mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-24 05:32:21 +00:00
MINOR: ssl: Store 'ocsp-update' mode in the ckch_data and check for inconsistencies
The 'ocsp-update' option is parsed at the same time as all the other bind line options but it does not actually have anything to do with the bind line since it concerns the frontend certificate instead. For that reason, we should have a mean to identify inconsistencies in the configuration and raise an error when a given certificate has two different ocsp-update modes specified in one or more crt-lists. The simplest way to do it is to store the ocsp update mode directly in the ckch and not only in the ssl_bind_conf.
This commit is contained in:
parent
03c5ffff8e
commit
fb2b9988e8
@ -55,6 +55,7 @@ struct ckch_data {
|
||||
struct buffer *ocsp_response;
|
||||
X509 *ocsp_issuer;
|
||||
OCSP_CERTID *ocsp_cid;
|
||||
int ocsp_update_mode;
|
||||
};
|
||||
|
||||
/*
|
||||
|
@ -563,6 +563,8 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
|
||||
|
||||
entry->node.key = ckchs;
|
||||
entry->crtlist = newlist;
|
||||
if (entry->ssl_conf)
|
||||
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
|
||||
ebpt_insert(&newlist->entries, &entry->node);
|
||||
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
|
||||
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
|
||||
@ -611,6 +613,14 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
|
||||
|
||||
entry_dup->node.key = ckchs;
|
||||
entry_dup->crtlist = newlist;
|
||||
if (entry->ssl_conf) {
|
||||
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
|
||||
ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
|
||||
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
|
||||
cfgerr |= ERR_ALERT;
|
||||
}
|
||||
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
|
||||
}
|
||||
ebpt_insert(&newlist->entries, &entry_dup->node);
|
||||
LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
|
||||
LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
|
||||
@ -634,6 +644,14 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
|
||||
} else {
|
||||
entry->node.key = ckchs;
|
||||
entry->crtlist = newlist;
|
||||
if (entry->ssl_conf) {
|
||||
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
|
||||
ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
|
||||
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
|
||||
cfgerr |= ERR_ALERT;
|
||||
}
|
||||
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
|
||||
}
|
||||
ebpt_insert(&newlist->entries, &entry->node);
|
||||
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
|
||||
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
|
||||
|
Loading…
Reference in New Issue
Block a user