From d47415624b19bd093a7778ba7aea90cd9e813f9d Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Tue, 31 Mar 2026 11:35:46 +0200
Subject: [PATCH] BUG/MEDIUM: ssl/ocsp: ocsp commands warn when accessed without admin level

This commit adds an ha_warning() when OCSP commands are accessed without admin level. This is to warn users that these commands will be restricted to admin only in HAProxy 3.3. Must be backported in every stable branches. Initially reported by Cameron Brown.
---
 src/ssl_ocsp.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index fec67105d..eeb8f4135 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1510,6 +1510,9 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 	unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 	unsigned char *p;
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 	if (!*args[3]) {
 		memprintf(&err, "'update ssl ocsp-response' expects a filename\n");
 		return cli_dynerr(appctx, err);
@@ -1590,6 +1593,9 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 	char *err = NULL;
 	int i, j, ret;
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 	if (!payload)
 		payload = args[3];
 
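Review bot: The level test and the deprecation message are pasted verbatim into four CLI parsers (cli_parse_update_ocsp_response and cli_parse_set_ocspresponse in these two hunks, cli_parse_show_ocspresponse and cli_parse_show_ocsp_updates in the next two), so the 3.3 switch from "warn" to "refuse" will have to be made in four places and the message text can drift between backports. A single static helper taking `appctx` and `args` keeps the privilege decision in one spot and makes the future hard refusal a one-line change. Note also that ha_warning() goes to haproxy's own log, not to the CLI socket, so the operator-level caller who issued the command gets no indication that their access is about to be withdrawn; if that is intended (to avoid altering command output parsed by scripts) a comment on the helper saying so would help the next reader. All four parsers begin and end outside their hunks.
```c
/* Transitional: OCSP CLI commands still run at operator level but become
 * admin-only in 3.3. Centralised so the warning and the future refusal
 * live in one place; the message is logged, not returned to the client.
 */
static void ocsp_cli_warn_non_admin(struct appctx *appctx, char **args)
{
	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
}

/* … unchanged: cli_parse_update_ocsp_response declarations … */
	ocsp_cli_warn_non_admin(appctx, args);
```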
@@ -1630,10 +1636,12 @@ static int cli_parse_set_ocspresponse(char **args, char *payload, struct appctx
 static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx *appctx, void *private)
 {
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
-	struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 	int arg_idx = 3;
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 	if (*args[3]) {
 		struct certificate_ocsp *ocsp = NULL;
 		char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@@ -1817,6 +1825,9 @@ static int cli_parse_show_ocsp_updates(char **args, char *payload, struct appctx
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 	struct show_ocsp_updates_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
 
+	if ((appctx->cli_ctx.level & ACCESS_LVL_MASK) < ACCESS_LVL_ADMIN)
+		ha_warning("'%s %s %s' accessed without admin rights, this won't be supported anymore starting from haproxy 3.3\n", args[0], args[1], args[2]);
+
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 
 	return 0;
-- 
2.47.3
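Review bot: The first hunk on this line silently removes `struct show_ocspresp_cli_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));` from cli_parse_show_ocspresponse, a change the commit message (which only describes adding warnings) does not mention, and the diffstat's 12 insertions are fully accounted for by the four 3-line warning blocks, so nothing re-adds a reservation. Either `ctx` is no longer referenced in the rest of that function, which lies outside the hunk, and this was a dead reservation worth a sentence in the message, or it is still used and the function will not build; the backport to every stable branch makes it worth stating which. A one-line addition to the commit message such as `Also drop the unused svcctx reservation in cli_parse_show_ocspresponse.` would settle it for the backporters. The body of cli_parse_show_ocspresponse continues past the hunk.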