You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/05/07 14:52:13 UTC

svn commit: r1593002 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/ssl/ssl_util_stapling.c

Author: jim
Date: Wed May  7 12:52:13 2014
New Revision: 1593002

URL: http://svn.apache.org/r1593002
Log:
Merge r1588853 from trunk:

ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Submitted by: kbrand
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1588853

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1593002&r1=1593001&r2=1593002&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed May  7 12:52:13 2014
@@ -100,11 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: make SSL stapling init more robust for certs w/o responder URI
-     trunk patch: https://svn.apache.org/r1588853
-     2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
-     +1: kbrand, ylavic, jim
-
    * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
      programs, and implement a special merging algorithm for
      SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c?rev=1593002&r1=1593001&r2=1593002&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c Wed May  7 12:52:13 2014
@@ -145,14 +145,15 @@ int ssl_stapling_init_cert(server_rec *s
     X509_digest(x, EVP_sha1(), cinf->idx, NULL);
 
     aia = X509_get1_ocsp(x);
-    if (aia)
+    if (aia) {
         cinf->uri = sk_OPENSSL_STRING_pop(aia);
+        X509_email_free(aia);
+    }
     if (!cinf->uri && !mctx->stapling_force_url) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
                      "ssl_stapling_init_cert: no responder URL");
+        return 0;
     }
-    if (aia)
-        X509_email_free(aia);
     return 1;
 }
 
@@ -403,6 +404,13 @@ static BOOL stapling_renew_response(serv
     else
         ocspuri = cinf->uri;
 
+    if (!ocspuri) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+                     "stapling_renew_response: no uri for responder");
+        rv = FALSE;
+        goto done;
+    }
+
     /* Create a temporary pool to constrain memory use */
     apr_pool_create(&vpool, conn->pool);