From 2b9f0697bfed1d1a84c99103a1ac9475b3a6cbfb Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?=
Date: Tue, 5 Dec 2023 15:38:29 +0100
Subject: [PATCH] BUG/MINOR: ssl: Wrong OCSP CID after modifying an SSL certficate

This bug could be reproduced with the "set ssl cert" CLI command to update a certificate. The OCSP CID is duplicated by ckchs_dup() which calls ssl_sock_copy_cert_key_and_chain(). It should be computed again by ssl_sock_load_ocsp(). This may be accomplished resetting the new ckch OCSP CID returned by ckchs_dup().

This bug may be in relation with GH #2319.

Must be backported to 2.8.

(cherry picked from commit 75f5977ff4ccf205ee386e4f4b0c384fb6a110d5)
Signed-off-by: Christopher Faulet
---
 src/ssl_ckch.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 59ce96d..db31602 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -2424,6 +2424,13 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 		goto end;
 	}
 
+	/* Reset the OCSP CID */
+	if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
+	    cert_ext->type == CERT_TYPE_ISSUER) {
+		OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
+		new_ckchs->data->ocsp_cid = NULL;
+	}
+
 	data = new_ckchs->data;
 
 	/* apply the change on the duplicate */
-- 
1.7.10.4
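Review bot: The added block calls `OCSP_CERTID_free()` on `new_ckchs->data->ocsp_cid` with no preprocessor guard; if the `ocsp_cid` field and the `OCSP_CERTID_dup()` in ssl_sock_copy_cert_key_and_chain() are only compiled under the OCSP feature test (builds with `OPENSSL_NO_OCSP` defined, for instance), this hunk needs the same `#if`/`#endif` around it or those builds will fail on the missing member. The comment `/* Reset the OCSP CID */` says what but not why; suggest `/* ckchs_dup() copied the CID of the old certificate; drop it so that ssl_sock_load_ocsp() recomputes it for the new one, otherwise the stapled OCSP status is matched against the wrong certificate. */`. Since `data = new_ckchs->data;` is assigned on the very next line, moving the reset below that assignment and writing `OCSP_CERTID_free(data->ocsp_cid); data->ocsp_cid = NULL;` would avoid the repeated dereference. Leaving the CID untouched for CERT_TYPE_OCSP updates looks deliberate (the response presumably has to be checked against the existing certificate's ID), but the comment should say so. cli_parse_set_cert() starts and ends outside this hunk, so whether `new_ckchs->data` is guaranteed non-NULL here cannot be confirmed from the diff.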