Any failure to obtain a response from the original OCSP responder
with SSLStaplingFakeTryLater set to ON should generate a cacheable response.
BUT the cached response has to be marked as an error at time of caching.
Otherwise it will be cached too long, AND the generated error response
will go out to the client even if SSLStaplingReturnResponderErrors
is set to OFF.
This change is in line with trunk and 2.5.
"stapling_renew_response: responder error");
if (mctx->stapling_fake_trylater) {
*prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+ *pok = FALSE;
}
else {
goto done;
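Review bot: the added `*pok = FALSE;` in the `stapling_fake_trylater` branch carries no comment explaining why a synthesized try-later response must be flagged as a failure, and a later reader could take it for a mistake and remove it. The reason is given only in the commit message: the response has to be cached as an error so it is not cached too long, and so it is not sent to the client when SSLStaplingReturnResponderErrors is OFF. A short comment above the assignment saying so would keep that visible in the code. Separately, in the same branch the result of `OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL)` is stored in `*prsp` with no NULL check in the visible lines; it is worth confirming that the code after this branch copes with a NULL `*prsp` now that `*pok` is FALSE on this path.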