On Tue, May 12, 2015 at 8:59 PM, <[email protected]> wrote:
> Author: trawick
> Date: Tue May 12 18:59:29 2015
> New Revision: 1679032
>
> URL: http://svn.apache.org/r1679032
> Log:
> mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
> the OCSP response for a different certificate. mod_ssl has an additional
> global mutex, "ssl-stapling-refresh".
>
[]
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1679032&r1=1679031&r2=1679032&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Tue May 12 18:59:29 2015
[]
> +
> +static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx,
> + OCSP_RESPONSE **rsp, BOOL *ok,
> + certinfo *cinf, apr_pool_t *p)
> +{
> + int rv;
> +
> + /* Check to see if we already have a response for this certificate */
> + rv = stapling_get_cached_response(s, rsp, ok, cinf, p);
> + if (rv == FALSE) {
> + return SSL_TLSEXT_ERR_ALERT_FATAL;
> + }
> +
> + if (*rsp) {
> + /* see if response is acceptable */
> + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
> + "stapling_cb: retrieved cached response");
> + rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
> + if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
> + OCSP_RESPONSE_free(*rsp);
> + return SSL_TLSEXT_ERR_ALERT_FATAL;
> + }
> + else if (rv == SSL_TLSEXT_ERR_NOACK) {
> + /* Error in response. If this error was not present when it was
> + * stored (i.e. response no longer valid) then it can be
> + * renewed straight away.
> + *
> + * If the error *was* present at the time it was stored then we
> + * don't renew the response straight away; we just wait for the
> + * cached response to expire.
> + */
> + if (ok) {
if (*ok) ?
Or maybe 'ok' shouldn't be a pointer (not updated here)?
> + OCSP_RESPONSE_free(*rsp);
> + *rsp = NULL;
> + }
> + else if (!mctx->stapling_return_errors) {
> + OCSP_RESPONSE_free(*rsp);
> + return SSL_TLSEXT_ERR_NOACK;
> + }
> + }
> + }
> + return 0;
> +}
> +
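Review bot: the `if (ok)` in the SSL_TLSEXT_ERR_NOACK branch tests the `BOOL *ok` pointer itself, not the flag stapling_get_cached_response() stored through it, so it is true for any caller that passes a non-NULL pointer and the `else if (!mctx->stapling_return_errors)` path (the "error was already present when stored, wait for expiry" case described in the comment) can never be taken; change it to `if (*ok)` or, since this function never writes to `*ok`, take `BOOL *ok` only to forward it and read it as `*ok` here. Separately, the two fatal paths free `*rsp` without clearing it (`OCSP_RESPONSE_free(*rsp); return SSL_TLSEXT_ERR_ALERT_FATAL;` and `OCSP_RESPONSE_free(*rsp); return SSL_TLSEXT_ERR_NOACK;`), leaving the caller holding a dangling pointer; setting `*rsp = NULL` after each free, as the `*ok` branch already does, would keep the output parameter consistent on every return.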
Regards,
Yann.