From: Kaspar Brand
Date: Sun, 28 Aug 2011 16:50:12 +0000 (+0000)
Subject: Better safe than sorry: with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
X-Git-Tag: 2.3.15~329
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ddcd7b615d0240ad3b677f2cba5cb8a0cc142298;p=thirdparty%2Fapache%2Fhttpd.git

Better safe than sorry: with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
may not always return a cert.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1162553 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index ff5ee35c3a9..df77cceb5ec 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -252,8 +252,15 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
 apr_pool_t *vpool;
 int rv;
 
- /* don't do OCSP checking for valid self-issued certs */
- if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ if (!cert) {
+ /* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
+ * may yield NULL. Return early, but leave the ctx error as is. */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "No cert available to check with OCSP");
+ return 1;
+ }
+ else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ /* don't do OCSP checking for valid self-issued certs */
 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
 "Skipping OCSP check for valid self-issued cert");
 X509_STORE_CTX_set_error(ctx, X509_V_OK);
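Review bot: The new `if (!cert)` branch at the top of the hunk returns 1 without establishing any revocation status, so on that path the OCSP check is skipped rather than failed; the comment says the ctx error is left as is but not why a missing cert should count as success when that error may still be X509_V_OK. Whether this is fail-open depends on how the caller combines the return value with its own chain-verification result, which is outside the hunk and presumably already decided before OCSP runs. Spell that reasoning out in the comment, e.g. `/* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert() may yield NULL. Nothing to check: return 1 and leave the ctx error as is, so the caller's existing verification result stands. */`, and consider whether a TRACE2 log is loud enough for a condition that should be rare. Style: the `else` after `return 1;` is redundant, so the self-issued check can stay a plain `if`. modssl_verify_ocsp begins before the hunk (where cert is assigned) and continues after it.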