projects / haproxy-2.5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 722180a) | patch
BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Wed, 9 Jun 2021 15:16:18 +0000 (17:16 +0200)
committerWilliam Lallemand <wlallemand@haproxy.org>
Wed, 9 Jun 2021 15:49:00 +0000 (17:49 +0200)
commita3a0cce8ee8c142cd148090854ca8551a36d9bd7
treea3ee1552e032d7e55503545cfde7c27b75131fd4tree | snapshot
parent722180aca8757d8807b21cf125a2d68249be5bf8commit | diff
BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future

The wey the "Next Update" field of the OCSP response is converted into a
timestamp relies on the use of signed integers for the year and month so
if the calculated timestamp happens to overflow INT_MAX, it ends up
being seen as negative and the OCSP response being dwignored in
ssl_sock_ocsp_stapling_cbk (because of the "ocsp->expire < now.tv_sec"
test).

It could be backported to all stable branches.
src/ssl_sock.c diff | blob | history
haproxy-2.5 public tree. Stable production code.