On 05/12/2015 04:50 PM, Jeff Trawick wrote:
On 05/12/2015 03:32 PM, Yann Ylavic wrote:
On Tue, May 12, 2015 at 8:59 PM, <traw...@apache.org> wrote:
Author: trawick
Date: Tue May 12 18:59:29 2015
New Revision: 1679032

URL: http://svn.apache.org/r1679032
Log:
mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

[]
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1679032&r1=1679031&r2=1679032&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Tue May 12 18:59:29 2015
[]
+
+static int get_and_check_cached_response(server_rec *s, modssl_ctx_t *mctx, + OCSP_RESPONSE **rsp, BOOL *ok, + certinfo *cinf, apr_pool_t *p)
+{
+    int rv;
+
+ /* Check to see if we already have a response for this certificate */
+    rv = stapling_get_cached_response(s, rsp, ok, cinf, p);
+    if (rv == FALSE) {
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
+    if (*rsp) {
+        /* see if response is acceptable */
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
+                     "stapling_cb: retrieved cached response");
+        rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
+        if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
+            OCSP_RESPONSE_free(*rsp);
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+        else if (rv == SSL_TLSEXT_ERR_NOACK) {
+ /* Error in response. If this error was not present when it was
+             * stored (i.e. response no longer valid) then it can be
+             * renewed straight away.
+             *
+ * If the error *was* present at the time it was stored then we + * don't renew the response straight away; we just wait for the
+             * cached response to expire.
+             */
+            if (ok) {
if (*ok) ?
Or maybe 'ok' shouldn't be a pointer (not updated here)?

Thanks a bunch! I'll sort it out tomorrow

r1679192

and make sure I'm testing more paths.

TBD :)

Thanks again!


+ OCSP_RESPONSE_free(*rsp);
+                *rsp = NULL;
+            }
+            else if (!mctx->stapling_return_errors) {
+                OCSP_RESPONSE_free(*rsp);
+                return SSL_TLSEXT_ERR_NOACK;
+            }
+        }
+    }
+    return 0;
+}
+
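Review bot: `if (ok) {` near the end of the first part of this hunk tests the `BOOL *ok` pointer itself rather than the value it points to, so with a non-NULL pointer the "renew straight away" branch (`OCSP_RESPONSE_free(*rsp); *rsp = NULL;`) is always taken and the `else if (!mctx->stapling_return_errors)` branch can never run; the comment block above it describes the intended condition, which is `if (*ok) {` (or pass `ok` by value, since nothing in this function writes through the pointer). Separately, the two early-return paths call `OCSP_RESPONSE_free(*rsp)` without resetting `*rsp = NULL` the way the renew branch does, so the caller is left holding a freed pointer on `SSL_TLSEXT_ERR_ALERT_FATAL` and on the `SSL_TLSEXT_ERR_NOACK` return; clearing `*rsp` after each free keeps the out-parameter consistent on every exit. A one-line comment on the function stating that a 0 return with `*rsp == NULL` means the caller must fetch a fresh response would also help, since that is the only way the renew case is signalled.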
Regards,
Yann.

