From: WIND Internet Date: Tue, 17 Mar 2020 21:04:15 +0000 (+0100) Subject: [SECURITY] Don't stop Certificate Revoked messages. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7db9795f45fd4688ceb13ee36090e4e2becbc709;p=thirdparty%2Fapache%2Fhttpd.git [SECURITY] Don't stop Certificate Revoked messages. Certificate Revoked Responder messages don't belong to 'error' class. When the server receives one, it MUST be passed on to the client. And stored for the normal period of basic responses. Also don't log an error each time it is retrieved from cache, only once when it is retrieved from the OCSP responder. --- diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index b40db52f4e..d75e9d061e 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -435,7 +435,7 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, rv = SSL_TLSEXT_ERR_NOACK; } - if (status != V_OCSP_CERTSTATUS_GOOD) { + if (status != V_OCSP_CERTSTATUS_GOOD && pok) { char snum[MAX_STRING_LEN] = { '\0' }; BIO *bio = BIO_new(BIO_s_mem()); @@ -456,12 +456,6 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx, (reason != OCSP_REVOKED_STATUS_NOSTATUS) ? OCSP_crl_reason_str(reason) : "n/a", snum[0] ? snum : "[n/a]"); - - if (mctx->stapling_return_errors == FALSE) { - if (pok) - *pok = FALSE; - rv = SSL_TLSEXT_ERR_NOACK; - } } }