* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send

  out an OCSP response that can't be parsed.

  If the crypto/ASN library can't parse a response as 'basic OCSP'
  even if it leads with a OCSP successful status, then don't pass it
  to the client. There is nothing to say at all it isn't just garbage.
  And if other types of messages are standardized they can be added.

PR: 60182
Obtained from: https://github.com/apache/httpd/commit/e72154c75dab1cc043ea1aad36758806855efb25.diff
Submitted by: <gmoniker@gmail.com>
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875356 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 6b98bf9a7f4be416e5a3feedda7e089fc196ec19..7f15eeeceff9dead5dd78f43c3f7bbe5ff6e9950 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -397,10 +397,10 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 
     bs = OCSP_response_get1_basic(rsp);
     if (bs == NULL) {
-        /* If we can't parse response just pass it to client */
+        /* If we can't parse response as OCSP basic, then don't pass it to client */
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934)
                      "stapling_check_response: Error Parsing Response!");
-        return SSL_TLSEXT_ERR_OK;
+        return SSL_TLSEXT_ERR_NOACK;
     }
 
     if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,