Posted to cvs@httpd.apache.org by rp...@apache.org on 2020/03/18 11:31:21 UTC

svn commit: r1875356 - /httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c

Author: rpluem
Date: Wed Mar 18 11:31:20 2020
New Revision: 1875356

URL: http://svn.apache.org/viewvc?rev=1875356&view=rev
Log:
* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send
  out an OCSP response that can't be parsed.

  If the crypto/ASN library can't parse a response as 'basic OCSP'
  even if it leads with an OCSP successful status, then don't pass it
  to the client. There is nothing to say at all it isn't just garbage.
  And if other types of messages are standardized they can be added.

PR: 60182
Obtained from: https://github.com/apache/httpd/commit/e72154c75dab1cc043ea1aad36758806855efb25.diff
Submitted by: <gm...@gmail.com>
Reviewed by: rpluem
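The check described in the log message above, as an added worked example that is not httpd's or OpenSSL's code. A small DER reader for the OCSPResponse wrapper (RFC 6960 section 4.2.1) stands in for d2i_OCSP_RESPONSE(), OCSP_response_status() and OCSP_response_get1_basic(); the sample responses are constructed for the example, and the names build_response, should_staple and stapled_before_patch are this example's own. Treating a non-successful status as do-not-staple is a simplification; how the module handles responder errors is outside this diff.

```python
# Added example (not httpd or OpenSSL code): the decision stapling_check_response()
# makes, over a hand-rolled DER reader for the OCSPResponse wrapper (RFC 6960 4.2.1):
#   OCSPResponse  ::= SEQUENCE { responseStatus ENUMERATED,
#                                responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
#   ResponseBytes ::= SEQUENCE { responseType OBJECT IDENTIFIER, response OCTET STRING }
# For id-pkix-ocsp-basic the OCTET STRING carries a DER BasicOCSPResponse (a SEQUENCE).

ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # OID 1.3.6.1.5.5.7.48.1.1
STATUS_SUCCESSFUL = 0


class DerError(ValueError):
    pass


def _read_tlv(buf):
    """Return (tag, value, end) for the first DER TLV in buf; rejects truncation and
    non-minimal lengths, the kinds of damage that make a body unparseable."""
    if len(buf) < 2 or (buf[0] & 0x1F) == 0x1F:
        raise DerError("truncated or unsupported tag")
    tag, first, pos = buf[0], buf[1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise DerError("non-minimal length")
    if pos + length > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, tag):
    """Read one TLV and require the given tag (0x30 SEQUENCE, 0x0A ENUMERATED, ...)."""
    t, value, end = _read_tlv(buf)
    if t != tag:
        raise DerError("expected tag 0x%02x, got 0x%02x" % (tag, t))
    return value, end


def response_status(der):
    """Outer responseStatus; this is all OCSP_response_status() looks at."""
    body, end = _expect(der, 0x30)
    if end != len(der):
        raise DerError("trailing bytes after OCSPResponse")
    status, _ = _expect(body, 0x0A)
    if len(status) != 1:
        raise DerError("responseStatus must be a single byte")
    return status[0]


def get_basic(der):
    """Stand-in for OCSP_response_get1_basic(): the BasicOCSPResponse body, or None
    when responseBytes is absent, of another type, or not well-formed DER."""
    try:
        body, _ = _expect(der, 0x30)
        _, pos = _expect(body, 0x0A)
        rb, _ = _expect(body[pos:], 0xA0)           # responseBytes [0] EXPLICIT
        rb_seq, _ = _expect(rb, 0x30)
        oid, pos = _expect(rb_seq, 0x06)
        if oid != ID_PKIX_OCSP_BASIC:
            return None
        octets, _ = _expect(rb_seq[pos:], 0x04)
        basic, end = _expect(octets, 0x30)          # BasicOCSPResponse is a SEQUENCE
        return basic if end == len(octets) else None
    except DerError:
        return None


def stapled_before_patch(der):
    """Pre-r1875356 behaviour: a successful outer status was enough to staple."""
    try:
        return response_status(der) == STATUS_SUCCESSFUL
    except DerError:
        return False


def should_staple(der):
    """Post-patch behaviour: the body must also parse as basic OCSP (NOACK otherwise).
    Non-successful status is treated as do-not-staple here; a simplification."""
    return stapled_before_patch(der) and get_basic(der) is not None


def _tlv(tag, value):
    """DER-encode one TLV (helper used only to construct the sample inputs below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_response(status, inner, oid=ID_PKIX_OCSP_BASIC):
    """Constructed OCSPResponse whose response OCTET STRING holds the raw bytes `inner`."""
    rb = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, inner))
    return _tlv(0x30, _tlv(0x0A, bytes([status])) + _tlv(0xA0, rb))


# Constructed samples (not real responder output); the "basic" body is a stand-in SEQUENCE.
GOOD_BASIC = _tlv(0x30, _tlv(0x04, b"stand-in tbsResponseData"))
SAMPLE_PARSEABLE = build_response(STATUS_SUCCESSFUL, GOOD_BASIC)
SAMPLE_GARBAGE_BODY = build_response(STATUS_SUCCESSFUL, b"\xff\x00garbage")  # status ok, body not
SAMPLE_WRONG_TYPE = build_response(STATUS_SUCCESSFUL, GOOD_BASIC, oid=bytes.fromhex("2b0601050507300102"))
SAMPLE_TRY_LATER = _tlv(0x30, _tlv(0x0A, bytes([3])))  # tryLater(3), no responseBytes

if __name__ == "__main__":
    for name, der in [("parseable", SAMPLE_PARSEABLE), ("garbage body", SAMPLE_GARBAGE_BODY),
                      ("wrong type", SAMPLE_WRONG_TYPE), ("tryLater", SAMPLE_TRY_LATER)]:
        print("%-13s before: %-5s after: %s" % (name, stapled_before_patch(der), should_staple(der)))
```

The SAMPLE_GARBAGE_BODY case is the one the commit is about: the outer status byte reads "successful", so the pre-patch decision staples it, while the body inside the OCTET STRING is not a SEQUENCE at all and the post-patch decision withholds it.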

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1875356&r1=1875355&r2=1875356&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Wed Mar 18 11:31:20 2020
@@ -397,10 +397,10 @@ static int stapling_check_response(serve
 
     bs = OCSP_response_get1_basic(rsp);
     if (bs == NULL) {
-        /* If we can't parse response just pass it to client */
+        /* If we can't parse response as OCSP basic, then don't pass it to client */
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
                      "stapling_check_response: Error Parsing Response!");
-        return SSL_TLSEXT_ERR_OK;
+        return SSL_TLSEXT_ERR_NOACK;
     }
 
     if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
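Review bot: the log message at APLOGNO(01934) is unchanged from the pass-through behaviour, so "stapling_check_response: Error Parsing Response!" is now the only trace an operator gets that a responder's reply was withheld from clients rather than stapled, and it does not say so. Since the outer status has already parsed as successful by the time OCSP_response_get1_basic() is reached, suggest making the message carry the new decision, e.g. "stapling_check_response: response status successful but body does not parse as basic OCSP; not stapling". Also worth confirming in the caller that a response rejected on this path is not left in the stapling cache, since nothing in this hunk distinguishes an unparseable response from one that is merely not being sent this time.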