Adding upstream version 2.9.7.upstream/2.9.7 upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 12:20:30 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-13 12:20:30 +0000
commit: ddfc40eabdbc59a607b568e946fb116dcd3439fd (patch)
tree: b3253de65399448dbbf12e5b65d2da56c53d3af6 /src/ssl_sock.c
parent: Adding upstream version 2.9.6. (diff)
download: haproxy-upstream.tar.xz
haproxy-upstream.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c7403b8..96d826e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4136,6 +4136,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
 	if ((ckchs = ckchs_lookup(path))) {
 		/* we found the ckchs in the tree, we can use it directly */
 		 cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+
+		 /* This certificate has an 'ocsp-update' already set in a
+		  * previous crt-list so we must raise an error. */
+		 if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+			 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
+			 cfgerr |= ERR_ALERT | ERR_FATAL;
+		 }
+
 		 found++;
 	} else if (stat(path, &buf) == 0) {
 		found++;
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-13 12:20:30 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-13 12:20:30 +0000
commit	ddfc40eabdbc59a607b568e946fb116dcd3439fd (patch)
tree	b3253de65399448dbbf12e5b65d2da56c53d3af6 /src/ssl_sock.c
parent	Adding upstream version 2.9.6. (diff)
download	haproxy-upstream.tar.xz haproxy-upstream.zip