From: Remi Tricot-Le Breton Date: Thu, 25 Jun 2026 13:39:18 +0000 (+0200) Subject: MINOR: ocsp: Do not see ocsp loading failures as fatal anymore X-Git-Tag: v3.5-dev2~11 X-Git-Url: http://git.kaiwu.me/web/$%7BGITURL%7D/static/gitweb.js?a=commitdiff_plain;h=e0903167358ab12dda18dab7d45230269ea8226e;p=haproxy.git MINOR: ocsp: Do not see ocsp loading failures as fatal anymore Until now, if the call to 'ssl_sock_load_ocsp' raised an error, because of a missing issuer certificate for instance, we would send a fatal error code and the init would fail. With this patch we only consider this as a non-critical error and we will send a warning instead. In such a case the OCSP response will not be loaded and stapling or auto update features will not work for the certificate. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7220f400a..171857e2f 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3111,7 +3111,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_store *store else memprintf(err, "%s '%s' has an OCSP auto-update set to 'on' but an error occurred (maybe the OCSP URI or the issuer could not be found)'.\n", err && *err ? *err : "", path); - errcode |= ERR_ALERT | ERR_FATAL; + errcode |= ERR_WARN; goto end; } #endif