]> granicus.if.org Git - apache/commitdiff
projects / apache / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5f2e0d2)
Merge r1588853 from trunk:
authorJim Jagielski <jim@apache.org>
Wed, 7 May 2014 12:52:13 +0000 (12:52 +0000)
committerJim Jagielski <jim@apache.org>
Wed, 7 May 2014 12:52:13 +0000 (12:52 +0000)
ssl_stapling_init_cert: do not return success when no responder URI is found
stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Submitted by: kbrand
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593002 13f79535-47bb-0310-9956-ffa450edef68

STATUS patch | blob | history
modules/ssl/ssl_util_stapling.c patch | blob | history

diff --git a/STATUS b/STATUS
index 733b4be9b92bb17ca9fea017721a136265031f8c..5814b93289d6a08ef3f5c66d9dce377db60284a9 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -100,11 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: make SSL stapling init more robust for certs w/o responder URI
-     trunk patch: https://svn.apache.org/r1588853
-     2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
-     +1: kbrand, ylavic, jim
-
    * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
      programs, and implement a special merging algorithm for
      SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 7633648ce2df823d180120cdc5eb62fade6c6aa7..2dc8fceaaa8a2419a627c0e8d1d946b06ea0fc37 100644 (file)
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -145,14 +145,15 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
     X509_digest(x, EVP_sha1(), cinf->idx, NULL);
 
     aia = X509_get1_ocsp(x);
-    if (aia)
+    if (aia) {
         cinf->uri = sk_OPENSSL_STRING_pop(aia);
+        X509_email_free(aia);
+    }
     if (!cinf->uri && !mctx->stapling_force_url) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
                      "ssl_stapling_init_cert: no responder URL");
+        return 0;
     }
-    if (aia)
-        X509_email_free(aia);
     return 1;
 }
 
@@ -403,6 +404,13 @@ static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
     else
         ocspuri = cinf->uri;
 
+    if (!ocspuri) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+                     "stapling_renew_response: no uri for responder");
+        rv = FALSE;
+        goto done;
+    }
+
     /* Create a temporary pool to constrain memory use */
     apr_pool_create(&vpool, conn->pool);
 
Unnamed repository; edit this file 'description' to name the repository.