Repositories - haproxy-3.0.git/commit

author	Remi Tricot-Le Breton <rlebreton@haproxy.com>
	Mon, 25 Mar 2024 15:50:25 +0000 (16:50 +0100)
committer	William Lallemand <wlallemand@haproxy.com>
	Wed, 27 Mar 2024 10:38:28 +0000 (11:38 +0100)
commit	7359c0c7f4d367b4ee12944c35ea753e915edc19
tree	6f0fd2e71470a659218859a996db47909315a6e9	tree \| snapshot
parent	b1d623949c3b60ccb41c18d44c874d183dda2ca4	commit \| diff

MEDIUM: ssl: Add 'tune.ssl.ocsp-update.mode' global option

This option can be used to set a default ocsp-update mode for all
certificates of a given conf file. It allows to activate ocsp-update on
certificates without the need to create separate crt-lists. It can still
be superseded by the crt-list 'ocsp-update' option. It takes either "on"
or "off" as value and defaults to "off".
Since setting this new parameter to "on" would mean that we try to
enable ocsp-update on any certificate, and also certificates that don't
have an OCSP URI, the checks performed in ssl_sock_load_ocsp were
softened. We don't systematically raise an error when trying to enable
ocsp-update on a certificate that does not have an OCSP URI, be it via
the global option or the crt-list one. We will still raise an error when
a user tries to load a certificate that does have an OCSP URI but a
missing issuer certificate (if ocsp-update is enabled).

doc/configuration.txt		diff \| blob \| history
include/haproxy/ssl_sock-t.h		diff \| blob \| history
src/cfgparse-ssl.c		diff \| blob \| history
src/ssl_ckch.c		diff \| blob \| history
src/ssl_crtlist.c		diff \| blob \| history
src/ssl_ocsp.c		diff \| blob \| history
src/ssl_sock.c		diff \| blob \| history