https://bz.apache.org/bugzilla/show_bug.cgi?id=63679
Bug ID: 63679
Summary: Usage of wrong mctx in ssl_callback_SSLVerify function
Product: Apache httpd-2
Version: 2.4.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 36728
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36728&action=edit
Patch fixing the bug
Hi all,
in commit r1826995 the following change was made to the
ssl_callback_SSLVerify function in ssl_engine_kernel.c:
- if (ok && sc->server->ocsp_enabled == TRUE) {
+ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
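Review bot: the condition reads `sc->server->ocsp_mask` even though ssl_callback_SSLVerify is also invoked for the proxy context, so verification of backend-presented certificates is governed by the server-side mask instead of the mask of the context actually being verified; `mctx` is already available in this function and should be used here. Compounding this, an unset mask is UNSET (-1), so both `& SSL_OCSPCHECK_CHAIN` and `& SSL_OCSPCHECK_LEAF` test true whenever the server-side mask was never set, which turns a "not configured" value into "check everything".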
Instead of using sc->server, mctx should be used. It now causes weird behavior,
since ocsp_mask is by default set to UNSET (which is -1, translated to signed
int...). When a proxy is set on the same server, the if-condition above will be
true.
I'm proposing this change:
- if (ok && sc->server->ocsp_enabled) {
+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
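Review bot: the `-` line removes `if (ok && sc->server->ocsp_enabled) {`, but that line no longer exists after r1826995; the code to replace is the two-line `sc->server->ocsp_mask` condition quoted above, so as written this hunk will not apply to current 2.4.x and the attached patch should be regenerated against the post-r1826995 source. The `+` lines themselves are right, since `mctx` is the context the verification is running for. One caveat worth a comment in the code: the check still relies on the mask having been set on the context in use, because an UNSET (-1) mask makes both bit tests true.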
It was working before, because ocsp_enabled was by default set to FALSE.
ocsp_mask is UNSET by default now and is set either on the proxy or the server
structure in sc. If an sc with is_proxy is passed here, it will result in a bug.
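The mechanism described above, as an added illustration that is not part of this report or of mod_ssl's source: the two structs below are constructed, heavily simplified stand-ins for mod_ssl's configuration records (the real ones carry many more fields, and the numeric flag values here are assumptions), with only the `ocsp_mask` field and the UNSET sentinel of -1 modelled. The program evaluates the r1826995 condition and the proposed `mctx` condition side by side for a virtual host where the server-side mask was never set and the proxy-side mask is explicitly off.

```c
#include <stdio.h>

/* Constructed values: UNSET is -1 as stated in the report; the
 * SSL_OCSPCHECK_* bit values are assumptions for this illustration. */
#define UNSET               (-1)
#define SSL_OCSPCHECK_NONE  0
#define SSL_OCSPCHECK_LEAF  (1 << 0)
#define SSL_OCSPCHECK_CHAIN (1 << 1)

/* Simplified stand-in for mod_ssl's per-context configuration. */
typedef struct {
    int is_proxy;   /* 1 for the proxy (client-side) context */
    int ocsp_mask;  /* stays UNSET until an OCSP directive sets it */
} ctx_t;

/* Simplified stand-in for the per-server configuration (sc). */
typedef struct {
    ctx_t *server;  /* context for the vhost's own server side */
    ctx_t *proxy;   /* context for certificates presented by backends */
} srv_config_t;

/* The condition as committed in r1826995: always consults sc->server. */
int ocsp_check_committed(const srv_config_t *sc, int errdepth)
{
    return (sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* The condition with the proposed fix: consults the context the
 * verification is actually running for. */
int ocsp_check_proposed(const ctx_t *mctx, int errdepth)
{
    return (mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Builds a server config with the given masks and evaluates one of the
 * two conditions for the context being verified.  Returns 1 if an OCSP
 * check would be performed, 0 otherwise. */
int ocsp_required(int server_mask, int proxy_mask, int verifying_proxy,
                  int errdepth, int with_fix)
{
    ctx_t server = { 0, server_mask };
    ctx_t proxy  = { 1, proxy_mask };
    srv_config_t sc = { &server, &proxy };
    const ctx_t *mctx = verifying_proxy ? sc.proxy : sc.server;

    return with_fix ? ocsp_check_proposed(mctx, errdepth)
                    : ocsp_check_committed(&sc, errdepth);
}

int main(void)
{
    /* Scenario from the report: server-side OCSP never configured
     * (mask left at UNSET), proxy-side OCSP explicitly off, and the
     * callback is verifying a backend certificate at depth 0. */
    printf("UNSET & SSL_OCSPCHECK_CHAIN = %d (nonzero, so the test passes)\n",
           UNSET & SSL_OCSPCHECK_CHAIN);
    printf("committed condition: %d\n",
           ocsp_required(UNSET, SSL_OCSPCHECK_NONE, 1, 0, 0));
    printf("proposed condition:  %d\n",
           ocsp_required(UNSET, SSL_OCSPCHECK_NONE, 1, 0, 1));
    return 0;
}
```

With these inputs the committed condition reports that an OCSP check is required although proxy-side OCSP is off, purely because the untouched server-side mask is -1 and every bit test on -1 succeeds; the proposed condition reports 0. When the server context itself is being verified the two conditions agree, which is why the problem only shows up on hosts that also proxy.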
Attaching patch. Please merge it to 2.4.x if possible.