From: Ruediger Pluem
Date: Wed, 18 Mar 2020 11:31:20 +0000 (+0000)
Subject: * modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send
X-Git-Tag: 2.5.0-alpha2-ci-test-only~1579
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6289dfffa43b142bed34629967a4f1a4cf051171;p=thirdparty%2Fapache%2Fhttpd.git

* modules/ssl/ssl_util_stapling.c (stapling_check_response) Don't send
out an OCSP response that can't be parsed.

If the crypto/ASN library can't parse a response as 'basic OCSP' even if
it leads with an OCSP successful status, then don't pass it to the client.
There is nothing to say at all it isn't just garbage. And if other types
of messages are standardized they can be added.

PR: 60182
Obtained from: https://github.com/apache/httpd/commit/e72154c75dab1cc043ea1aad36758806855efb25.diff
Submitted by:
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1875356 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index 6b98bf9a7f4..7f15eeeceff 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -397,10 +397,10 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, bs = OCSP_response_get1_basic(rsp); if (bs == NULL) { - /* If we can't parse response just pass it to client */ + /* If we can't parse response as OCSP basic, then don't pass it to client */ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01934) "stapling_check_response: Error Parsing Response!"); - return SSL_TLSEXT_ERR_OK; + return SSL_TLSEXT_ERR_NOACK; } if (!OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
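Review bot: the unchanged log line in this hunk, APLOGNO(01934) "stapling_check_response: Error Parsing Response!", no longer matches the new behaviour: with the return value switched from SSL_TLSEXT_ERR_OK to SSL_TLSEXT_ERR_NOACK the server now withholds the status, and the parse failure specifically means OCSP_response_get1_basic() found no id-pkix-ocsp-basic payload even though the outer status was "successful". Suggest rewording the message so an operator reading the log at APLOG_ERR can tell that the responder's reply was rejected and that nothing will be stapled for this certificate, e.g. "stapling_check_response: response is not basic OCSP, not stapling". Since this is a visible behaviour change for clients (no status extension instead of an unparseable blob), a CHANGES entry referencing PR 60182 should accompany the patch; the diff touches only ssl_util_stapling.c.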