Don't do OCSP checks for valid self-issued certs
authorStefan Fritsch <sf@apache.org>
Sun, 19 Jun 2011 18:19:42 +0000 (18:19 +0000)
committerStefan Fritsch <sf@apache.org>
Sun, 19 Jun 2011 18:19:42 +0000 (18:19 +0000)
Submitted by: Kaspar Brand

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1137398 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_ocsp.c

diff --git a/CHANGES b/CHANGES
index 7d1c8e8b627f3d78e4ac7d3c5b451bfde2cef436..03d63083567225cbdd0dd013e0fee7a4dbc625c9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
 
 Changes with Apache 2.3.13
 
+  *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
+
   *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
      PR 48215. [Kaspar Brand]
 
index d52bc5e1a3cc750e76d83d6bdd456f76bf230899..28ace8a672a36b7908eb64cd830fae0a199e52d8 100644 (file)
@@ -251,7 +251,15 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
     X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
     apr_pool_t *vpool;
     int rv;
-    
+
+    /* don't do OCSP checking for valid self-issued certs */
+    if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+                      "Skipping OCSP check for valid self-issued cert");
+        X509_STORE_CTX_set_error(ctx, X509_V_OK);
+        return 1;
+    }
+
     /* Create a temporary pool to constrain memory use (the passed-in
      * pool may be e.g. a connection pool). */
     apr_pool_create(&vpool, pool);
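Review bot: The new guard reads `cert->valid`, a field of OpenSSL's X509 structure accessed directly instead of through a public accessor, which ties mod_ssl to the library's internal layout and would break if that struct becomes opaque in a later OpenSSL release. The security meaning of the test is also left implicit: X509_check_issued() only compares subject/issuer names and key identifiers and does not verify the self-signature, so the early return is safe only because `valid` appears to be set by OpenSSL's verification path after the signature check has passed — worth confirming against the OpenSSL version in use and stating in the comment, e.g. `/* cert->valid is set by OpenSSL once the chain signature check passed; X509_check_issued() only matches names/key ids, so together they mean a verified self-signed cert, for which an OCSP query is meaningless (the issuer would vouch for itself) */`. A self-issued certificate is not necessarily a trust anchor (a CA key-rollover certificate without key identifiers could also pass this test), so if the intent is to skip OCSP only for roots, checking the depth via `X509_STORE_CTX_get_error_depth(ctx)` as well would make that explicit. Minor style: `X509_check_issued(cert,cert)` lacks the space after the comma used elsewhere in the file. modssl_verify_ocsp starts before and continues past this hunk.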