From b2c35e93608e737d28d8dd51ad15972df5c72f71 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 23 Aug 2019 10:31:01 +0000
Subject: [PATCH] mod_ssl: OCSP does not apply to proxy mode, fix verify
context.
Since ssl_callback_SSLVerify() is called for both server and proxy modes,
use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e.
none for proxy in any case).
PR 63679.
Submitted by: Lubos Uhliarik <luhliari redhat.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1865740 13f79535-47bb-0310-9956-ffa450edef68
---
modules/ssl/ssl_engine_kernel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index e34fc55..d6aa051 100644
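--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1651,8 +1651,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
 /*
 * Perform OCSP-based revocation checks
 */
-    if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
-        (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
+    if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+        (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
 /* If there was an optional verification error, it's not
 * possible to perform OCSP validation since the issuer may be
 * missing/untrusted. Fail in that case. */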
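Review bot: The "Perform OCSP-based revocation checks" comment above the rewritten condition should state that the mask is now read per context. With `mctx->ocsp_mask`, a proxy (backend) connection skips OCSP revocation checking entirely, which the commit message describes as intended ("none for proxy in any case"). Suggested comment: `/* mctx is the server or the proxy context; OCSP is never enabled for proxy, so backend certificates are not OCSP-checked here */`. `mctx` is assigned outside the hunk (presumably via myCtxConfig(), per the commit message), so it is worth confirming that the proxy context's ocsp_mask is explicitly initialised to "no check" and that config merging never copies the server value into it. The body of ssl_callback_SSLVerify starts and ends outside the hunk.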