Merging upstream version 2.9.7.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 12:20:30 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 12:20:30 +0000
commit: 83b327169ee372115441eea6df825165573a0aa0 (patch)
tree: bc65883721c11623acb6dbb36b3c515c6cc6ec8f /src/ssl_sock.c
parent: Adding debian version 2.9.6-1. (diff)
download: haproxy-83b327169ee372115441eea6df825165573a0aa0.tar.xz
haproxy-83b327169ee372115441eea6df825165573a0aa0.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c7403b8..96d826e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4136,6 +4136,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
 		 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+
+		 /* This certificate has an 'ocsp-update' already set in a
+		  * previous crt-list so we must raise an error. */
+		 if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+			 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
+			 cfgerr |= ERR_ALERT | ERR_FATAL;
+		 }
+
 		 found++;
 	} else if (stat(path, &buf) == 0) {
 		found++;
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-13 12:20:30 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-13 12:20:30 +0000
commit	83b327169ee372115441eea6df825165573a0aa0 (patch)
tree	bc65883721c11623acb6dbb36b3c515c6cc6ec8f /src/ssl_sock.c
parent	Adding debian version 2.9.6-1. (diff)
download	haproxy-83b327169ee372115441eea6df825165573a0aa0.tar.xz haproxy-83b327169ee372115441eea6df825165573a0aa0.zip