Posted to cvs@httpd.apache.org by yl...@apache.org on 2019/08/23 10:31:01 UTC

svn commit: r1865740 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Author: ylavic
Date: Fri Aug 23 10:31:01 2019
New Revision: 1865740

URL: http://svn.apache.org/viewvc?rev=1865740&view=rev
Log:
mod_ssl: OCSP does not apply to proxy mode, fix verify context.

Since ssl_callback_SSLVerify() is called for both server and proxy modes,
use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e.
none for proxy in any case).

PR 63679.
Submitted by: Lubos Uhliarik <luhliari redhat.com>

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1865740&r1=1865739&r2=1865740&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Aug 23 10:31:01 2019
@@ -1831,8 +1831,8 @@ int ssl_callback_SSLVerify(int ok, X509_
     /*
      * Perform OCSP-based revocation checks
      */
-    if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
-         (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {     
+    if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+         (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {     
         /* If there was an optional verification error, it's not
          * possible to perform OCSP validation since the issuer may be
          * missing/untrusted.  Fail in that case. */
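
Review bot: The new condition on the two `+` lines reads `mctx->ocsp_mask`, but `mctx` is neither declared nor assigned inside this hunk, so the fix relies on it having been set from myCtxConfig() earlier in ssl_callback_SSLVerify(), as the log message describes. Please confirm it is derived from the connection's mode (server vs. proxy) before this point. The comment above the check ("Perform OCSP-based revocation checks") would benefit from one line saying the mask comes from the per-mode context and is expected to be none for proxy connections, since that is the purpose of the change and is not evident from the condition itself. Minor: the second `+` line keeps the trailing whitespace after `{` from the line it replaces; trim it while the line is being touched.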