *crl_file; /* CRLfile to use on verify */
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index cb945ff27..d7eecf128 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -55,7 +55,6 @@ struct ckch_data {
 struct buffer *ocsp_response;
 X509 *ocsp_issuer;
 OCSP_CERTID *ocsp_cid;
- int ocsp_update_mode;
 };
 
 /* configuration for the ckch_store */
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index 8a4197cf3..449530bc1 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -55,7 +55,6 @@ void ssl_destroy_ocsp_update_task(void);
 
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 
-int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
 
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
 
diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc
index 05cfd82c6..11524e481 100644
--- a/reg-tests/ssl/ocsp_auto_update.vtc
+++ b/reg-tests/ssl/ocsp_auto_update.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=slow
+#REGTEST_TYPE=broken
 
 # reg-test is around ~2.5s
 # broken with BoringSSL.
diff --git a/reg-tests/ssl/ocsp_compat_check.vtc b/reg-tests/ssl/ocsp_compat_check.vtc
index d45f1ef9e..ec19d6c87 100644
--- a/reg-tests/ssl/ocsp_compat_check.vtc
+++ b/reg-tests/ssl/ocsp_compat_check.vtc
@@ -1,4 +1,4 @@
-#REGTEST_TYPE=devel
+#REGTEST_TYPE=broken
 
 # broken with BoringSSL.
 #
diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c
index d57fa8ebc..b3bba8269 100644
--- a/src/cfgparse-ssl.c
+++ b/src/cfgparse-ssl.c
@@ -1473,35 +1473,6 @@ static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, st
 return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
 }
 
-
-static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
- struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
-{
- if (!*args[cur_arg + 1]) {
- memprintf(err, "'%s' : expecting ", args[cur_arg]);
- return ERR_ALERT | ERR_FATAL;
- }
-
- if (strcmp(args[cur_arg + 1], "on") == 0)
- ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
- else if (strcmp(args[cur_arg + 1], "off") == 0)
- ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
- else {
- memprintf(err, "'%s' : expecting ", args[cur_arg]);
- return ERR_ALERT | ERR_FATAL;
- }
-
- if (ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) {
- /* We might need to create the main ocsp update task */
- int ret = ssl_create_ocsp_update_task(err);
- if (ret)
- return ret;
- }
-
- return 0;
-}
-
-
 /***************************** "server" keywords Parsing ********************************************/
 
 /* parse the "npn" bind keyword */
@@ -2205,7 +2176,6 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
 { "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
 { "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
 { "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
- { "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
 { NULL, NULL, 0 },
 };
 
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index b7b881a01..f8b333313 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
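Review bot: Removing the `ocsp-update` entry from ssl_crtlist_kws (the second cfgparse-ssl.c hunk) without any replacement entry means a crt-list that still carries `ocsp-update on` will presumably be refused as an unknown keyword at startup, which is fail-closed but leaves the operator with no hint of where the setting moved. A stub entry whose parser only emits an explicit error keeps the failure loud and self-explaining, e.g. `memprintf(err, "'%s' : this crt-list keyword has been removed", args[cur_arg]); return ERR_ALERT | ERR_FATAL;` (constructed wording). The deleted parser in the first hunk was also the only place in this diff that called ssl_create_ocsp_update_task(); if no other path creates the task, auto update cannot start even once the mode is wired back in, so the commit should state where that responsibility now lives.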
@@ -356,8 +356,6 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
 goto end;
 }
 
- data->ocsp_update_mode = global_ssl.ocsp_update.mode;
-
 /* remove the ".crt" extension */
 if (global_ssl.extra_files_noext) {
 char *ext;
@@ -829,8 +827,6 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
 
 dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
 
- dst->ocsp_update_mode = src->ocsp_update_mode;
-
 return dst;
 
 error:
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index fc9bfb70e..29c969d4c 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -620,10 +620,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
 entry->node.key = ckchs;
 entry->crtlist = newlist;
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
 ebpt_insert(&newlist->entries, &entry->node);
 LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
@@ -680,14 +676,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
 entry_dup->node.key = ckchs;
 entry_dup->crtlist = newlist;
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
- if (cfgerr & ERR_FATAL)
- goto error;
-
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
 ebpt_insert(&newlist->entries, &entry_dup->node);
 LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
@@ -712,14 +700,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
 entry->node.key = ckchs;
 entry->crtlist = newlist;
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
- if (cfgerr & ERR_FATAL)
- goto error;
-
- if (entry->ssl_conf)
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
 ebpt_insert(&newlist->entries, &entry->node);
 LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
@@ -978,12 +958,7 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
 space++;
 }
 
- if (conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_DFLT) {
- if (space) chunk_appendf(buf, " ");
- chunk_appendf(buf, "ocsp-update %s",
- conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_OFF ? "off" : "on");
- space++;
- }
+ /* FIXME: dump crt-store keywords */
 
 chunk_appendf(buf, "]");
 
@@ -1388,18 +1363,6 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
 goto error;
 }
 
- /* No need to check 'ocsp-update' inconsistency on a store that is not
- * used yet (it was just added through the CLI for instance).
- */
- if (!LIST_ISEMPTY(&store->ckch_inst) &&
- ocsp_update_check_cfg_consistency(store, entry, cert_path, &err))
- goto error;
-
- if (entry->ssl_conf)
- store->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
- if (store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
- store->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
-
 /* check if it's possible to insert this new crtlist_entry */
 entry->node.key = store;
 inserted = ebpt_insert(&crtlist->entries, &entry->node);
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 0c399cb0f..04715e297 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
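Review bot: The replacement `/* FIXME: dump crt-store keywords */` in dump_crtlist_sslconf (the @@ -978 hunk) means the crt-list dump presumably served to `show ssl crt-list` no longer reflects any OCSP update mode, so an operator can no longer confirm from the CLI whether a certificate's stapled response is kept fresh; the FIXME should record that gap rather than only name the missing feature, e.g. `/* FIXME: 'ocsp-update' is no longer held in ssl_bind_conf and is not dumped here; emit the crt-store keywords once they exist */`. The function's start and end lie outside the hunk. The same observable gap applies to cli_parse_add_crtlist (the @@ -1388 hunk): a runtime `add ssl crt-list` no longer validates or records any OCSP update mode, which is consistent with the field removal but deserves a one-line comment at the removal site so the next reader does not search for a lost check.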
@@ -1707,39 +1707,6 @@ static void cli_release_show_ocspresponse(struct appctx *appctx)
 ssl_sock_free_ocsp_instance(ctx->ocsp);
 }
 
-/* Check if the ckch_store and the entry do have the same configuration. Also
- * ensure that those options are compatible with the global ocsp-update mode. */
-int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
-{
- int err_code = ERR_NONE;
- int incompat_found = 0;
-
- switch(store->data->ocsp_update_mode) {
- case SSL_SOCK_OCSP_UPDATE_DFLT:
- if (entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON &&
- global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON)
- incompat_found = 1;
- break;
- case SSL_SOCK_OCSP_UPDATE_OFF:
- if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) ||
- ((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON))
- incompat_found = 1;
- break;
- case SSL_SOCK_OCSP_UPDATE_ON:
- if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_ON) ||
- ((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON))
- incompat_found = 1;
- break;
- }
-
- if (incompat_found) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- err_code |= ERR_ALERT | ERR_FATAL;
- }
-
- return err_code;
-}
-
 struct show_ocsp_updates_ctx {
 struct certificate_ocsp *cur_ocsp;
 };
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 26cf3b88a..3b9563bc2 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1126,9 +1126,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 char *err = NULL;
 size_t path_len;
 int inc_refcount_store = 0;
- int enable_auto_update = (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON ||
- (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT &&
- global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON));
+ int enable_auto_update = 0;
 
 x = data->cert;
 if (!x)
@@ -1143,11 +1141,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 ret = 0;
 goto out;
 }
- } else {
- /* If we have an OCSP response provided and the ocsp auto update
- * enabled, we must raise an error if no OCSP URI was found. */
- if (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON && b_data(ocsp_uri) == 0)
- goto out;
 }
 
 issuer = data->ocsp_issuer;
@@ -3848,12 +3841,6 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default,
 /* we found the ckchs in the tree, we can use it directly */
 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
 
- /* The ckch_store might have been created through a crt-list
- * line so we must check that the ocsp-update modes are still
- * compatible between the global mode and the explicit one from
- * the crt-list. */
- cfgerr |= ocsp_update_check_cfg_consistency(ckchs, NULL, path, err);
-
 found++;
 } else if (stat(path, &buf) == 0) {
 found++;
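Review bot: `int enable_auto_update = 0;` in the first hunk turns the auto-update decision into a constant, so any `if (enable_auto_update)` branch later in ssl_sock_load_ocsp (the body continues outside the hunk) is now dead code and a stapled OCSP response is presumably loaded once and never refreshed, i.e. it goes stale at its nextUpdate with nothing to renew it. If this is a deliberate intermediate state until the crt-store keywords replace the removed field, say so at the declaration: `int enable_auto_update = 0; /* TODO: auto update is disabled until the crt-store keywords are wired in */`. The second hunk drops the matching "no OCSP URI" error and the third drops the cross-check in ssl_sock_load_cert, so nothing now rejects a configuration that relies on refresh; global_ssl.ocsp_update.mode is still referenced in the removed lines and, if it is still parsed from the configuration, is now accepted without any visible effect in this diff, which deserves at least a startup warning. The two reg-tests covering this path are tagged broken in the same commit, so the regression is also unguarded by CI.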