Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/05/07 14:52:13 UTC
svn commit: r1593002 - in /httpd/httpd/branches/2.4.x: ./ STATUS
modules/ssl/ssl_util_stapling.c
Author: jim
Date: Wed May 7 12:52:13 2014
New Revision: 1593002
URL: http://svn.apache.org/r1593002
Log:
Merge r1588853 from trunk:
ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty
Submitted by: kbrand
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1588853
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1593002&r1=1593001&r2=1593002&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May 7 12:52:13 2014
@@ -100,11 +100,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: make SSL stapling init more robust for certs w/o responder URI
- trunk patch: https://svn.apache.org/r1588853
- 2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
- +1: kbrand, ylavic, jim
-
* mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
programs, and implement a special merging algorithm for
SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c?rev=1593002&r1=1593001&r2=1593002&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c Wed May 7 12:52:13 2014
@@ -145,14 +145,15 @@ int ssl_stapling_init_cert(server_rec *s
X509_digest(x, EVP_sha1(), cinf->idx, NULL);
aia = X509_get1_ocsp(x);
- if (aia)
+ if (aia) {
cinf->uri = sk_OPENSSL_STRING_pop(aia);
+ X509_email_free(aia);
+ }
if (!cinf->uri && !mctx->stapling_force_url) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
"ssl_stapling_init_cert: no responder URL");
+ return 0;
}
- if (aia)
- X509_email_free(aia);
return 1;
}
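Review bot: The new "return 0;" in the "!cinf->uri && !mctx->stapling_force_url" branch changes the function's result for a certificate with no responder URI, but the hunk adds no comment saying what a 0 return means for the caller; a short comment at the return (or in the function's header comment) would make the contract explicit. A one-line comment would also help to record that X509_email_free(aia) was moved up into the "if (aia)" block so that this early return does not skip it. The APLOG_ERR message "ssl_stapling_init_cert: no responder URL" does not say which certificate is affected, which makes the now-failing condition harder to act on; consider adding something to the message that identifies the certificate.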
@@ -403,6 +404,13 @@ static BOOL stapling_renew_response(serv
else
ocspuri = cinf->uri;
+ if (!ocspuri) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+ "stapling_renew_response: no uri for responder");
+ rv = FALSE;
+ goto done;
+ }
+
/* Create a temporary pool to constrain memory use */
apr_pool_create(&vpool, conn->pool);
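Review bot: The added guard tests only "if (!ocspuri)", that is a NULL pointer, while the log message says to abort if ocspuri is empty; a zero-length string would still pass this check and reach the code below, so consider "if (!ocspuri || !*ocspuri)" if that case can occur. The "goto done;" is also taken before apr_pool_create(&vpool, conn->pool) has run, so please confirm that the cleanup under "done" does not touch vpool unless it was created (for example by initialising vpool to NULL and checking it there).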