From: Ruediger Pluem
Date: Wed, 18 Mar 2020 11:28:40 +0000 (+0000)
Subject: * modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't stop
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1580
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5699abfec6e506bcca7e814a566e593a95ed1e9b;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't stop
Certificate Revoked messages.

Certificate Revoked Responder messages don't belong to the 'error' class. When the server receives one, it MUST be passed on to the client. And stored for the normal period of basic responses.

Also don't log an error each time it is retrieved from cache, only once when it is retrieved from the OCSP responder.

PR: 60182
Obtained from: https://github.com/apache/httpd/commit/7db9795f45fd4688ceb13ee36090e4e2becbc709.diff
Submitted by:
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875355 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index 9a65d1415a6..6b98bf9a7f4 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -435,7 +435,7 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, rv = SSL_TLSEXT_ERR_NOACK; } - if (status != V_OCSP_CERTSTATUS_GOOD) { + if (status != V_OCSP_CERTSTATUS_GOOD && pok) { char snum[MAX_STRING_LEN] = { '\0' }; BIO *bio = BIO_new(BIO_s_mem()); @@ -456,12 +456,6 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, (reason != OCSP_REVOKED_STATUS_NOSTATUS) ? OCSP_crl_reason_str(reason) : "n/a", snum[0] ? snum : "[n/a]"); - - if (mctx->stapling_return_errors == FALSE) { - if (pok) - *pok = FALSE; - rv = SSL_TLSEXT_ERR_NOACK; - } } }
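Review bot: in the first hunk (`@@ -435,7 +435,7 @@`), the added `&& pok` makes the `pok` out-parameter do double duty: besides being the value the caller reads back, a NULL `pok` is now the implicit signal that the response came from the cache rather than from the responder, which is what restricts the revoked-status log block to a fresh fetch as the commit message intends. Nothing in the function states that convention; add a short comment above the `if` (e.g. `/* pok is NULL for cached responses: log the revoked status only on a fresh fetch */`), or pass an explicit "freshly fetched" flag instead, so a future caller that hands in a non-NULL `pok` for a cache lookup does not silently reintroduce the log-on-every-retrieval behaviour. The now-redundant inner `if (pok)` guard in the second hunk confirms that `pok` was the only thing the block needed to be protected against.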
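Review bot: in the second hunk (`@@ -456,12 +456,6 @@`), deleting the `mctx->stapling_return_errors == FALSE` block means a non-GOOD (revoked) status no longer clears `*pok` or sets `rv = SSL_TLSEXT_ERR_NOACK`, so it falls through the same path as a GOOD response and `stapling_return_errors` has no effect in this branch at all any more. That matches the intent in the commit message, but the deleted lines were the only place a reader could see that a revoked response is deliberately treated as valid and cacheable; leave a one-line comment where the block was (e.g. `/* Revoked is a valid, cacheable response, not a responder error: always staple it. */`), and check whether the documentation of the directive behind `stapling_return_errors` still describes revoked responses as something that setting suppresses, since it would now be wrong.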