MINOR: ssl: Treat ocsp-update inconsistencies as fatal errors
If incompatibilities are found in a certificate's ocsp-update mode, we used
to raise a single alert; from now on this is considered a fatal error. This
is changed because, in case of incompatibilities, we would end up with
undefined behaviour: the ocsp response might or might not be updated
depending on the order in which the multiple ocsp-update options are
taken into account.
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index bf32de1..825f380 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -617,7 +617,7 @@
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (entry->ssl_conf)
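Review bot: The condition, the memprintf message and the new `cfgerr |= ERR_ALERT | ERR_FATAL;` are duplicated verbatim in this hunk and in the second hunk at line 649, so this policy change had to be made twice and the two copies can silently drift apart in a later edit. Consider moving the check into one small static helper that takes the entry, the store, the certificate path and `err`, returns the error flags, and is called from both places; the enclosing function starts and ends outside the hunk, so the exact placement is left to the author. Since the reason for escalating to fatal is only given in the commit message, a one-line comment above the check would help the next reader, e.g. `/* conflicting ocsp-update settings would make the update behaviour depend on option ordering, so reject the configuration */`. The message itself could also name the two conflicting modes so the operator can see which option to fix, though that needs the mode-to-string mapping which is not visible here.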
@@ -649,7 +649,7 @@
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT;
+ cfgerr |= ERR_ALERT | ERR_FATAL;
}
}
if (entry->ssl_conf)