From 924e07c32baa56dd30c4db8c7945b9653eef8104 Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@apache.org>
Date: Sun, 5 Jan 2014 21:18:28 +0000
Subject: [PATCH] Fix config merging of SSLOCSPEnable and
 SSLOCSPOverrideResponder.

Reviewed by: rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1555631 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                         | 3 +++
 modules/ssl/ssl_engine_config.c | 4 ++--
 modules/ssl/ssl_engine_kernel.c | 2 +-
 modules/ssl/ssl_engine_ocsp.c   | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 30ddf6b2e3..8a0f446dac 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_ssl: Fix config merging of SSLOCSPEnable and SSLOCSPOverrideResponder.
+     [Jeff Trawick]
+
   *) Add HttpContentLengthHeadZero and HttpExpectStrict directives.
      [Yehuda Sadeh <yehuda inktank com>, Justin Erenkrantz]
 
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index da32499e29..efdcf00064 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -127,8 +127,8 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.verify_depth   = UNSET;
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
 
-    mctx->ocsp_enabled        = FALSE;
-    mctx->ocsp_force_default  = FALSE;
+    mctx->ocsp_enabled        = UNSET;
+    mctx->ocsp_force_default  = UNSET;
     mctx->ocsp_responder      = NULL;
     mctx->ocsp_resptime_skew  = UNSET;
     mctx->ocsp_resp_maxage    = UNSET;
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 062e235a8a..0bb37a3185 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1461,7 +1461,7 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
     /*
      * Perform OCSP-based revocation checks
      */
-    if (ok && sc->server->ocsp_enabled) {
+    if (ok && sc->server->ocsp_enabled == TRUE) {
         /* If there was an optional verification error, it's not
          * possible to perform OCSP validation since the issuer may be
          * missing/untrusted.  Fail in that case. */
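Review bot: The `== TRUE` test on `sc->server->ocsp_enabled` is a security decision that the existing comment does not explain: a value of `UNSET` (directive never configured at any level) silently skips revocation checking. I would extend the block comment with something like `/* ocsp_enabled is tri-state; UNSET is treated as disabled */`, so that a later cleanup does not fold the comparison back into a truthiness test. The body of ssl_callback_SSLVerify continues outside the hunk, so how the enabled branch fails is not visible here.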
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index 90da5c279f..b9fca6577d 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -61,7 +61,7 @@ static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
     /* Use default responder URL if forced by configuration, else use
      * certificate-specified responder, falling back to default if
      * necessary and possible. */
-    if (sc->server->ocsp_force_default) {
+    if (sc->server->ocsp_force_default == TRUE) {
         s = sc->server->ocsp_responder;
     }
     else {
-- 
2.40.0