From: Rainer Jung Date: Tue, 9 Feb 2016 23:20:50 +0000 (+0000) Subject: OpenSSL 1.1.0 support X-Git-Tag: 2.5.0-alpha~2155 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=30a6d5d0f9d90450bb70853dd83a2a0303742882;p=thirdparty%2Fapache%2Fhttpd.git OpenSSL 1.1.0 support - no need to check for opaque "valid" cert flag, since we get here only if internal certificate verification of OpenSSL returned ok=1. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729500 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c index 28016afddd5..6bdd2cdce13 100644 --- a/modules/ssl/ssl_engine_ocsp.c +++ b/modules/ssl/ssl_engine_ocsp.c @@ -262,17 +262,21 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc, "No cert available to check with OCSP"); return 1; } - /* XXX: OpenSSL 1.1.0: cert->valid not available in OpenSSL 1.1.0 - * and I have found no accessor method. What to do? */ #if OPENSSL_VERSION_NUMBER < 0x10100000L else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) { +#else + /* No need to check cert->valid, because modssl_verify_ocsp() only + * is called if OpenSSL already successfully verified the certificate + * (parameter "ok" in ssl_callback_SSLVerify() must be true). + */ + else if (X509_check_issued(cert,cert) == X509_V_OK) { +#endif /* don't do OCSP checking for valid self-issued certs */ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "Skipping OCSP check for valid self-issued cert"); X509_STORE_CTX_set_error(ctx, X509_V_OK); return 1; } -#endif /* Create a temporary pool to constrain memory use (the passed-in * pool may be e.g. a connection pool). */