BUG/MINOR: ssl_ckch: Wrong OCSP CID after modifying an SSL certificate
This bug could be reproduced with the "set ssl cert" CLI command to update
a certificate. The OCSP CID is duplicated by ckchs_dup() which calls
ssl_sock_copy_cert_key_and_chain(). It should be computed again by
ssl_sock_load_ocsp(). This may be accomplished by resetting the new ckch OCSP CID
returned by ckchs_dup().

This bug may be in relation with GH #2319.

Must be backported to 2.8.
haproxyFred committed Dec 5, 2023
1 parent b10ead7 commit 9b8ed40
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/ssl_ckch.c
@@ -2421,6 +2421,13 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
goto end;
}

/* Reset the OCSP CID */
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
cert_ext->type == CERT_TYPE_ISSUER) {
OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
new_ckchs->data->ocsp_cid = NULL;
}

data = new_ckchs->data;

/* apply the change on the duplicate */
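Review bot: the OCSP_CERTID_free() on new_ckchs->data->ocsp_cid is only safe if ckchs_dup() / ssl_sock_copy_cert_key_and_chain() gives the duplicate its own copy of the CID rather than sharing the original ckchs pointer; the hunk does not show that, so it should be confirmed before merging, since with a shared pointer this free would leave the original certificate's ocsp_cid dangling. Freeing a NULL pointer is fine here (OPENSSL's *_free() functions accept NULL), so no extra check is needed for a ckch that never had a CID. Two smaller points: the comment `/* Reset the OCSP CID */` should say why (so that ssl_sock_load_ocsp() recomputes it from the updated cert and issuer, as the commit message explains), and since `data = new_ckchs->data;` is assigned right after the block, moving the reset below that line would let it use `data->ocsp_cid` like the surrounding code.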