From 7db9795f45fd4688ceb13ee36090e4e2becbc709 Mon Sep 17 00:00:00 2001
From: WIND Internet
Date: Tue, 17 Mar 2020 22:04:15 +0100
Subject: [PATCH] [SECURITY] Don't stop Certificate Revoked messages.

Certificate Revoked Responder messages don't belong to 'error' class. When the server receives one, it MUST be passed on to the client. And stored for the normal period of basic responses. Also don't log an error each time it is retrieved from cache, only once when it is retrieved from the OCSP responder.
---
 modules/ssl/ssl_util_stapling.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index b40db52f4e..d75e9d061e 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -435,7 +435,7 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
         rv = SSL_TLSEXT_ERR_NOACK;
     }
-    if (status != V_OCSP_CERTSTATUS_GOOD) {
+    if (status != V_OCSP_CERTSTATUS_GOOD && pok) {
         char snum[MAX_STRING_LEN] = { '\0' };
         BIO *bio = BIO_new(BIO_s_mem());
@@ -456,12 +456,6 @@ static int stapling_check_response(server_rec *s, modssl_ctx_t *mctx,
                      (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
                      OCSP_crl_reason_str(reason) : "n/a",
                      snum[0] ? snum : "[n/a]");
-
-        if (mctx->stapling_return_errors == FALSE) {
-            if (pok)
-                *pok = FALSE;
-            rv = SSL_TLSEXT_ERR_NOACK;
-        }
     }
 }
-- 
2.47.3
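Review bot: The added `&& pok` on the `status != V_OCSP_CERTSTATUS_GOOD` condition reads as a NULL guard, while the commit message says its purpose is to log the revoked status only when the response was just fetched from the responder and not on every cache hit; nothing in this hunk shows that `pok` is NULL exactly on the cache path, so that coupling should be stated at the condition, e.g. `/* pok is non-NULL only on a fresh responder fetch; cache hits skip the log */`. Better still would be an explicit "freshly fetched" flag, so that a future caller passing `pok` for another reason does not silently re-enable per-handshake logging of a non-GOOD status. stapling_check_response starts before and ends after this hunk.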
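Review bot: Removing the `mctx->stapling_return_errors == FALSE` block means a revoked status is now stapled to the client regardless of that setting, so the documentation of the directive that populates `stapling_return_errors` (presumably SSLStaplingReturnResponderErrors) should be updated to say it governs responder errors only and no longer suppresses revoked responses. The commit message also promises that revoked responses are cached for the normal period of basic responses, but no line in this hunk sets a cache lifetime; that decision must be in the caller, outside the hunk, and should be verified there rather than assumed from this change. With the block gone, `rv` for a revoked status is whatever the code before line 435 assigned, which this hunk does not show.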