Repository: trafficserver Updated Branches: refs/heads/master dd7e538c9 -> 10d953e67
TS-3001: GlobalSign responds 403 when OCSP request posted without Host header Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/10d953e6 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/10d953e6 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/10d953e6 Branch: refs/heads/master Commit: 10d953e672fe7a5b29e70aecaa2ffdbbc1e4e212 Parents: dd7e538 Author: Ryo Okubo <[email protected]> Authored: Mon Aug 18 11:28:34 2014 -0700 Committer: Bryan Call <[email protected]> Committed: Mon Aug 18 11:28:34 2014 -0700 ---------------------------------------------------------------------- CHANGES | 2 ++ iocore/net/OCSPStapling.cc | 9 ++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/10d953e6/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index 13da8b1..8d04e35 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.1.0 + *) [TS-3001] GlobalSign responds 403 when OCSP request posted without Host header + *) [TS-2722] authproxy: Eliminate the DNS lookup state, just use the client *) [TS-2933] Fix post remap and effective URL. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/10d953e6/iocore/net/OCSPStapling.cc ---------------------------------------------------------------------- diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc index ca27b00..88c6b71 100644 --- a/iocore/net/OCSPStapling.cc +++ b/iocore/net/OCSPStapling.cc 
@@ -239,7 +239,7 @@ stapling_check_response(certinfo *cinf, OCSP_RESPONSE *rsp)
 }
 static OCSP_RESPONSE *
-query_responder(BIO *b, char *path, OCSP_REQUEST *req, int req_timeout)
+query_responder(BIO *b, char *host, char *path, OCSP_REQUEST *req, int req_timeout)
 {
 ink_hrtime start, end;
 OCSP_RESPONSE *resp = NULL;
@@ -249,7 +249,10 @@ query_responder(BIO *b, char *path, OCSP_REQUEST *req, int req_timeout)
 start = ink_get_hrtime();
 end = ink_hrtime_add(start, ink_hrtime_from_sec(req_timeout));
- ctx = OCSP_sendreq_new(b, path, req, -1);
+ ctx = OCSP_sendreq_new(b, path, NULL, -1);
+ OCSP_REQ_CTX_add1_header(ctx, "Host", host);
+ OCSP_REQ_CTX_set1_req(ctx, req);
+
 do {
 rv = OCSP_sendreq_nbio(&resp, ctx);
 ink_hrtime_sleep(HRTIME_MSECONDS(1));
@@ -281,7 +284,7 @@ process_responder(OCSP_REQUEST *req,
 Debug("ssl", "process_responder: fail to connect to OCSP respond server");
 goto end;
 }
- resp = query_responder(cbio, path, req, req_timeout);
+ resp = query_responder(cbio, host, path, req, req_timeout);
 end:
 if (cbio)
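Review bot: The three OpenSSL calls added in query_responder are used without checking their results: `OCSP_sendreq_new` can return NULL, and `OCSP_REQ_CTX_add1_header` and `OCSP_REQ_CTX_set1_req` each return 0 on failure. A NULL `ctx` would go straight into the header call, and a failed `set1_req` would let the loop post a request with no OCSP body, so the failure would only surface as a rejected or timed-out query and the certificate would go without a fresh staple. I would guard them together with `if (ctx == NULL || !OCSP_REQ_CTX_add1_header(ctx, "Host", host) || !OCSP_REQ_CTX_set1_req(ctx, req))`, log through `Debug("ssl", ...)`, and leave by whatever path already releases `ctx`. The rest of query_responder, including that cleanup, is outside the hunk. Since `host` is only read, `const char *host` in the new signature would also document that.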
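Review bot: The `host` passed at this call site in process_responder becomes the literal Host header value, and where it is set is outside the hunk. If it holds only the bare host part of the responder URL (for example as split out by `OCSP_parse_url`), a responder on a non-default port receives a Host header without the port, which a name-based virtual host may reject just as it rejected the missing header. A short comment such as `// host: responder hostname from the certificate's OCSP URL, sent as the Host header` would record what the value is. If the port is kept separately, consider sending `host:port` when it is not the scheme default.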
