From: WIND Internet
Date: Tue, 10 Mar 2020 23:50:06 +0000 (+0100)
Subject: Treat a SSLFakeTryLater generated response as a responder error.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a43f7c1f5af0280d46a3b068a7f2bae75374b80f;p=thirdparty%2Fapache%2Fhttpd.git

Treat a SSLFakeTryLater generated response as a responder error.

Any failure to obtain a response from the original OCSP responder with SSLStaplingFakeTryLater set to ON should generate a cacheable response. BUT the cached response has to be marked as an error at time of caching. Otherwise it will be cached too long, AND the generated error response will go out to the client even if SSLStaplingReturnResponderErrors is set to OFF. This change is in line with trunk and 2.5.
---
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index b4f34179433..b40db52f4e8 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -549,6 +549,7 @@ static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
 "stapling_renew_response: responder error");
 if (mctx->stapling_fake_trylater) {
 *prsp = OCSP_response_create(OCSP_RESPONSE_STATUS_TRYLATER, NULL);
+ *pok = FALSE;
 }
 else {
 goto done;
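Review bot: The added `*pok = FALSE;` carries no comment explaining that it is what makes the synthesized TRYLATER response cache with the error timeout and be withheld when SSLStaplingReturnResponderErrors is off, which is the whole point of the commit; read on its own, the code flags a freshly created response as a failure for no visible reason. A one-line comment such as `/* fake response: cache with the error timeout and honour SSLStaplingReturnResponderErrors */` above the assignment would carry that. Separately, OCSP_response_create() returns NULL on allocation failure and nothing in the hunk checks `*prsp` afterwards; if the caller does not handle a NULL response, `if (*prsp == NULL) goto done;` belongs immediately after the create. stapling_renew_response begins and continues outside this hunk, so the later handling of `*prsp` and `*pok` is not visible here and the NULL concern is inferred rather than confirmed.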