You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2020/03/18 11:31:21 UTC
svn commit: r1875356 - /httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
Author: rpluem
Date: Wed Mar 18 11:31:20 2020
New Revision: 1875356
URL: http://svn.apache.org/viewvc?rev=1875356&view=rev
Log:
* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send
out an OCSP response that can't be parsed.
If the crypto/ASN library can't parse a response as 'basic OCSP'
even if it leads with a OCSP successful status, then don't pass it
to the client. There is nothing to say at all it isn't just garbage.
And if other types of messages are standardized they can be added.
PR: 60182
Obtained from: https://github.com/apache/httpd/commit/e72154c75dab1cc043ea1aad36758806855efb25.diff
Submitted by: <gm...@gmail.com>
Reviewed by: rpluem
Modified:
httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1875356&r1=1875355&r2=1875356&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Wed Mar 18 11:31:20 2020
@@ -397,10 +397,10 @@ static int stapling_check_response(serve
bs = OCSP_response_get1_basic(rsp);
if (bs == NULL) {
- /* If we can't parse response just pass it to client */
+ /* If we can't parse response as OCSP basic, then don't pass it to client */
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
"stapling_check_response: Error Parsing Response!");
- return SSL_TLSEXT_ERR_OK;
+ return SSL_TLSEXT_ERR_NOACK;
}
if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,