BUG/MINOR: ssl: OCSP callback only registered for first SSL_CTX

If multiple SSL_CTXs use the same certificate that has an OCSP response
file on the filesystem, only the first one will have the OCSP callback
set. This bug was introduced by "cc346678d MEDIUM: ssl: Add ocsp_certid
in ckch structure and discard ocsp buffer early" which cleared the
ocsp_response from the ckch_data after it was inserted in the tree,
which prevented subsequent contexts from having the callback registered.

This patch should be backported to 2.8.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e3e321425c9588f9775933650708514d4ac9b276..6453265a34ebd91de98eb49f27409789208ad64f 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1132,7 +1132,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
        /* In case of ocsp update mode set to 'on', this function might be
         * called with no known ocsp response. If no ocsp uri can be found in
         * the certificate, nothing needs to be done here. */
-       if (!data->ocsp_response) {
+       if (!data->ocsp_response && !data->ocsp_cid) {
                if (data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_ON || b_data(ocsp_uri) == 0) {
                        ret = 0;
                        goto out;