From: Joe Orton Date: Wed, 3 Mar 2021 17:43:04 +0000 (+0000) Subject: Merge r1874007 from trunk: X-Git-Tag: 2.4.47~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8fd786f4f0ff79c6b94f48ba8b24b01eaefa322a;p=thirdparty%2Fapache%2Fhttpd.git Merge r1874007 from trunk: * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header to close to indicate that we do not want to keep the HTTP connection to the OCSP responder alive. We don't reuse the connections currently and if the OCSP responder keeps the connection alive this could cause us to wait for keepalive timeout of the OCSP responder to timeout until we finish our reading of the OCSP response. PR: 64135 Submitted by: rpluem Reviewed by: jorton, ylavic, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887155 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fc280c3320e..861d6a52809 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.47 + *) mod_ssl: Do not keep connections to OCSP responders alive when doing + OCSP requests. PR 64135. [Ruediger Pluem] + *) mod_ssl: Improve the coalescing filter to buffer into larger TLS records, and avoid revealing the HTTP header size via TLS record boundaries (for common response generators). diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index b66e15146c8..b9c8a0b850e 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri, BIO_printf(bio, "%s%s%s HTTP/1.0\r\n" "Host: %s:%d\r\n" "Content-Type: application/ocsp-request\r\n" + "Connection: close\r\n" "Content-Length: %d\r\n" "\r\n", uri->path ? uri->path : "/",
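Review bot: The CHANGES entry for mod_ssl names the mechanism ("Do not keep connections to OCSP responders alive") but not the symptom an administrator would search for. The commit message describes that symptom as waiting for the responder's keepalive timeout before the OCSP response read finishes, so consider adding a short clause such as "avoids waiting for the responder's keepalive timeout".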
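Review bot: The new "Connection: close\r\n" line in serialize_request() has no comment, and it sits in a request whose request line is "HTTP/1.0", where a later reader may take the header for redundant and drop it. A short comment above the BIO_printf() call would protect it, noting that the connection is never reused and that some responders otherwise hold it open (PR 64135). The change also only helps when the responder honors the header. Per the commit message, the client otherwise waits out the responder's keepalive timeout, so a follow-up that bounds the response read by the response's Content-Length would remove the dependency on responder behaviour.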