From: Yann Ylavic Date: Fri, 23 Aug 2019 10:31:01 +0000 (+0000) Subject: mod_ssl: OCSP does not apply to proxy mode, fix verify context. X-Git-Tag: 2.5.0-alpha2-ci-test-only~1920 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2c35e93608e737d28d8dd51ad15972df5c72f71;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: OCSP does not apply to proxy mode, fix verify context. Since ssl_callback_SSLVerify() is called for both server and proxy modes, use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e. none for proxy in any case). PR 63679. Submitted by: Lubos Uhliarik git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1865740 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 488e6abf357..a29eebb4e8a 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1831,8 +1831,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) /* * Perform OCSP-based revocation checks */ - if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) || - (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { + if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) || + (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { /* If there was an optional verification error, it's not * possible to perform OCSP validation since the issuer may be * missing/untrusted. Fail in that case. */
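Review bot: The rewritten condition `if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) || ...` depends on `mctx` already pointing at the context for the current connection mode, but neither its declaration nor its assignment appears in this hunk; please confirm it is set from myCtxConfig() earlier in ssl_callback_SSLVerify() on every path that reaches this check. The commit message relies on the proxy context's ocsp_mask being none "in any case", which nothing in these lines enforces. The "Perform OCSP-based revocation checks" comment above the test would be a good place to say that the mask is taken from the per-mode context and that proxy connections therefore skip OCSP. A regression test for PR 63679 (a proxied backend with OCSP checking enabled on the server side) would guard against the mask being read from sc->server again.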