kozorizki/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG/MINOR: ssl: Wrong ocsp-update "incompatibility" error message

Browse Source 
In a crt-list such as the following:
    foo.pem [ocsp-update off] foo.com
    foo.pem bar.com
we would get a wrong "Incompatibilities found in OCSP update mode ..."
error message during init when the two lines are actually saying the
same thing since the default for 'ocsp-update' option is 'off'.

This patch can be backported up to branch 2.8.
This commit is contained in:
Remi Tricot-Le Breton 2024-03-25 16:50:23 +01:00 committed by William Lallemand
parent 9cf3d1fcc0
commit 97c2734f44
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/ssl_ocsp.c
View File

@ -1727,7 +1727,8 @@ int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_e
if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
|| (entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_OFF &&
store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
err_code |= ERR_ALERT | ERR_FATAL;
}