From 6479eab976d425ae2f8d3eb988a4f79d701001a5 Mon Sep 17 00:00:00 2001
From: PiBa-NL <pba_2k3@yahoo.com>
Date: Sun, 19 Jul 2015 17:14:03 +0200
Subject: haproxy-1_5, haproxy-devel, bump binary versions to 1.5.14 /
 1.6-dev2. Also copy fixes made -devel to the -1_5 package.

---
 config/haproxy1_5/pkg/haproxy.inc                | 208 +++++++++-
 config/haproxy1_5/pkg/haproxy_utils.inc          |  44 ++-
 config/haproxy1_5/pkg/haproxy_utils.inc.bak      | 460 -----------------------
 config/haproxy1_5/www/haproxy_listeners_edit.php |  11 +-
 config/haproxy1_5/www/haproxy_pool_edit.php      |   2 +-
 5 files changed, 234 insertions(+), 491 deletions(-)
 delete mode 100644 config/haproxy1_5/pkg/haproxy_utils.inc.bak

(limited to 'config')

diff --git a/config/haproxy1_5/pkg/haproxy.inc b/config/haproxy1_5/pkg/haproxy.inc
index 793c5c28..eceef783 100644
--- a/config/haproxy1_5/pkg/haproxy.inc
+++ b/config/haproxy1_5/pkg/haproxy.inc
@@ -345,10 +345,12 @@ function haproxy_custom_php_deinstall_command() {
 	update_output_window($static_output);
 	$static_output .= "HAProxy, deleting haproxy webgui\n";
 	update_output_window($static_output);
-	exec("rm /usr/local/etc/rc.d/haproxy.sh");
+	unlink_if_exists("/usr/local/etc/rc.d/haproxy.sh");
+	unlink_if_exists("/etc/rc.haproxy_ocsp.sh");
 	$static_output .= "HAProxy, installing cron job if needed\n";
 	update_output_window($static_output);
 	haproxy_install_cron(false);
+	haproxy_install_cronjob(false, '/etc/rc.haproxy_ocsp.sh');
 	$static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n";
 	update_output_window($static_output);
 }
@@ -362,6 +364,12 @@ function haproxy_custom_php_install_command() {
 	update_output_window($static_output);
 	conf_mount_rw();
 	
+	$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+	if ($pf_version == "2.1" || $pf_version == "2.2")
+		$haproxy_binary = "/usr/pbi/haproxy-devel-" . php_uname("m") . "/sbin/haproxy";
+	else
+		$haproxy_binary = "/usr/local/sbin/haproxy";
+
 	$static_output .= "HAProxy, create '/usr/local/etc/rc.d/haproxy.sh'\n";
 	update_output_window($static_output);
 	$haproxy = <<<EOD
@@ -375,7 +383,7 @@ function haproxy_custom_php_install_command() {
 
 name="haproxy"
 rcvar="\${name}_enable"
-command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy"
+command="{$haproxy_binary}"
 haproxy_enable=\${haproxy-"YES"}
 
 start_cmd="haproxy_start"
@@ -425,7 +433,32 @@ EOD;
 	$fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w");
 	fwrite($fd, $haproxy);
 	fclose($fd);
-	exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh");
+	chmod("/usr/local/etc/rc.d/haproxy.sh", 0755);
+
+	$haproxy_ocsp = <<<EOD
+#!/usr/local/bin/php -f
+
+<?php
+
+/*
+	Updates haproxy OCSP responses.
+*/
+
+require_once("globals.inc");		
+require_once("functions.inc");
+require_once("haproxy.inc");
+require_once("haproxy_socketinfo.inc");
+haproxy_updateocsp();
+
+?>
+
+EOD;
+	// removing the \r prevents the "No input file specified." error..
+	$haproxy_ocsp = str_replace("\r\n","\n", $haproxy_ocsp);
+	$fd = fopen("/etc/rc.haproxy_ocsp.sh", "w");
+	fwrite($fd, $haproxy_ocsp);
+	fclose($fd);
+	chmod("/etc/rc.haproxy_ocsp.sh", 0755);
 
 	$static_output .= "HAProxy, update configuration\n";
 	update_output_window($static_output);
@@ -447,6 +480,51 @@ EOD;
 	update_output_window($static_output);
 }
 
+function haproxy_install_cronjob($should_install, $script, $interval = 60, $parameters = "") {
+	global $config, $g;
+	if($g['booting']==true) 
+		return;
+	$is_installed = false;
+	if(!$config['cron']['item'])
+		return;
+	$x=0;
+	foreach($config['cron']['item'] as $item) {
+		if(strstr($item['command'], $script)) {
+			$is_installed = true;
+			break;
+		}
+		$x++;
+	}
+	switch($should_install) {
+		case true:
+			if(!$is_installed) {
+				$cron_item = array();
+				$cron_item['minute'] = "*/{$interval}";
+				$cron_item['hour'] = "*";
+				$cron_item['mday'] = "*";
+				$cron_item['month'] = "*";
+				$cron_item['wday'] = "*";
+				$cron_item['who'] = "root";
+				$cron_item['command'] = "$script $parameters";		
+				$config['cron']['item'][] = $cron_item;
+				parse_config(true);
+				write_config("haproxy, install cron job");
+				configure_cron();
+			}
+		break;
+		case false:
+			if($is_installed == true) {
+				if($x > 0) {
+					unset($config['cron']['item'][$x]);
+					parse_config(true);
+					write_config("haproxy, remove cron job");
+				}
+				configure_cron();
+			}
+		break;
+	}
+}
+
 function haproxy_install_cron($should_install) {
 	global $config, $g;
 	if($g['booting']==true) 
@@ -879,24 +957,108 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
 	unset($crl);
 }
 
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
 	$cert = haproxy_lookup_cert($certid);
 
 	$certcontent = base64_decode($cert['crt']);
 	if (isset($cert['prv']))
 		$certcontent .= "\r\n".base64_decode($cert['prv']);
 	
+	$ca = $cert;
+	while(!empty($ca['caref'])) {
+		$ca = lookup_ca($ca['caref']);
+		if ($ca) {
+			if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+				break;
+			$certcontent .= "\r\n" . base64_decode($ca['crt']);
+		} else
+			break;
+	}
+	$flags = $append ? FILE_APPEND : 0;
+	file_put_contents($filename, $certcontent, $flags);
+	unset($certcontent);
+	unset($cert);
+}
+
+function haproxy_write_certificate_issuer($filename, $certid) {
+	$cert = haproxy_lookup_cert($certid);
 	$certchaincontent = ca_chain($cert);
 	if ($certchaincontent != "") {
 		$certcontent .= "\r\n" . $certchaincontent;
 	}
 	unset($certchaincontent);
-	$flags = $append ? FILE_APPEND : 0;
-	file_put_contents($filename, $certcontent, $flags);
+	file_put_contents($filename, $certcontent, 0);
 	unset($certcontent);
 	unset($cert);
 }
 
+function haproxy_uses_ocsp() {
+	global $config;
+	$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+	if (!is_array($a_frontends))
+		return false;
+	
+	$configpath = "{$g['varetc_path']}/haproxy";
+	foreach ($a_frontends as $frontend) {
+		if ($frontend['sslocsp'] == 'yes') {
+			return true;
+		}
+	}
+	return false;
+}
+
+function haproxy_getocspurl($filename) {
+	return exec("openssl x509 -noout -ocsp_uri -in $filename", $output, $err);
+}
+
+function haproxy_updateocsp_one($socketupdate, $filename, $name) {
+	if (file_exists("{$filename}.ocsp")) {
+		// If the .ocsp file exists we want to use ocsp
+		syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
+		$ocsp_url = haproxy_getocspurl($filename);
+		$ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
+		if (empty($ocsp_url)) {
+			// If cert does not have a ocsp_uri, it cannot be updated..
+			syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
+		} else {
+			$retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+			if ($socketupdate) {
+				$ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
+				$r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
+				if ($r[0] == "OCSP Response updated!\n")
+					syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
+				else {
+					syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for:  {$name}");
+				}
+			} else {
+				syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
+			}
+		}
+	}
+}
+
+function haproxy_updateocsp($socketupdate = true) {
+	global $config, $g;
+	$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+	if (!is_array($a_frontends))
+		return true;
+	
+	$configpath = "{$g['varetc_path']}/haproxy";
+	foreach ($a_frontends as $frontend) {
+		$filename = "$configpath/{$frontend['name']}.pem";
+		haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+		
+		$subfolder = "$configpath/{$frontend['name']}";
+		$certs = $frontend['ha_certificates']['item'];
+		if (is_array($certs)){
+			foreach($certs as $cert){
+				$filename = "$subfolder/{$cert['ssl_certificate']}.pem";
+				haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+			}
+		}
+	}
+}
+
 function haproxy_writeconf($configpath) {
 	global $config;
 	global $aliastable;
@@ -993,14 +1155,29 @@ function haproxy_writeconf($configpath) {
 				//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
 				$filename = "$configpath/{$frontend['name']}.pem";
 				$ssl_crt = " crt $filename";
+
 				haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']);
+				if ($frontend['sslocsp'] == 'yes') {
+					if (!empty(haproxy_getocspurl($filename))) {
+						haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
+						touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
+					}
+				}
+				
 				$subfolder = "$configpath/{$frontend['name']}";
 				$certs = $frontend['ha_certificates']['item'];
 				if (is_array($certs)){
 					if (count($certs) > 0){
 						@mkdir($subfolder, 0755, true);
 						foreach($certs as $cert){
-							haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']);
+							$filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem";
+							haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']);
+							if ($frontend['sslocsp'] == 'yes') {
+								if (!empty(haproxy_getocspurl($filenamefoldercert))) {
+									haproxy_write_certificate_issuer($filenamefoldercert . ".issuer", $cert['ssl_certificate']);
+									touch($filenamefoldercert . ".ocsp");
+								}
+							}
 						}
 						$ssl_crt .= " crt $subfolder";
 					}
@@ -1344,11 +1521,6 @@ function haproxy_writeconf($configpath) {
 			haproxy_do_xmlrpc_sync();
 		}
 	}
-	
-	if (isset($a_global['carpdev']))
-		haproxy_install_cron(true);
-	else
-		haproxy_install_cron(false);
 }
 
 function haproxy_is_running() {
@@ -1560,8 +1732,18 @@ function haproxy_check_run($reload) {
 	$a_global = &$config['installedpackages']['haproxy'];
 	$configpath = "{$g['varetc_path']}/haproxy";
 	
-	if ($reload)
+	if ($reload) {
 		haproxy_writeconf($configpath);
+		haproxy_updateocsp(false);
+		
+		if (isset($a_global['carpdev']))
+			haproxy_install_cron(true);
+		else
+			haproxy_install_cron(false);
+	
+		$useocsp = haproxy_uses_ocsp();
+		haproxy_install_cronjob($useocsp, '/etc/rc.haproxy_ocsp.sh', 120);
+	}
 
 	if(isset($a_global['enable'])) {
 		if (isset($a_global['carpdev'])) {
diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc b/config/haproxy1_5/pkg/haproxy_utils.inc
index d8c4faf4..ec72b986 100644
--- a/config/haproxy1_5/pkg/haproxy_utils.inc
+++ b/config/haproxy1_5/pkg/haproxy_utils.inc
@@ -36,24 +36,38 @@ require_once("config.inc");
 class haproxy_utils {
 	public static $pf_version;
 
-	public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
+	public function query_dns($host, $querytype="A,AAAA") {
 		$result = array();
-		$host = trim($host, " \t\n\r\0\x0B[];\"'");
-		$host_esc = escapeshellarg($host);
 		$types = explode(',',$querytype);
+		$recordtype = 0;
 		foreach($types as $type){
-			$resolved = gethostbyname($host);
-			if($resolved) {
-				$resolved = array();
-				if (haproxy_utils::$pf_version < '2.2')
-					exec("/usr/bin/dig   {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
-				else
-					exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
-				foreach($resolved as $item) {
-					$newitem = array();
-					$newitem["typeid"] = $type;
-					$newitem["data"] = $item;
-					$result[] = $newitem;
+			switch ($type) {
+				case 'A': 
+					$recordtype = DNS_A; 
+					break;
+				case 'AAAA': 
+					$recordtype = DNS_AAAA; 
+					break;
+			}
+			if ($recordtype != 0) {
+				//query one type at a time, querying multiple types in one call dns_get_record fails if one is not present..
+				$errreporting = error_reporting();
+				error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved..
+				$dnsresult = dns_get_record($host, $recordtype);
+				error_reporting($errreporting);
+				if (is_array($dnsresult)) {
+					foreach($dnsresult as $item) {
+						$newitem["typeid"] = $item['type'];
+						switch ($item['type']) {
+							case 'A':
+								$newitem["data"] = $item['ip']; 
+								break;
+							case 'AAAA':
+								$newitem["data"] = $item['ipv6']; 
+								break;
+						}
+						$result[] = $newitem;
+					}
 				}
 			}
 		}
diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc.bak b/config/haproxy1_5/pkg/haproxy_utils.inc.bak
deleted file mode 100644
index 26c77b45..00000000
--- a/config/haproxy1_5/pkg/haproxy_utils.inc.bak
+++ /dev/null
@@ -1,460 +0,0 @@
-<?php
-/*
-	haproxy_utils.php
-	part of pfSense (https://www.pfsense.org/)
-	Copyright (C) 2013-2015 PiBa-NL
-	All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-
-	1. Redistributions of source code must retain the above copyright notice,
-	   this list of conditions and the following disclaimer.
-
-	2. Redistributions in binary form must reproduce the above copyright
-	   notice, this list of conditions and the following disclaimer in the
-	   documentation and/or other materials provided with the distribution.
-
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
-  This file contains functions which are NOT specific to HAProxy and may/could/should 
-  be moved to the general pfSense php library for possible easy use by other parts of pfSense
-*/
-
-require_once("config.inc");
-
-class haproxy_utils {
-	public static $pf_version;
-
-	public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
-		$result = array();
-		$host = trim($host, " \t\n\r\0\x0B[];\"'");
-		$host_esc = escapeshellarg($host);
-		$types = explode(',',$querytype);
-		foreach($types as $type){
-			$resolved = gethostbyname($host);
-			if($resolved) {
-				$resolved = array();
-				if (haproxy_utils::$pf_version < '2.2')
-					exec("/usr/bin/dig   {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
-				else
-					exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
-				foreach($resolved as $item) {
-					$newitem = array();
-					$newitem["typeid"] = $type;
-					$newitem["data"] = $item;
-					$result[] = $newitem;
-				}
-			}
-		}
-		return $result;
-	}
-}
-haproxy_utils::$pf_version = substr(trim(file_get_contents("/etc/version")),0,3);
-
-if(!function_exists('ifset')){
-	function ifset(&$var, $default = ''){
-		return isset($var) ? $var : $default;
-	};
-}
-
-if(!function_exists('is_arrayset')){
-	function is_arrayset(&$array, $items){
-		if (!isset($array))
-			return false;
-		$item = $array;
-		$arg = func_get_args();
-		for($i = 1; $i < count($arg); $i++) {
-
-			$itemindex = $arg[$i];
-			if (!isset($item[$itemindex]) || !is_array($item[$itemindex]))
-				return false;
-			$item = $item[$itemindex];
-
-		}
-		return true;
-	}
-}
-
-function haproxy_compareByName($a, $b) {
-	return strcasecmp($a['name'], $b['name']);
-}
-
-function haproxy_interface_ip($interfacebindname,$userfriendly=false){
-	$list = haproxy_get_bindable_interfaces();
-	$item = $list[$interfacebindname];
-	$result = $item['ip'];
-	if ($userfriendly && !$result)
-		$result = $item['name'];
-	return $result;
-}
-
-function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,localhost,real,carp,ipalias"){
-	// returns a list of ALL interface/IPs that can be used to bind a service to.
-	// filtered by the conditions given in the two filter parameters.
-	// result array includes:
-	// $bindable[key]                can be stored and compared with previous setings
-	// $bindable[key]['ip']          the current IP (possibly changes for dhcp enabled interfaces..)
-	// $bindable[key]['description'] can be shown to user in a selection box
-
-	global $config;
-	$ipverions = split(',',$ipv);
-	$interfacetypes= split(',',$interfacetype);
-
-	$bindable = array();
-	if (in_array("ipv4",$ipverions)){
-		if (in_array('any',$interfacetypes)){
-			$item = array();
-			$item[ip] = '0.0.0.0';
-			$item[name] = 'any (IPv4)';
-			$bindable['any_ipv4'] = $item;
-		}
-		if (in_array('localhost',$interfacetypes)){
-			$item = array();
-			$item[ip] = '127.0.0.1';
-			$item[name] = 'localhost (IPv4)';
-			$bindable['localhost_ipv4'] = $item;
-		}
-		if (in_array('real',$interfacetypes)){
-			foreach($config['interfaces'] as $if => $ifdetail) {
-				if (!isset($ifdetail['enable']))
-					continue;
-				if (!isset($ifdetail['ipaddr']))
-					continue;
-				$descr = $ifdetail['descr'];
-				if (!$descr){
-					if ($if == "wan" && !$ifdetail['descr'])
-						$descr = "WAN";
-					else if ($if == "lan" && !$ifdetail['descr'])
-						$descr = "LAN";
-					else
-						$descr = $if;
-				}
-				$item = array();
-				$item['ip'] = get_interface_ip($if);
-				$item['name'] = "$descr address (IPv4)";
-				$bindable[$if.'_ipv4'] = $item;
-			}
-		}
-		if (in_array('carp',$interfacetypes)){
-			$carplist = get_configured_carp_interface_list();
-			foreach ($carplist as $carpif => $carpip){
-				if (is_ipaddrv4($carpip)){
-					$item = array();
-					$item['ip'] = $carpip;
-					$item['name'] = $carpip." (".get_vip_descr($carpip).")";
-					$bindable[$carpip] = $item;
-				}
-			}
-
-		}
-		if (in_array('ipalias',$interfacetypes)){
-			$aliaslist = get_configured_ip_aliases_list();
-			foreach ($aliaslist as $aliasip => $aliasif){
-				if (is_ipaddrv4($aliasip)){
-					$item = array();
-					$item['ip'] = $aliasip;
-					$item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
-					$bindable[$aliasip.'_ipv4'] = $item;	
-				}
-			}
-		}
-	}
-	if (!isset($config['system']['ipv6allow']))
-		return $bindable;// skip adding the IPv6 addresses if those are not 'allowed'
-	
-	if (in_array("ipv6",$ipverions)){
-		if (in_array('any',$interfacetypes)){
-			$item = array();
-			$item[ip] = '::';
-			$item[name] = 'any (IPv6)';
-			$bindable['any_ipv6'] = $item;
-		}
-		if (in_array('localhost',$interfacetypes)){
-			$item = array();
-			$item[ip] = '::1';
-			$item[name] = 'localhost (IPv6)';
-			$bindable['localhost_ipv6'] = $item;
-		}
-		if (in_array('real',$interfacetypes)){
-			foreach($config['interfaces'] as $if => $ifdetail) {
-				if (!isset($ifdetail['enable']))
-					continue;
-				if (!isset($ifdetail['ipaddrv6']))
-					continue;
-				$descr = $ifdetail['descr'];
-				if (!$descr){
-					if ($if == "wan" && !$ifdetail['descr'])
-						$descr = "WAN";
-					else if ($if == "lan" && !$ifdetail['descr'])
-						$descr = "LAN";
-					else
-						$descr = $if;
-				}
-				$item = array();
-				$item['ip'] = get_interface_ipv6($if);
-				$item['name'] = "$descr  address (IPv6)";
-				$bindable[$if.'_ipv6'] = $item;
-			}
-		}		
-		if (in_array('carp',$interfacetypes)){
-			$carplist = get_configured_carp_interface_list();
-			foreach ($carplist as $carpif => $carpip){
-				if (is_ipaddrv6($carpip)){
-					$item = array();
-					$item['ip'] = $carpip;
-					$item['name'] = $carpip." (".get_vip_descr($carpip).")";
-					$bindable[$carpip] = $item;
-				}
-			}
-
-		}
-		if (in_array('ipalias',$interfacetypes)){
-			$aliaslist = get_configured_ip_aliases_list();
-			foreach ($aliaslist as $aliasip => $aliasif){
-				if (is_ipaddrv6($aliasip)){
-					$item = array();
-					$item['ip'] = $aliasip;
-					$item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
-					$bindable[$aliasip] = $item;	
-				}
-			}
-		}
-	}
-	return $bindable;
-}
-
-function haproxy_get_cert_extensions($crt){
-	$cert = openssl_x509_parse(base64_decode($crt['crt']));
-	return $cert['extensions'];
-}
-
-function haproxy_get_cert_authoritykeyidentifier($cert)
-{
-	$certextension = haproxy_get_cert_extensions($cert);
-	$lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']);
-	return substr($lines[0],6);// cut off the starting string 'keyid:'
-}
-function haproxy_get_cert_subjectKeyIdentifier($cert)
-{
-	$certextension = haproxy_get_cert_extensions($cert);
-	$lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']);
-	return $lines[0];
-}
-
-function haproxy_cert_signed_by($cert, $signedbycert) {
-	// checks if $cert was signed by $signedbycert
-	// this does NOT validate a proper signature but only checks if the extension properties match.
-	$authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert);
-	$subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert);
-	return $authoritykeyid == $subjectid;
-}
-
-function haproxy_recalculate_certifcate_chain(){
-	// and set "selfsigned" for certificates that where used to sign themselves
-	// recalculate the "caref" for all certificates where it is currently unkown.
-	
-	$allcertificates = haproxy_get_certificates('ca,server,user',true);
-	$items_recalculated = 0;
-	foreach($allcertificates as &$cert){
-		$recalculate=false;
-		if (!isset($cert['selfsigned'])){
-			if (!isset($cert['caref']))
-				$recalculate=true;
-			else {		
-				$ca = lookup_ca($cert['caref']);
-				if (!$ca)	
-					$recalculate=true;
-			}
-		}
-		if ($recalculate){
-			foreach($allcertificates as &$signedbycert){
-				if(haproxy_cert_signed_by($cert, $signedbycert)){
-					if ($cert['refid'] == $signedbycert['refid']){
-						$cert['selfsigned'] = true;
-					} else {					
-						$cert['caref'] = $signedbycert['refid'];
-					}
-					$items_recalculated++;
-				}
-			}
-		}
-	}
-	if ($items_recalculated > 0)
-		write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains.");
-	return $items_recalculated;
-}
-
-function get_certificat_usage($refid) {
-	$usage = array();
-	$cert = lookup_cert($refid);
-	if (is_cert_revoked($cert))
-		$usage[] = "*Revoked";
-	if (is_webgui_cert($refid))
-		$usage[] = "webConfigurator";
-	if (is_user_cert($refid))
-		$usage[] = "User Cert";
-	if (is_openvpn_server_cert($refid))
-		$usage[] = "OpenVPN Server";
-	if (is_openvpn_client_cert($refid))
-		$usage[] = "OpenVPN Client";
-	if (is_ipsec_cert($refid))
-		$usage[] = "IPsec Tunnel";
-	if (function_exists("is_captiveportal_cert"))
-		if (is_captiveportal_cert($refid))
-			$usage[] = "Captive Portal";
-	return $usage;
-}
-
-function haproxy_get_certificate_descriptivename($cert) {
-	$usage = get_certificat_usage($cert['crt']);
-	foreach($usage as $use){
-		$usagestr .= " " . $use;
-	}		
-	if ($usagestr != "")
-		$usagestr = " (".trim($usagestr).")";
-
-	$purpose = cert_get_purpose($cert['crt']);
-	$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : "";
-		
-	$caname = "";
-	$ca = lookup_ca($cert['caref']);
-	if ($ca)
-		$caname = " (CA: {$ca['descr']})";
-	
-	return $cert['descr'] . $caname . $certserverpurpose . $usagestr;
-}
-
-function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) {
-	// $type one or multiple of these separated by a comma:  ca,server,user
-	// $get_includeWebCert if the webgui certificate may be included.
-
-	// This function (is intended to) provide a uniform way to retrieve a list of server certificates
-	global $config;
-	$type = ",$type,";
-	$certificates = array();
-	if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
-		if (is_array($config['cert'])) {
-			$a_cert = &$config['cert'];
-			foreach ($a_cert as $cert) {
-				$purpose = cert_get_purpose($cert['crt']);
-				
-				$ok = false;
-				$ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
-				$ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
-				if (!$ok)
-					continue;
-				//if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
-				if ($get_includeWebCert == false && $cert['descr'] == "def web cert")
-					continue;
-				$certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
-			}
-		}
-	}
-	if (strpos($type,',ca,') !== false) {
-		if (is_array($config['ca'])) {
-			$a_cert = &$config['ca'];
-			foreach ($a_cert as $cert) {
-				$certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
-			}
-		}
-	}
-	uasort($certificates, haproxy_compareByName);
-	return $certificates;
-}
-
-function haproxy_get_crls() {
-	global $config;
-	$certificates=array();
-	if (is_array($config['crl'])) {
-		foreach ($config['crl'] as $crl) {
-			$caname = "";
-			$ca = lookup_ca($crl['caref']);
-			if ($ca)
-				$caname = " (CA: {$ca['descr']})";
-		
-			$certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
-		}
-	}
-	uasort($certificates, haproxy_compareByName);
-	return $certificates;
-}
-
-function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) {
-	$offset = str_repeat('  ',$nestID);
-	$itemName = "item$nestID";
-	echo "{$offset}$nodeName = {};\n";
-	if (is_array($items))
-		foreach ($items as $key => $item)
-		{
-			if (in_array($path.'/'.$key, $includeitems))
-				$subpath = $path.'/'.$key;
-			else
-				$subpath = $path.'/*';
-			if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) {
-				if (is_array($item)) {
-					$subNodeName = "item$nestID";
-					phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems);
-					echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n";
-				} else {
-					$item = json_encode($item);
-					echo "{$offset}{$nodeName}['$key'] = $item;\n";
-				}
-			}
-		}
-}
-function phparray_to_javascriptarray($items, $javaMapName, $includeitems) {
-	phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems);
-}
-
-function haproxy_html_select_options($keyvaluelist, $selected="") {
-	$result = "";
-	foreach($keyvaluelist as $key => $desc){
-		$selectedhtml = $key == $selected ? "selected" : "";
-		if ($desc['deprecated'] && $key != $selected){
-			continue;
-		}
-		$name = htmlspecialchars($desc['name']);
-		$result .= "<option value='{$key}' {$selectedhtml}>{$name}</option>";
-	}
-	return $result;
-}
-
-function haproxy_js_select_options($keyvaluelist, $selected="") {
-	$result = "";
-	foreach($keyvaluelist as $key => $desc){
-		$selectedhtml = $key == $selected ? "selected" : "";
-		if ($desc['deprecated'] && $key != $selected){
-			continue;
-		}
-		$name = htmlspecialchars($desc['name']);
-		$result .= "<option value='{$key}' {$selectedhtml}>{$name}<\/option>";
-	}
-	return $result;
-}
-
-function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="", $style="") {
-	if (count($keyvaluelist)>0){
-		if ($onchangeEvent != "")
-			$onchangeEvent = " onchange='$onchangeEvent'";
-		if ($style != "")
-			$style = " style='$style'";
-		echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent$style>";
-		echo haproxy_html_select_options($keyvaluelist, $selected);
-		echo "</select>";
-	} else {
-		echo $listEmptyMessage;
-	}
-}
-
-?>
\ No newline at end of file
diff --git a/config/haproxy1_5/www/haproxy_listeners_edit.php b/config/haproxy1_5/www/haproxy_listeners_edit.php
index d8841c33..6998e099 100644
--- a/config/haproxy1_5/www/haproxy_listeners_edit.php
+++ b/config/haproxy1_5/www/haproxy_listeners_edit.php
@@ -71,7 +71,7 @@ uasort($a_pools, haproxy_compareByName);
 global $simplefields;
 $simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool',
 	'max_connections','client_timeout','port','advanced_bind',
-	'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid',
+	'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid','sslocsp',
 	'socket-stats',
 	'dontlognull','dontlog-normal','log-separate-errors','log-detailed');
 
@@ -787,6 +787,12 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
 				<input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/>
 			</td>
 		</tr>
+		<tr class="haproxy_ssloffloading_enabled" align="left">
+			<td width="22%" valign="top" class="vncell">OCSP</td>
+			<td width="78%" class="vtable" colspan="2">
+				<input id="sslocsp" name="sslocsp" type="checkbox" value="yes" <?php if ($pconfig['sslocsp']=='yes') echo "checked";?> onclick="updatevisibility();" />Load certificate ocsp responses for easy certificate validation by the client.<br/>
+			</td>
+		</tr>
 		<tr class="haproxy_ssloffloading_enabled">
 			<td width="22%" valign="top" class="vncell">Additional certificates</td>
 			<td width="78%" class="vtable" colspan="2" valign="top">
@@ -805,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
 				<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> />
 				<br/>
 				NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/>
-				some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+				some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/>
+				Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
 			</td>
 		</tr>
 		<tr class="haproxy_ssloffloading_enabled haproxy_primary">
diff --git a/config/haproxy1_5/www/haproxy_pool_edit.php b/config/haproxy1_5/www/haproxy_pool_edit.php
index 5e38b12d..0824e45c 100644
--- a/config/haproxy1_5/www/haproxy_pool_edit.php
+++ b/config/haproxy1_5/www/haproxy_pool_edit.php
@@ -961,7 +961,7 @@ set by the 'retries' parameter.</div>
 			<td colspan="2" valign="top" class="listtopic">Advanced</td>
 		</tr>
 		<tr class="" align="left" id='Strict-Transport-Security'>
-			<td width="22%" valign="top" class="vncell">Strict-Transport-Security</td>
+			<td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td>
 			<td width="78%" class="vtable" colspan="2">
 				When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/>
 				<b>WARNING! the domain will only work over https with a valid certificate!</b><br/>
-- 
cgit v1.2.3