MINOR: ssl: Add payload support to "set ssl ocsp-response"
It is now possible to use a payload with the "set ssl ocsp-response"
command. These syntaxes will work the same way:
    # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \
        socat /tmp/sock1 -
    # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \
        socat /tmp/sock1 -
Signed-off-by: Aurélien Nephtali <aurelien.nephtali@corp.ovh.com>
diff --git a/doc/management.txt b/doc/management.txt
index c0c3f48..a2e8d8f 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1712,7 +1712,7 @@
Change the severity output format of the stats socket connected to for the
duration of the current session.
-set ssl ocsp-response <response>
+set ssl ocsp-response <response | payload>
This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the
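Review bot: the synopsis line now advertises `<response | payload>`, but the description that follows still only says "The <response> must be passed as a base64 encoded string", so a reader has to infer the payload form from the example further down. Suggest adding one sentence here stating that the response may alternatively be supplied as a payload (the `<<` syntax), and that line breaks inside such a payload are accepted, since the code change in src/ssl_sock.c strips CR and LF before decoding.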
@@ -1725,6 +1725,10 @@
echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
socat stdio /var/run/haproxy.stat
+ using the payload syntax:
+ echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
+ socat stdio /var/run/haproxy.stat
+
set ssl tls-key <id> <tlskey>
Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
ultimate key, while the penultimate one is used for encryption (others just
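Review bot: the added example relies on `echo -e` to turn `\n` into newlines, which is not portable (some /bin/sh builtins print `-e` literally, others interpret escapes without it), whereas the existing example right above avoids escapes entirely. Suggest `printf 'set ssl ocsp-response <<\n%s\n\n' "$(base64 resp.der)" | socat stdio /var/run/haproxy.stat` or similar, and a short sentence on what terminates the payload, because the trailing `\n` in the example is doing that job silently.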
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 70bf660..db9d4c1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -8565,16 +8565,28 @@
{
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
char *err = NULL;
+ int i, j;
+
+ if (!payload)
+ payload = args[3];
/* Expect one parameter: the new response in base64 encoding */
- if (!*args[3]) {
+ if (!*payload) {
appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
appctx->st0 = CLI_ST_PRINT;
return 1;
}
+
+ /* remove \r and \n from the payload */
+ for (i = 0, j = 0; payload[i]; i++) {
+ if (payload[i] == '\r' || payload[i] == '\n')
+ continue;
+ payload[j++] = payload[i];
+ }
+ payload[j] = 0;
- trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
+ trash.len = base64dec(payload, j, trash.str, trash.size);
if (trash.len < 0) {
appctx->ctx.cli.severity = LOG_ERR;
appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";
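Review bot: the empty-input check `if (!*payload)` runs before the CR/LF stripping loop, so a payload consisting only of blank lines passes it and reaches `base64dec(payload, j, ...)` with `j == 0`; the "expects response in base64 encoding" error is then never reported for that case. Suggest moving the check after the loop (testing `j`) or adding `if (!j)` before the decode. Two smaller points: the comment "Expect one parameter: the new response in base64 encoding" is now stale since the response may arrive as a payload rather than as `args[3]`, and the in-place compaction is fine (the write index `j` never runs ahead of the read index `i`), but it does modify the caller's buffer when `payload` was defaulted to `args[3]`, which is worth a one-line comment.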