BUG/MINOR: ssl_ckch: Wrong OCSP CID after modifying an SSL certficate

This bug could be reproduced with the "set ssl cert" CLI command to update a certificate. The OCSP CID is duplicated by ckchs_dup() which calls ssl_sock_copy_cert_key_and_chain(). It should be computed again by ssl_sock_load_ocsp(). This may be accomplished resetting the new ckch OCSP CID returned by ckchs_dup(). This bug may be in relation with GH #2319. Must be backported to 2.8.
haproxytech · Dec 6, 2023 · 29583ba · 29583ba · wlallemand · Dec 6, 2023
1 parent 4cc02bb
commit 29583ba
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
@@ -2424,6 +2424,13 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 		goto end;
 	}
 
+	/* Reset the OCSP CID */
+	if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
+	    cert_ext->type == CERT_TYPE_ISSUER) {
+		OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
+		new_ckchs->data->ocsp_cid = NULL;
+	}
+
 	data = new_ckchs->data;
 
 	/* apply the change on the duplicate */