summaryrefslogtreecommitdiffstats
path: root/src/ssl_sock.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:20:30 +0000
commitddfc40eabdbc59a607b568e946fb116dcd3439fd (patch)
treeb3253de65399448dbbf12e5b65d2da56c53d3af6 /src/ssl_sock.c
parentAdding upstream version 2.9.6. (diff)
downloadhaproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.tar.xz
haproxy-ddfc40eabdbc59a607b568e946fb116dcd3439fd.zip
Adding upstream version 2.9.7.upstream/2.9.7
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/ssl_sock.c')
-rw-r--r--src/ssl_sock.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c7403b8..96d826e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4136,6 +4136,14 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err)
if ((ckchs = ckchs_lookup(path))) {
/* we found the ckchs in the tree, we can use it directly */
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, &ckch_inst, err);
+
+ /* This certificate has an 'ocsp-update' already set in a
+ * previous crt-list so we must raise an error. */
+ if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+ memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err: "", path);
+ cfgerr |= ERR_ALERT | ERR_FATAL;
+ }
+
found++;
} else if (stat(path, &buf) == 0) {
found++;