Posted to cvs@httpd.apache.org by kb...@apache.org on 2011/08/28 18:50:13 UTC
svn commit: r1162553 - /httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
Author: kbrand
Date: Sun Aug 28 16:50:12 2011
New Revision: 1162553
URL: http://svn.apache.org/viewvc?rev=1162553&view=rev
Log:
Better safe than sorry: with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
may not always return a cert.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1162553&r1=1162552&r2=1162553&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Aug 28 16:50:12 2011
@@ -252,8 +252,15 @@ int modssl_verify_ocsp(X509_STORE_CTX *c
apr_pool_t *vpool;
int rv;
- /* don't do OCSP checking for valid self-issued certs */
- if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ if (!cert) {
+ /* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
+ * may yield NULL. Return early, but leave the ctx error as is. */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "No cert available to check with OCSP");
+ return 1;
+ }
+ else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ /* don't do OCSP checking for valid self-issued certs */
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
"Skipping OCSP check for valid self-issued cert");
X509_STORE_CTX_set_error(ctx, X509_V_OK);
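Review bot: The new `if (!cert)` branch returns 1 without any revocation check having run, and its only trace is an `APLOG_TRACE2` message, so a skipped OCSP check is invisible at normal log levels. Whether returning success here is safe depends on the caller still acting on the ctx error that is deliberately left untouched, and that caller is not visible in this hunk. The comment should state this contract, e.g. `/* No cert to check: OCSP is skipped (fail-open); the caller must still honour the existing ctx error. */`. Consider logging this branch at `APLOG_DEBUG` or higher so operators can tell when revocation checking did not run. The body of modssl_verify_ocsp starts and ends outside the hunk, including the assignment of `cert`.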