From: Jim Jagielski Date: Wed, 7 May 2014 12:52:13 +0000 (+0000) Subject: Merge r1588853 from trunk: X-Git-Tag: 2.4.10~254 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ec031aa871fcda3174b959f1758750fd54af9aca;p=apache Merge r1588853 from trunk: ssl_stapling_init_cert: do not return success when no responder URI is found stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty Submitted by: kbrand Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1593002 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 733b4be9b9..5814b93289 100644
--- a/STATUS
+++ b/STATUS
@@ -100,11 +100,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
-  * mod_ssl: make SSL stapling init more robust for certs w/o responder URI
-    trunk patch: https://svn.apache.org/r1588853
-    2.4.x patch: trunk patch works (w/o docs/log-message-tags/next-number)
-    +1: kbrand, ylavic, jim
-
   * mod_ssl: restore argument structure for exec-type SSLPassPhraseDialog
     programs, and implement a special merging algorithm for
     SSLCertificate[Key]File to emulate the behavior in versions <= 2.4.7
diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c
index 7633648ce2..2dc8fceaaa 100644
--- a/modules/ssl/ssl_util_stapling.c
+++ b/modules/ssl/ssl_util_stapling.c
@@ -145,14 +145,15 @@ int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x)
     X509_digest(x, EVP_sha1(), cinf->idx, NULL);
     aia = X509_get1_ocsp(x);
-    if (aia)
+    if (aia) {
         cinf->uri = sk_OPENSSL_STRING_pop(aia);
+        X509_email_free(aia);
+    }
     if (!cinf->uri && !mctx->stapling_force_url) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218)
                      "ssl_stapling_init_cert: no responder URL");
+        return 0;
     }
-    if (aia)
-        X509_email_free(aia);
     return 1;
 }
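Review bot: The string popped from `aia` into `cinf->uri` is not released by the `X509_email_free(aia)` that now follows it (pop removes it from the stack first), so `cinf->uri` owns an OpenSSL-allocated string for the lifetime of `cinf`; nothing in the hunk frees it, and if the rest of the file does not either, whatever tears down `cinf` should `OPENSSL_free` it. A one-line comment at the pop would make the ownership and the selection explicit, e.g. `/* keep the last AIA OCSP URI; X509_email_free releases the others */`, since any further responder URIs the certificate lists are discarded here. The new `return 0` also leaves `cinf` partially initialised; if it was already handed to the SSL_CTX earlier in the function, the status callback must tolerate a NULL `uri`. ssl_stapling_init_cert begins outside the hunk.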
@@ -403,6 +404,13 @@ static BOOL stapling_renew_response(server_rec *s, modssl_ctx_t *mctx, SSL *ssl,
     else
         ocspuri = cinf->uri;
+    if (!ocspuri) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621)
+                     "stapling_renew_response: no uri for responder");
+        rv = FALSE;
+        goto done;
+    }
+
     /* Create a temporary pool to constrain memory use */
     apr_pool_create(&vpool, conn->pool);
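Review bot: The new guard rejects only a NULL `ocspuri`; a zero-length string (a configured force URL that is empty, for instance) would still reach apr_uri_parse below, so `if (!ocspuri || !*ocspuri) {` covers the "empty" case the commit message describes more fully. `rv` and the `done:` label are outside the hunk, and the jump now happens before `apr_pool_create(&vpool, conn->pool)`, so the cleanup at `done:` must not touch `vpool` unless it is initialised to NULL and the destroy is guarded. stapling_renew_response begins and ends outside the hunk.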