DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41123>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41123





------- Additional Comments From [EMAIL PROTECTED]  2007-11-16 04:53 -------
Some comments on the latest patch.

1. The function extract_responder_uri() has a memory leak. It should call:

AUTHORITY_INFO_ACCESS_free(values);

instead of:

sk_ACCESS_DESCRIPTION_free(values);

2. After the call to apr_uri_parse() shouldn't we check the scheme is
really "http"? I've heard of some responders which use "https". There is also
the possibility that the URL will be split up into a path and query string which
should be concatenated when passed to OpenSSL.

3. The OCSP query code doesn't include a timeout. This is a problem with
OpenSSL's rather simplistic OCSP handler and the fact that there is no
generalized socket timeout code in OpenSSL. There are several ways to work
around this. The easiest is to use APR sockets with a timeout. See my OCSP query
code in Bug 43822.

4. The code unconditionally uses an OCSP nonce. Some responders do not sign
every request but just serve pre-cached responses. As a result the nonce value
can't be honoured and an error will occur when attempting to use such
responders. The most notable example is VeriSign's OCSP responder but there are
others.
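
Added example (not the patch under review and not httpd or OpenSSL code): point 2 above is the responder URI handling. The block below shows the two checks a reviewer would want after the URI is parsed: reject any scheme other than http or https, and rebuild the path and query string into the single path string that OpenSSL's OCSP request helpers take. To keep it dependency-free, it uses a constructed stand-in struct and a small parser (`responder_uri_t`, `parse_responder_uri`, `responder_scheme_ok`, `responder_request_path` are all hypothetical names) in place of `apr_uri_t` and `apr_uri_parse()`; the field names mirror the APR ones but the struct is not APR's.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the apr_uri_t fields the review comment refers to.
 * Hypothetical type; not APR's real struct. */
typedef struct {
    char scheme[16];
    char hostname[256];
    int port;
    char path[512];
    char query[512];
} responder_uri_t;

/* Minimal parser for scheme://host[:port][/path][?query]. Returns 0 on
 * success, -1 on malformed input. Scheme is lower-cased for comparison. */
int parse_responder_uri(const char *url, responder_uri_t *out)
{
    const char *p, *sep, *end;
    size_t n, i;

    memset(out, 0, sizeof(*out));
    sep = strstr(url, "://");
    if (sep == NULL)
        return -1;
    n = (size_t)(sep - url);
    if (n == 0 || n >= sizeof(out->scheme))
        return -1;
    memcpy(out->scheme, url, n);
    out->scheme[n] = '\0';
    for (i = 0; i < n; i++)
        out->scheme[i] = (char)tolower((unsigned char)out->scheme[i]);

    /* hostname runs up to ':', '/', '?' or end of string */
    p = sep + 3;
    end = p + strcspn(p, ":/?");
    n = (size_t)(end - p);
    if (n == 0 || n >= sizeof(out->hostname))
        return -1;
    memcpy(out->hostname, p, n);
    out->hostname[n] = '\0';
    p = end;

    if (*p == ':') {
        char *stop;
        long port = strtol(p + 1, &stop, 10);
        if (stop == p + 1 || port <= 0 || port > 65535)
            return -1;
        out->port = (int)port;
        p = stop;
        /* anything other than a path, a query or the end is malformed */
        if (*p != '\0' && *p != '/' && *p != '?')
            return -1;
    } else {
        out->port = strcmp(out->scheme, "https") == 0 ? 443 : 80;
    }

    /* path runs up to '?'; query is whatever follows it */
    end = p + strcspn(p, "?");
    n = (size_t)(end - p);
    if (n >= sizeof(out->path))
        return -1;
    memcpy(out->path, p, n);
    out->path[n] = '\0';
    if (*end == '?') {
        n = strlen(end + 1);
        if (n >= sizeof(out->query))
            return -1;
        memcpy(out->query, end + 1, n + 1);
    }
    return 0;
}

/* Point 2: only http and https responders are acceptable. */
int responder_scheme_ok(const responder_uri_t *u)
{
    return strcmp(u->scheme, "http") == 0 || strcmp(u->scheme, "https") == 0;
}

/* Point 2: re-join path and query into one string, since the OCSP request
 * path handed to OpenSSL must carry both. Empty path becomes "/".
 * Returns the length written or -1 if buf is too small. */
int responder_request_path(const responder_uri_t *u, char *buf, size_t buflen)
{
    const char *path = u->path[0] ? u->path : "/";
    int len = u->query[0] ? snprintf(buf, buflen, "%s?%s", path, u->query)
                          : snprintf(buf, buflen, "%s", path);
    if (len < 0 || (size_t)len >= buflen)
        return -1;
    return len;
}

int main(void)
{
    /* constructed responder URL, not a real responder */
    const char *url = "http://ocsp.example.test:8080/ocsp?serial=1";
    responder_uri_t u;
    char reqpath[1024];

    if (parse_responder_uri(url, &u) != 0 || !responder_scheme_ok(&u)) {
        fprintf(stderr, "unusable responder URI: %s\n", url);
        return 1;
    }
    if (responder_request_path(&u, reqpath, sizeof reqpath) < 0)
        return 1;
    printf("host=%s port=%d request-path=%s\n", u.hostname, u.port, reqpath);
    return 0;
}
```

Rejecting unknown schemes before any socket is opened keeps a malformed or unexpected AIA entry from turning into a connection attempt to something that is not an HTTP responder; the path rebuild matters because an AIA URL with a query string would otherwise lose its query when only the path field is forwarded.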


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.