On 30.03.2014 21:25, yla...@apache.org wrote:
> Author: ylavic
> Date: Sun Mar 30 19:25:20 2014
> New Revision: 1583191
> 
> URL: http://svn.apache.org/r1583191
> Log:
> mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce 
> on/off. PR 56233.

> @@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert
>          }
>      }
>  
> -    if (rc == V_OCSP_CERTSTATUS_GOOD) {
> +    if (rc == V_OCSP_CERTSTATUS_GOOD &&
> +            sc->server->ocsp_use_request_nonce != FALSE) {
>          if (OCSP_check_nonce(request, basicResponse) != 1) {
>              ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
>                          "Bad OCSP responder answer (bad nonce)");
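Review bot: with sc->server->ocsp_use_request_nonce folded into the outer condition, the nonce comparison is bypassed entirely when the directive is off, so a well-signed "good" response captured earlier is no longer rejected as "bad nonce" and freshness rests only on the response's validity interval; the documentation for the new directive should say so. Also, ocsp_use_request_nonce is a plain int and `!= FALSE` treats every non-zero value, including whatever the merge code leaves for an unset directive, as on; setting the default explicitly in the defaults/merge code makes that intent visible rather than implied by the comparison.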

Perhaps rewrite this as

    if (rc == V_OCSP_CERTSTATUS_GOOD &&
        sc->server->ocsp_use_request_nonce != FALSE &&
        OCSP_check_nonce(request, basicResponse) != 1) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
                     "Bad OCSP responder answer (bad nonce)");
        rc = V_OCSP_CERTSTATUS_UNKNOWN;
    }

?

> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1583191&r1=1583190&r2=1583191&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Mar 30 19:25:20 2014
> @@ -614,6 +614,7 @@ typedef struct {
>      SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
>      apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
>  #endif
> +    int ocsp_use_request_nonce;
>  } modssl_ctx_t;
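Review bot: adding an int member to modssl_ctx_t needs the matching default and merge handling in the config code (not part of this diff) so the flag has a defined value when the directive is absent; the hunk also lands the field after the `#endif` of a conditionally compiled block rather than next to the other ocsp_* members of the struct, where it belongs.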

modssl_ctx_t isn't a public struct, so I think it's preferable to
insert this definition four lines earlier (after ocsp_responder_timeout,
see r1059917 for a similar case).

And last but not least, can you add docs for this new directive (and an
entry in CHANGES)?

Kaspar
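For readers who only see the directive name in the commit log, here is an added configuration example (not from the patch or from the httpd project) showing where SSLOCSPUseRequestNonce sits in a client-certificate vhost and what turning it off gives up. The other SSLOCSP* directives are the existing mod_ssl ones; the certificate paths and the responder URL are placeholders.

```apache
# Added example, not part of the thread: client-certificate vhost whose
# revocation checks go through OCSP.  Paths and the responder URL are
# placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require

    # OCSP revocation checking of the presented client certificate.
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.example.test/
    SSLOCSPOverrideResponder off
    SSLOCSPResponderTimeout 10

    # Default and safer setting: the request carries a nonce, and a
    # response that does not echo it fails OCSP_check_nonce(), so a
    # "good" response recorded before a revocation cannot be replayed.
    SSLOCSPUseRequestNonce on
</VirtualHost>

# Only for responders that serve pre-computed responses and never echo
# nonces.  Weaker: freshness then rests solely on the response's
# thisUpdate/nextUpdate window, so keep that window short on the CA side.
#   SSLOCSPUseRequestNonce off
```

The "off" setting belongs next to the responder it is needed for, not in a global default, so that a responder which does echo nonces keeps the replay check.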
