BUG/MINOR: ssl: Fix error message after ssl_sock_load_ocsp call

If we were to enable 'ocsp-update' on a certificate that does not have
an OCSP URI, we would exit ssl_sock_load_ocsp with a negative error code
which would raise a misleading error message ("<cert> has an OCSP URI
and OCSP auto-update is set to 'on' ..."). This patch simply fixes the
error message but an error is still raised.

This issue was raised in GitHub #2432.
It can be backported up to branch 2.8.

(cherry picked from commit 73705ac701c6b0a8201ae29fffd9f29520a03b78)
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e089b56..0039962 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3665,7 +3665,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
                        memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
                                  err && *err ? *err : "", path);
                else
-                       memprintf(err, "%s '%s' has an OCSP URI and OCSP auto-update is set to 'on' but an error occurred (maybe the issuer could not be found)'.\n",
+                       memprintf(err, "%s '%s' has an OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found)'.\n",
                                  err && *err ? *err : "", path);
                errcode |= ERR_ALERT | ERR_FATAL;
                goto end;