* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't stop
Certificate Revoked messages.
Certificate Revoked Responder messages don't belong to 'error' class.
When the server receives one, it MUST be passed on to the client
and stored for the normal period of basic responses.
Also don't log an error each time it is retrieved from cache,
only once when it is retrieved from the OCSP responder.
PR: 60182
Obtained from: https://github.com/apache/httpd/commit/
7db9795f45fd4688ceb13ee36090e4e2becbc709.diff
Submitted by: <gmoniker gmail.com>
Reviewed by: gbechis, icing, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@
1910820 13f79535-47bb-0310-9956-
ffa450edef68
--- /dev/null
+ *) mod_ssl: Fix handling of of Certificate Revoked messags
+ in OCSP stapling. PR 60182 [<gmoniker gmail.com>]
rv = SSL_TLSEXT_ERR_NOACK;
}
- if (status != V_OCSP_CERTSTATUS_GOOD) {
+ if (status != V_OCSP_CERTSTATUS_GOOD && pok) {
char snum[MAX_STRING_LEN] = { '\0' };
BIO *bio = BIO_new(BIO_s_mem());
(reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
OCSP_crl_reason_str(reason) : "n/a",
snum[0] ? snum : "[n/a]");
-
- if (mctx->stapling_return_errors == FALSE) {
- if (pok)
- *pok = FALSE;
- rv = SSL_TLSEXT_ERR_NOACK;
- }
}
}
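Review bot: The deleted `stapling_return_errors` block sat under `status != V_OCSP_CERTSTATUS_GOOD`, so removing it changes behaviour for every non-good status, not only revoked: a `V_OCSP_CERTSTATUS_UNKNOWN` response would now also leave `rv` and `*pok` untouched here, while the commit message argues only for Certificate Revoked. If that is not intended, the block could stay behind a narrower guard such as `if (status != V_OCSP_CERTSTATUS_REVOKED && mctx->stapling_return_errors == FALSE)`; if it is intended, the CHANGES entry should say so. Separately, the new `&& pok` test uses the pointer's nullness to mean "fresh from the responder" (presumably the cache path passes NULL, going by the commit message), which deserves a comment above the `if`, e.g. `/* pok == NULL: cached response, already logged when it was fetched */`. The body of stapling_check_response starts and ends outside the visible lines.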