Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/09/14 10:08:27 UTC

[Bug 54357] Crash during restart or at startup in mod_ssl, in certinfo_free() function registered by ssl_stapling_ex_init()

https://issues.apache.org/bugzilla/show_bug.cgi?id=54357

Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Sun                         |All
            Summary|Crash during restart when   |Crash during restart or at
                   |using mod_ssl and           |startup in mod_ssl, in
                   |apr_crypto                  |certinfo_free() function
                   |(mod_session_crypto)        |registered by
                   |                            |ssl_stapling_ex_init()
                 OS|Solaris                     |All

--- Comment #10 from Kaspar Brand <as...@velox.ch> ---
(In reply to Alex Bligh from comment #9)
> I have assumed that one set of stapling information per certificate is
> required, not per certificate algorithm (i.e. we do not need an array).

Thank you for looking into this. A couple of comments:

- Your patch is against 2.4.7 I assume. In 2.4.8, major changes were done in
the area of server certificate configuration (r1573360), i.e. there is no
longer a fixed limit of three certificates (RSA/DSA/ECC) per SSL_CTX.

- OCSP stapling (RFC 6066, section 8) is a per-certificate feature, actually,
so we need to make sure that we have a per-certificate store (not a
per-modssl_pk_server_t one only) for the certinfo struct.

- Using an array which parallels the current "cert_files" in the
modssl_pk_server_t struct might be sufficient for the time being, though I'm
reluctant to say that it's futureproof. If RFC 6961 ("Multiple Certificate
Status Request Extension") support becomes available in OpenSSL one day, there
would be a need to have a certinfo struct attached to each certificate in the
chain.

- It would be best to write the patch against trunk, after which it can be
proposed for backport to 2.4.x.

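The per-certificate store that the comment asks for, as an added illustration that is not mod_ssl's code and not the patch under discussion. The real module attaches its cached OCSP state through an OpenSSL ex_data index (the bug title names certinfo_free() as registered by ssl_stapling_ex_init()); this example instead uses the plain parallel-array layout the comment calls "sufficient for the time being": a hypothetical pk_server_t whose certinfo[i] belongs to cert_files[i], so each configured certificate carries its own cached response and each entry is released exactly once when the store is torn down. All struct and function names, the certinfo layout and the sample response bytes are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Cached OCSP status for ONE certificate. Hypothetical layout; the
 * real mod_ssl certinfo struct is not shown on this page. */
typedef struct certinfo {
    unsigned char *resp;   /* DER-encoded OCSP response, NULL if nothing cached */
    size_t resp_len;
    long expire;           /* epoch seconds after which resp must be refreshed */
} certinfo_t;

/* Hypothetical stand-in for modssl_pk_server_t: cert_files[i] and
 * certinfo[i] describe the same certificate, so stapling state lives
 * per certificate rather than once per server context. */
typedef struct pk_server {
    char **cert_files;
    certinfo_t **certinfo;
    size_t ncerts;
    size_t cap;
} pk_server_t;

/* Counts calls to certinfo_free() so a test can check that every
 * entry is released exactly once (and never twice) on teardown. */
static size_t certinfo_frees = 0;

static void certinfo_free(certinfo_t *ci)
{
    if (!ci) return;
    free(ci->resp);
    free(ci);
    certinfo_frees++;
}

/* Append a certificate with an empty certinfo slot; returns its index,
 * or -1 on allocation failure. */
static long pk_server_add_cert(pk_server_t *s, const char *cert_file)
{
    if (s->ncerts == s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 4;
        char **nf = realloc(s->cert_files, ncap * sizeof *nf);
        if (!nf) return -1;
        s->cert_files = nf;
        certinfo_t **nc = realloc(s->certinfo, ncap * sizeof *nc);
        if (!nc) return -1;
        s->certinfo = nc;
        s->cap = ncap;
    }
    size_t len = strlen(cert_file) + 1;
    char *name = malloc(len);
    certinfo_t *ci = calloc(1, sizeof *ci);
    if (!name || !ci) { free(name); free(ci); return -1; }
    memcpy(name, cert_file, len);
    s->cert_files[s->ncerts] = name;
    s->certinfo[s->ncerts] = ci;
    return (long)s->ncerts++;
}

/* Find the stapling state of one certificate by file name; NULL if unknown. */
static certinfo_t *pk_server_certinfo(const pk_server_t *s, const char *cert_file)
{
    for (size_t i = 0; i < s->ncerts; i++)
        if (strcmp(s->cert_files[i], cert_file) == 0)
            return s->certinfo[i];
    return NULL;
}

/* Store a copy of a freshly fetched OCSP response for one certificate. */
static int certinfo_cache(certinfo_t *ci, const unsigned char *resp,
                          size_t len, long expire)
{
    unsigned char *copy = malloc(len);
    if (!copy) return 0;
    memcpy(copy, resp, len);
    free(ci->resp);          /* drop the previous response, if any */
    ci->resp = copy;
    ci->resp_len = len;
    ci->expire = expire;
    return 1;
}

/* Is there a cached response that can still be stapled at time `now`? */
static int certinfo_valid(const certinfo_t *ci, long now)
{
    return ci && ci->resp && now < ci->expire;
}

/* Tear down the store: the store owns every certinfo, so each is freed
 * here and nowhere else. */
static void pk_server_free(pk_server_t *s)
{
    for (size_t i = 0; i < s->ncerts; i++) {
        free(s->cert_files[i]);
        certinfo_free(s->certinfo[i]);
    }
    free(s->cert_files);
    free(s->certinfo);
    memset(s, 0, sizeof *s);
}

/* Demo on constructed input: two certificates, a response cached for one.
 * Returns how many certificates had a stapleable response at `now`,
 * or -1 on allocation failure. */
static int demo(long now)
{
    /* Constructed placeholder bytes, not a real DER OCSP response. */
    static const unsigned char fake_resp[] = {0x30, 0x03, 0x0a, 0x01, 0x00};
    pk_server_t s = {0};
    certinfo_frees = 0;
    if (pk_server_add_cert(&s, "rsa.pem") < 0 ||
        pk_server_add_cert(&s, "ecc.pem") < 0) {
        pk_server_free(&s);
        return -1;
    }
    certinfo_t *ci = pk_server_certinfo(&s, "rsa.pem");
    if (!ci || !certinfo_cache(ci, fake_resp, sizeof fake_resp, now + 3600)) {
        pk_server_free(&s);
        return -1;
    }
    int valid = 0;
    for (size_t i = 0; i < s.ncerts; i++)
        valid += certinfo_valid(s.certinfo[i], now);
    pk_server_free(&s);
    return valid;
}
```

The ownership rule is the point: whoever frees the store frees each certinfo once, and no second owner (another server context, a shared pointer, a second teardown path) holds the same certinfo. The parallel array only covers the end-entity certificates; supporting RFC 6961 as the comment describes would mean hanging a certinfo off every certificate in the chain, which is why the comment hesitates to call this layout future-proof.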
