MINOR: ssl: Add crt-list ocsp-update option

This option will define how the ocsp update mechanism behaves. The
option can either be set to 'on' or 'off' and can only be specified in a
crt-list entry so that we ensure that it concerns a single certificate.
The 'off' mode is the default one and corresponds to the old behavior
(no automatic update).
When the option is set to 'on', we will try to get an ocsp response
whenever an ocsp uri can be found in the frontend's certificate. The
only limitation of this mode is that the certificate's issuer will have
to be known in order for the OCSP certid to be built.

This patch only adds the parsing of the option. The full functionality
will come in a later commit.
Remi Tricot-Le Breton 2022-12-20 11:11:10 +01:00 committed by William Lallemand
parent bdd3c79568
commit 03c5ffff8e
3 changed files with 32 additions and 0 deletions


@ -146,6 +146,7 @@ struct ssl_bind_conf {
unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */
unsigned int ocsp_update:2;/* enable OCSP auto update */
char *ca_file; /* CAfile to use on verify and ca-names */
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */
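Review bot: The comment on the new `ocsp_update:2` bitfield does not say which values it holds, nor that 0 (`SSL_SOCK_OCSP_UPDATE_DFLT`) means "not set" as opposed to the explicit `SSL_SOCK_OCSP_UPDATE_OFF`; "enable OCSP auto update" reads like a boolean and the three-state encoding is only visible in the enum added in the other file. Suggest `unsigned int ocsp_update:2; /* SSL_SOCK_OCSP_UPDATE_* (DFLT = not set, i.e. no auto update) */`, which matches the description's statement that off is the default. The 2-bit width leaves one value (3) unused; if nothing is meant to go there, a short remark on that is worth adding so a future enumerator is not silently truncated. The `struct ssl_bind_conf` definition starts and ends outside this hunk.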


@ -103,6 +103,13 @@ enum {
SSL_SOCK_VERIFY_NONE = 3,
};
/* bind ocsp update mode */
enum {
SSL_SOCK_OCSP_UPDATE_DFLT = 0,
SSL_SOCK_OCSP_UPDATE_OFF = 1,
SSL_SOCK_OCSP_UPDATE_ON = 2,
};
/* states of the CLI IO handler for 'set ssl cert' */
enum {
SETCERT_ST_INIT = 0,


@ -603,6 +603,7 @@ static int ssl_parse_global_extra_noext(char **args, int section_type, struct pr
return 0;
}
/***************************** Bind keyword Parsing ********************************************/
/* for ca-file and ca-verify-file */
@ -1335,6 +1336,28 @@ static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, st
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
{
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (strcmp(args[cur_arg + 1], "on") == 0)
ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
else if (strcmp(args[cur_arg + 1], "off") == 0)
ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
else {
memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
return 0;
}
/***************************** "server" keywords Parsing ********************************************/
/* parse the "npn" bind keyword */
@ -1900,6 +1923,7 @@ struct ssl_bind_kw ssl_bind_kws[] = {
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
{ "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
{ NULL, NULL, 0 },
};
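Review bot: `ssl_bind_parse_ocsp_update` has no header comment and silently ignores its `from_cli` parameter, while the neighbouring parsers in this file carry a one-line `/* parse the "npn" bind keyword */` style header and the description says this keyword is only valid in a crt-list entry. Suggest adding above the definition `/* parse the "ocsp-update" crt-list keyword: sets ssl_conf->ocsp_update to SSL_SOCK_OCSP_UPDATE_ON or _OFF, anything else is a fatal error; from_cli is unused */`. Nothing in the hunk rejects the keyword outside a crt-list; this presumably rests on it being registered only in `ssl_bind_kws` (the `"ocsp-update"` entry) with no `bind_kws` wrapper like `bind_parse_no_ca_names`, and if that is the mechanism a comment saying so next to the table entry would keep a later maintainer from adding a bind-line wrapper by analogy. As a style point, the two identical `memprintf(err, "'%s' : expecting <on|off>", ...)` paths could collapse into one by treating a missing argument like an unrecognised one.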