* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't stop
authorRuediger Pluem <rpluem@apache.org>
Wed, 18 Mar 2020 11:28:40 +0000 (11:28 +0000)
committerRuediger Pluem <rpluem@apache.org>
Wed, 18 Mar 2020 11:28:40 +0000 (11:28 +0000)
  Certificate Revoked messages.

  Certificate Revoked Responder messages don't belong to 'error' class.
  When the server receives one, it MUST be passed on to the client
  and stored for the normal period of basic responses.

  Also don't log an error each time it is retrieved from cache,
  only once when it is retrieved from the OCSP responder.

PR: 60182
Obtained from: https://github.com/apache/httpd/commit/7db9795f45fd4688ceb13ee36090e4e2becbc709.diff
Submitted by: <gmoniker@gmail.com>
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875355 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_util_stapling.c

index 9a65d1415a6e318f453c7174e33c4cd79acda41d..6b98bf9a7f4be416e5a3feedda7e089fc196ec19 100644 (file)
@@ -435,7 +435,7 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
             rv = SSL_TLSEXT_ERR_NOACK;
         }
 
-        if (status != V_OCSP_CERTSTATUS_GOOD) {
+        if (status != V_OCSP_CERTSTATUS_GOOD && pok) {
             char snum[MAX_STRING_LEN] = { '\0' };
             BIO *bio = BIO_new(BIO_s_mem());
 
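Review bot: The `&& pok` test added to the status check in stapling_check_response appears to use the NULL-ness of an out-parameter to mean "this response was just fetched from the responder", and nothing in the code says so. A comment such as `/* pok is non-NULL only when the response was just fetched; log a non-good status once, not on every cache hit */` would stop a later caller that passes a non-NULL pok for cached data from silently changing what gets logged. The condition also still matches every status other than `V_OCSP_CERTSTATUS_GOOD`, so with the block removed in the second hunk (-456,12) a response with `V_OCSP_CERTSTATUS_UNKNOWN`, not only a revoked one, presumably no longer takes the `SSL_TLSEXT_ERR_NOACK` path when `stapling_return_errors` is FALSE. If that is intended, the commit message and the directive's documentation should say so; otherwise the removed handling should stay for the unknown status. The function starts and ends outside both hunks, so how callers pass pok is inferred from the commit message rather than visible here.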
@@ -456,12 +456,6 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
                          (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
                          OCSP_crl_reason_str(reason) : "n/a",
                          snum[0] ? snum : "[n/a]");
-
-            if (mctx->stapling_return_errors == FALSE) {
-                if (pok)
-                    *pok = FALSE;
-                rv = SSL_TLSEXT_ERR_NOACK;
-            }
         }
     }