Merge r1874007 from trunk:
authorJoe Orton <jorton@apache.org>
Wed, 3 Mar 2021 17:43:04 +0000 (17:43 +0000)
committerJoe Orton <jorton@apache.org>
Wed, 3 Mar 2021 17:43:04 +0000 (17:43 +0000)
* modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header
  to close to indicate that we do not want to keep the HTTP connection to the
  OCSP responder alive. We don't reuse the connections currently and if the
  OCSP responder keeps the connection alive, we could end up waiting for the
  responder's keepalive timeout to expire before we finish reading the OCSP
  response.

PR: 64135
Submitted by: rpluem
Reviewed by: jorton, ylavic, covener

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887155 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_util_ocsp.c

diff --git a/CHANGES b/CHANGES
index fc280c3320e5916ea809db80ff4cd965451fe80e..861d6a528095da2c9545d296f21abf92f91bc6d8 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.47
 
+  *) mod_ssl: Do not keep connections to OCSP responders alive when doing
+     OCSP requests.  PR 64135.  [Ruediger Pluem]
+
   *) mod_ssl: Improve the coalescing filter to buffer into larger TLS
      records, and avoid revealing the HTTP header size via TLS record
      boundaries (for common response generators).
index b66e15146c85478398d3a610836026c72477eac5..b9c8a0b850e1cec468e3b9652b1c9faf23aa0cf1 100644 (file)
@@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri,
     BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
                "Host: %s:%d\r\n"
                "Content-Type: application/ocsp-request\r\n"
+               "Connection: close\r\n"
                "Content-Length: %d\r\n"
                "\r\n",
                uri->path ? uri->path : "/",
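Review bot: The added `Connection: close` line in serialize_request's format string is only a request to the responder, so the stall described in PR 64135 is avoided only when the responder honours it; a responder that ignores the header can still hold the read open. The code that reads the OCSP response is outside this hunk, so it is worth confirming there that the read is bounded by its own timeout or by the response's Content-Length rather than by EOF alone. The new header also deserves a short comment above the BIO_printf call, for example `/* Ask the responder to close: connections are not reused, and waiting for EOF would otherwise last until its keepalive timeout (PR 64135). */`. serialize_request begins and ends outside the hunk.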