From: Ruediger Pluem Date: Fri, 14 Feb 2020 09:38:12 +0000 (+0000) Subject: * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header X-Git-Tag: 2.5.0-alpha2-ci-test-only~1656 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5906e825c45e6ba7b998f2752d46d0dde8f7bf09;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_util_ocsp.c (serialize_request): Set the Connection header to close to indicate that we do not want to keep the HTTP connection to the OCSP responder alive. We don't reuse the connections currently and if the OCSP responder keeps the connection alive this could cause us to wait for keepalive timeout of the OCSP responder to timeout until we finish our reading of the OCSP response. PR: 64135 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1874007 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index bfcb87d4126..450d87776a2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_ssl: Do not keep connections to OCSP responders alive when doing + OCSP requests. PR 64135. [Ruediger Pluem] + *) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github issue mod_md#172 (https://github.com/icing/mod_md/issues/172). [Michael Kaufmann , Stefan Eissing] diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index b66e15146c8..b9c8a0b850e 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -46,6 +46,7 @@ static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri, BIO_printf(bio, "%s%s%s HTTP/1.0\r\n" "Host: %s:%d\r\n" "Content-Type: application/ocsp-request\r\n" + "Connection: close\r\n" "Content-Length: %d\r\n" "\r\n", uri->path ? uri->path : "/",
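Review bot: The added "Connection: close\r\n" line in the modules/ssl/ssl_util_ocsp.c hunk goes into a request whose request line is still "HTTP/1.0", and nothing in serialize_request documents why it is needed there. A short comment above the BIO_printf call would help, saying that the connection to the OCSP responder is never reused and that a responder may otherwise keep it alive (PR 64135). The header is also only a request to the responder: going by the commit message, reading the OCSP response finishes when the responder closes the connection, so a responder that ignores the header would still hold the caller until its keepalive timeout expires. Bounding the read on the caller's side, by the response's Content-Length or by a timeout, would remove that dependency on responder behaviour.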