On Tue, May 12, 2015 at 8:59 PM, <traw...@apache.org> wrote: > Author: trawick > Date: Tue May 12 18:59:29 2015 > New Revision: 1679032 > > URL: http://svn.apache.org/r1679032 > Log: > mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing > the OCSP response for a different certificate. mod_ssl has an additional > global mutex, "ssl-stapling-refresh". > [] > > Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1679032&r1=1679031&r2=1679032&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Tue May 12 18:59:29 2015 [] > + > +static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx, > + OCSP_RESPONSE **rsp, BOOL *ok, > + certinfo *cinf, apr_pool_t *p) > +{ > + int rv; > + > + /* Check to see if we already have a response for this certificate */ > + rv = stapling_get_cached_response(s, rsp, ok, cinf, p); > + if (rv == FALSE) { > + return SSL_TLSEXT_ERR_ALERT_FATAL; > + } > + > + if (*rsp) { > + /* see if response is acceptable */ > + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953) > + "stapling_cb: retrieved cached response"); > + rv = stapling_check_response(s, mctx, cinf, *rsp, NULL); > + if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) { > + OCSP_RESPONSE_free(*rsp); > + return SSL_TLSEXT_ERR_ALERT_FATAL; > + } > + else if (rv == SSL_TLSEXT_ERR_NOACK) { > + /* Error in response. If this error was not present when it was > + * stored (i.e. response no longer valid) then it can be > + * renewed straight away. > + * > + * If the error *was* present at the time it was stored then we > + * don't renew the response straight away; we just wait for the > + * cached response to expire. > + */ > + if (ok) {
if (*ok) ? Or maybe 'ok' shouldn't be a pointer (not updated here)? > + OCSP_RESPONSE_free(*rsp); > + *rsp = NULL; > + } > + else if (!mctx->stapling_return_errors) { > + OCSP_RESPONSE_free(*rsp); > + return SSL_TLSEXT_ERR_NOACK; > + } > + } > + } > + return 0; > +} > + Regards, Yann.
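Review bot: in get_and_check_cached_response, the `if (ok) {` test in the SSL_TLSEXT_ERR_NOACK branch checks the `BOOL *ok` pointer rather than the value it points to, so it is always true whenever the caller passes a valid address (which it must, since `ok` is handed to stapling_get_cached_response as an out-parameter); the `else if (!mctx->stapling_return_errors)` branch is therefore unreachable and stale responses are always dropped regardless of SSLStaplingReturnResponderErrors. Suggest `if (*ok) {` so the freshness flag filled in by stapling_get_cached_response actually drives the decision. As a secondary point, the two early-return paths (`OCSP_RESPONSE_free(*rsp); return SSL_TLSEXT_ERR_ALERT_FATAL;` and the NOACK return) free `*rsp` without setting it to NULL, unlike the renew path, which does `*rsp = NULL;` after the free; setting it to NULL on every free keeps the caller from ever seeing a dangling OCSP_RESPONSE pointer.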