https://bz.apache.org/bugzilla/show_bug.cgi?id=66626

            Bug ID: 66626
           Summary: OCSP Stapling with Revoked Certificate are not
                    Returning Proper Return Value
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: q...@tenable.com
  Target Milestone: ---

When contacting an OCSP server and the certificate is revoked, an OK is still
being returned where an error should be returned. This will always cause an
SSL_TLSEXT_ERR_OK to be returned when the certificate is revoked. rv is set in
all other places in this function with the exception of this block.

// ssl_util_stapling.c stapling_check_response()
if (status != V_OCSP_CERTSTATUS_GOOD) {
    char snum[MAX_STRING_LEN] = { '\0' };
    BIO *bio = BIO_new(BIO_s_mem());

    if (bio) {
        int n;
        ASN1_INTEGER *pserial;
        OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
        if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
            ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
            snum[n] = '\0';
        BIO_free(bio);
    }

    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02969)
                    "stapling_check_response: response has certificate "
                    "status %s (reason: %s) for serial number %s",
                    OCSP_cert_status_str(status),
                    (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
                    OCSP_crl_reason_str(reason) : "n/a",
                    snum[0] ? snum : "[n/a]");

    if (mctx->stapling_return_errors == FALSE) {
        if (pok)
            *pok = FALSE;
        rv = SSL_TLSEXT_ERR_NOACK;
    }
}
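To make the reported control flow easy to exercise in isolation, the following added example (not httpd's code and not the reporter's) models the decision taken in the quoted block with a small stand-alone C program. The struct `stapling_cfg`, the wrapper functions `reported_rv`, `reported_pok` and `client_accept_stapled_status`, and the omission of the logging are constructed for this illustration; the constants reuse the names from the report with the numeric values OpenSSL's ssl.h and ocsp.h assign to them. The model assumes, as the report implies, that `rv` starts out as SSL_TLSEXT_ERR_OK and `*pok` as TRUE before this block runs.

```c
#include <stdio.h>

/* Values as defined in OpenSSL's ssl.h and ocsp.h for the names used above. */
#define SSL_TLSEXT_ERR_OK         0
#define SSL_TLSEXT_ERR_NOACK      3
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

#define TRUE  1
#define FALSE 0

/* Constructed stand-in for the one field of httpd's modssl_ctx_t the
 * quoted block consults (set by SSLStaplingReturnResponderErrors). */
struct stapling_cfg {
    int stapling_return_errors;
};

/* Reproduces the control flow of the quoted block. rv is initialised to
 * SSL_TLSEXT_ERR_OK (assumed, per the report) and is only changed on the
 * path where stapling_return_errors is FALSE; the logging is omitted. */
static int stapling_check_status_as_reported(const struct stapling_cfg *mctx,
                                             int status, int *pok)
{
    int rv = SSL_TLSEXT_ERR_OK;

    if (pok)
        *pok = TRUE;

    if (status != V_OCSP_CERTSTATUS_GOOD) {
        if (mctx->stapling_return_errors == FALSE) {
            if (pok)
                *pok = FALSE;
            rv = SSL_TLSEXT_ERR_NOACK;
        }
        /* No else branch: a REVOKED or UNKNOWN status combined with
         * stapling_return_errors == TRUE leaves rv == SSL_TLSEXT_ERR_OK
         * and *pok == TRUE, which is the behaviour the report describes. */
    }
    return rv;
}

/* Convenience wrappers so each (setting, status) pair can be queried
 * without juggling output parameters. */
int reported_rv(int return_errors, int status)
{
    struct stapling_cfg cfg = { return_errors };
    int ok;
    return stapling_check_status_as_reported(&cfg, status, &ok);
}

int reported_pok(int return_errors, int status)
{
    struct stapling_cfg cfg = { return_errors };
    int ok;
    (void)stapling_check_status_as_reported(&cfg, status, &ok);
    return ok;
}

/* Relying-party side: whatever value the server's callback returned, a
 * client that receives a stapled response must treat any certificate
 * status other than GOOD as a failed validation. Returns 1 to accept. */
int client_accept_stapled_status(int status)
{
    return status == V_OCSP_CERTSTATUS_GOOD;
}

static const char *status_name(int status)
{
    switch (status) {
    case V_OCSP_CERTSTATUS_GOOD:    return "good";
    case V_OCSP_CERTSTATUS_REVOKED: return "revoked";
    default:                        return "unknown";
    }
}

int main(void)
{
    static const int statuses[] = { V_OCSP_CERTSTATUS_GOOD,
                                    V_OCSP_CERTSTATUS_REVOKED,
                                    V_OCSP_CERTSTATUS_UNKNOWN };
    int setting, i;

    printf("%-13s %-8s %-6s %-4s %s\n",
           "return_errors", "status", "rv", "pok", "client accepts");
    for (setting = FALSE; setting <= TRUE; setting++) {
        for (i = 0; i < 3; i++) {
            int st = statuses[i];
            printf("%-13s %-8s %-6s %-4s %s\n",
                   setting ? "TRUE" : "FALSE", status_name(st),
                   reported_rv(setting, st) == SSL_TLSEXT_ERR_OK ? "OK" : "NOACK",
                   reported_pok(setting, st) ? "TRUE" : "FALSE",
                   client_accept_stapled_status(st) ? "yes" : "no");
        }
    }
    return 0;
}
```

The row for `return_errors == TRUE` and `status == revoked` is the case the report is about: the callback result stays OK and `pok` stays TRUE. The last column is the check that matters on the other side of the connection: a client validating the stapled response rejects a revoked status regardless of what the server's callback returned.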
