From: Joe Orton
Date: Thu, 6 Jul 2023 16:11:56 +0000 (+0000)
Subject: Merge r1875355 from trunk:
X-Git-Tag: 2.4.58-rc1-candidate~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d617dbeaf481d62298d093deb0bda0637537cd8;p=thirdparty%2Fapache%2Fhttpd.git
Merge r1875355 from trunk:
* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't stop Certificate Revoked messages. Certificate Revoked Responder messages don't belong to 'error' class. When the server receives one, it MUST be passed on to the client. And stored for the normal period of basic responses. Also don't log an error each time it is retrieved from cache, only once when it is retrieved from the OCSP responder.
PR: 60182
Obtained from: https://github.com/apache/httpd/commit/7db9795f45fd4688ceb13ee36090e4e2becbc709.diff
Submitted by:
Reviewed by: gbechis, icing, ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1910820 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/changes-entries/pr60182.txt b/changes-entries/pr60182.txt
new file mode 100644
index 00000000000..dcd08a6d2b4
--- /dev/null
+++ b/changes-entries/pr60182.txt
@@ -0,0 +1,2 @@
+ *) mod_ssl: Fix handling of of Certificate Revoked messags
+ in OCSP stapling. PR 60182 []
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index ab77e4a10af..c9d1d8e13d8 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -445,7 +445,7 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 rv = SSL_TLSEXT_ERR_NOACK;
 }
- if (status != V_OCSP_CERTSTATUS_GOOD) {
+ if (status != V_OCSP_CERTSTATUS_GOOD && pok) {
 char snum[MAX_STRING_LEN] = { '\0' };
 BIO *bio = BIO_new(BIO_s_mem());
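Review bot: The new `&& pok` on the `status != V_OCSP_CERTSTATUS_GOOD` condition uses the presence of the output pointer as a proxy for "this response was just fetched from the responder", and nothing in the hunk says so; a reader will take `pok` to mean only that the caller wants the ok flag. If, as the commit message states, cache hits call with a NULL `pok`, put that above the condition: `/* pok is NULL when the response came from the stapling cache: log a non-good certificate status once, on the fetch from the responder, not on every cache hit */`. Note also that the condition matches V_OCSP_CERTSTATUS_UNKNOWN as well as REVOKED, so the log line inside it (and anything else that keys off this branch) covers both, although the commit message and the CHANGES entry speak only of revoked certificates. stapling_check_response begins and ends outside this hunk.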
@@ -466,12 +466,6 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
 (reason != OCSP_REVOKED_STATUS_NOSTATUS) ? OCSP_crl_reason_str(reason) : "n/a", snum[0] ? snum : "[n/a]");
-
- if (mctx->stapling_return_errors == FALSE) {
- if (pok)
- *pok = FALSE;
- rv = SSL_TLSEXT_ERR_NOACK;
- }
 }
 }
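Review bot: `SSLStaplingReturnResponderErrors` no longer gates the certificate-status path once this block is gone: every response whose status is not V_OCSP_CERTSTATUS_GOOD, revoked but also unknown, is now stapled with `rv` left at whatever it held before the branch and `*pok` never cleared, regardless of how the directive is set. Passing a revoked status through to the client is the right behaviour, but it is a visible configuration change that the CHANGES entry in this commit does not describe, and if the directive's documentation still says it covers responses with a certificate status other than "good" it is now wrong for this path; I would reword the entry to something like `*) mod_ssl: Always staple OCSP responses whose certificate status is revoked or unknown, independent of SSLStaplingReturnResponderErrors. PR 60182` and fix the directive text to match. Please also confirm that an "unknown" status is meant to bypass the directive in the same way, since the original report is about revoked certificates only. The two closing braces at the end of the hunk close the if and an enclosing block; stapling_check_response itself begins and ends outside this hunk.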