BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp upd…

…ate inconsistencies The ssl_conf might be NULL when processing ocsp_update option in crt-lists. This patch fixes GitHub issue haproxy#1995. It does not need to be backported.
jiho-jung · Jan 11, 2023 · 8c99081 · 8c99081
1 parent 71237a1
commit 8c99081
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
@@ -615,7 +615,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 					entry_dup->crtlist = newlist;
 					if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
 						if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-						    || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+						    || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 							memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 							cfgerr |= ERR_ALERT;
 						}
@@ -647,7 +647,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 			entry->crtlist = newlist;
 			if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
 				if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-				    || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+				    || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 					memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 					cfgerr |= ERR_ALERT;
 				}