https://bz.apache.org/bugzilla/show_bug.cgi?id=66626
Bug ID: 66626
Summary: OCSP Stapling with Revoked Certificate is not Returning Proper Return Value
Product: Apache httpd-2
Version: 2.4-HEAD
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: q...@tenable.com
Target Milestone: ---

When contacting an OCSP server and the certificate is revoked, an OK is still being returned where there should be an error returned. This will always cause an SSL_TLSEXT_ERR_OK to be returned when the certificate is revoked. rv is set in all other places in this function with the exception of this block.

    // ssl_util_stapling.c stapling_check_response()
    if (status != V_OCSP_CERTSTATUS_GOOD) {
        char snum[MAX_STRING_LEN] = { '\0' };
        BIO *bio = BIO_new(BIO_s_mem());

        if (bio) {
            int n;
            ASN1_INTEGER *pserial;
            OCSP_id_get0_info(NULL, NULL, NULL, &pserial, cinf->cid);
            if ((i2a_ASN1_INTEGER(bio, pserial) != -1) &&
                ((n = BIO_read(bio, snum, sizeof snum - 1)) > 0))
                snum[n] = '\0';
            BIO_free(bio);
        }

        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02969)
                     "stapling_check_response: response has certificate "
                     "status %s (reason: %s) for serial number %s",
                     OCSP_cert_status_str(status),
                     (reason != OCSP_REVOKED_STATUS_NOSTATUS) ?
                     OCSP_crl_reason_str(reason) : "n/a",
                     snum[0] ? snum : "[n/a]");

        if (mctx->stapling_return_errors == FALSE) {
            if (pok)
                *pok = FALSE;
            rv = SSL_TLSEXT_ERR_NOACK;
        }
    }
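The check below is added here as an example and is not code from the bug report or from httpd. It classifies what a server actually staples from a captured `openssl s_client -status` transcript, so an operator can see whether the revoked status reaches clients as a stapled "revoked" response or as no staple at all (the latter is the path taken when `mctx->stapling_return_errors` is FALSE, i.e. `SSLStaplingReturnResponderErrors off`). The hostname is a placeholder and the transcripts are constructed, abbreviated samples.

```shell
# Classify the OCSP staple in a file holding the output of
#   openssl s_client -connect example.org:443 -status </dev/null
# Prints one of: none | good | revoked | unknown | error
classify_staple() {
    f="$1"
    if grep -q '^OCSP response: no response sent' "$f"; then
        echo none        # server stapled nothing (no status_request data)
    elif grep -q '^ *Cert Status: good' "$f"; then
        echo good
    elif grep -q '^ *Cert Status: revoked' "$f"; then
        echo revoked     # the stapled response itself reports revocation
    elif grep -q '^ *Cert Status: unknown' "$f"; then
        echo unknown
    else
        echo error       # a response was stapled but carries no Cert Status
    fi
}

# Constructed, abbreviated s_client transcripts for offline use (not real captures).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_NONE="$SAMPLE_DIR/none.txt"
SAMPLE_GOOD="$SAMPLE_DIR/good.txt"
SAMPLE_REVOKED="$SAMPLE_DIR/revoked.txt"
SAMPLE_ERROR="$SAMPLE_DIR/error.txt"

printf 'CONNECTED(00000003)\nOCSP response: no response sent\n' > "$SAMPLE_NONE"
printf 'OCSP response: \n==========\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n    Cert Status: good\n    This Update: Apr  1 00:00:00 2023 GMT\n' > "$SAMPLE_GOOD"
printf 'OCSP response: \n==========\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n    Cert Status: revoked\n    Revocation Time: Mar 31 00:00:00 2023 GMT\n    Revocation Reason: keyCompromise (0x1)\n' > "$SAMPLE_REVOKED"
printf 'OCSP response: \n==========\nOCSP Response Data:\n    OCSP Response Status: tryLater (0x3)\n' > "$SAMPLE_ERROR"

# Report each sample's classification.
for s in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_ERROR"; do
    printf '%s: %s\n' "$(basename "$s")" "$(classify_staple "$s")"
done
```

Run it against a live capture by passing the transcript file to classify_staple; a "none" result on a server whose certificate is known to be revoked means clients are not being told about the revocation via stapling.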