From ddfc40eabdbc59a607b568e946fb116dcd3439fd Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 13 Apr 2024 14:20:30 +0200
Subject: Adding upstream version 2.9.7.
Signed-off-by: Daniel Baumann
---
 src/ssl_ocsp.c | 45 +++++++++++++++++++++++++++++++++------------
 1 file changed, 33 insertions(+), 12 deletions(-)
(limited to 'src/ssl_ocsp.c')
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 3e7408a..5b103af 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -843,7 +843,6 @@ static struct proxy *httpclient_ocsp_update_px;
 static struct ssl_ocsp_task_ctx {
 struct certificate_ocsp *cur_ocsp;
 struct httpclient *hc;
- struct appctx *appctx;
 int flags;
 int update_status;
 } ssl_ocsp_task_ctx;
@@ -1078,18 +1077,41 @@ void ocsp_update_response_end_cb(struct httpclient *hc)
 /*
- * Send a log line that will use the dedicated proxy's error_logformat string.
- * It uses the sess_log function instead of app_log for instance in order to
- * benefit from the "generic" items that can be added to a log format line such
- * as the date and frontend name that can be found at the beginning of the
- * ocspupdate_log_format line.
+ * Send a log line that will mimic this previously used logformat :
+ * char ocspupdate_log_format[] = "%ci:%cp [%tr] %ft %[ssl_ocsp_certname] \
+ * %[ssl_ocsp_status] %{+Q}[ssl_ocsp_status_str] %[ssl_ocsp_fail_cnt] \
+ * %[ssl_ocsp_success_cnt]";
+ * We can't use the regular sess_log function because we don't have any control
+ * over the stream and session used by the httpclient which might not exist
+ * anymore by the time we call this function.
 */
 static void ssl_ocsp_send_log()
 {
- if (!ssl_ocsp_task_ctx.appctx)
+ int status_str_len = 0;
+ char *status_str = NULL;
+ struct certificate_ocsp *ocsp = ssl_ocsp_task_ctx.cur_ocsp;
+ struct tm tm;
+ char timebuf[25];
+
+ if (!httpclient_ocsp_update_px)
 return;
- sess_log(ssl_ocsp_task_ctx.appctx->sess);
+ if (ocsp && ssl_ocsp_task_ctx.update_status < OCSP_UPDT_ERR_LAST) {
+ status_str_len = istlen(ocsp_update_errors[ssl_ocsp_task_ctx.update_status]);
+ status_str = istptr(ocsp_update_errors[ssl_ocsp_task_ctx.update_status]);
+ }
+
+ get_localtime(date.tv_sec, &tm);
+ date2str_log(timebuf, &tm, &date, 25);
+
+ send_log(httpclient_ocsp_update_px, LOG_INFO, "-:- [%s] %s %s %u \"%.*s\" %u %u",
+ timebuf,
+ httpclient_ocsp_update_px->id,
+ ocsp->path,
+ ssl_ocsp_task_ctx.update_status,
+ status_str_len, status_str,
+ ocsp ? ocsp->num_failure : 0,
+ ocsp ? ocsp->num_success : 0);
 }
 /*
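Review bot: `ocsp->path` in the new send_log() call is dereferenced unconditionally, while the same argument list guards `ocsp->num_failure` and `ocsp->num_success` with `ocsp ? … : 0` and the status-string lookup is gated on `ocsp &&`, so a NULL `cur_ocsp` — which the rest of the function clearly treats as possible — crashes in the logging path instead of producing a line. Passing `ocsp ? ocsp->path : "-"` keeps the format fixed and matches the other two operands. Separately, `update_status` is declared `int` in the task context (first hunk) and the new guard only checks `< OCSP_UPDT_ERR_LAST`; unless every writer is known to store enum values only, a negative value would index `ocsp_update_errors[]` out of bounds, so `ssl_ocsp_task_ctx.update_status >= 0 &&` (or an unsigned field) would close that. The function is complete within this hunk.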
@@ -1282,7 +1304,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 hc->ops.res_payload = ocsp_update_response_body_cb;
 hc->ops.res_end = ocsp_update_response_end_cb;
- if (!(ctx->appctx = httpclient_start(hc))) {
+ if (!httpclient_start(hc)) {
 goto leave;
 }
@@ -1346,7 +1368,6 @@ http_error:
 return task;
 }
-char ocspupdate_log_format[] = "%ci:%cp [%tr] %ft %[ssl_ocsp_certname] %[ssl_ocsp_status] %{+Q}[ssl_ocsp_status_str] %[ssl_ocsp_fail_cnt] %[ssl_ocsp_success_cnt]";
 /*
 * Initialize the proxy for the OCSP update HTTP client with 2 servers, one for
@@ -1358,7 +1379,6 @@ static int ssl_ocsp_update_precheck()
 httpclient_ocsp_update_px = httpclient_create_proxy("");
 if (!httpclient_ocsp_update_px)
 return 1;
- httpclient_ocsp_update_px->conf.error_logformat_string = strdup(ocspupdate_log_format);
 httpclient_ocsp_update_px->conf.logformat_string = httpclient_log_format;
 httpclient_ocsp_update_px->options2 |= PR_O2_NOLOGNORM;
@@ -1662,7 +1682,8 @@ int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_e
 if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
 if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+ || (entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_OFF &&
+ store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 err_code |= ERR_ALERT | ERR_FATAL;
 }
-- cgit v1.2.3
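Review bot: The new clause in ocsp_update_check_cfg_consistency() skips the mismatch check whenever `entry->ssl_conf->ocsp_update` equals `SSL_SOCK_OCSP_UPDATE_OFF`, so a crt-list line that explicitly says `ocsp-update off` for a certificate whose store mode is `on` is no longer reported, even though that is a genuine conflict rather than an unset value. If `SSL_SOCK_OCSP_UPDATE_OFF` is also the zero/default of `ssl_bind_conf.ocsp_update` (the enum is not visible here), the two cases cannot be told apart at this point and the parser would need a distinct "not set" value — as the store side already has with `SSL_SOCK_OCSP_UPDATE_DFLT` — before this check can be made precise; if instead the field already defaults to DFLT, comparing against `SSL_SOCK_OCSP_UPDATE_DFLT` here is the tighter test. Either way the new condition deserves a comment stating the intent, e.g. `/* an entry without an explicit ocsp-update keyword never conflicts with the store's mode */`. The function starts before this hunk and its remaining body is not visible.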