On 09/02/2016 10:20, Rainer Jung wrote:
>
> 3) ssl_engine_ocsp.c
>
> In modssl_verify_ocsp() the following code accesses the struct member "valid",
> for which currently no accessor function exists in 1.1.0:
>
> 268 else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
> 269 /* don't do OCSP checking for valid self-issued certs */
> 270 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
> 271 "Skipping OCSP check for valid self-issued cert");
> 272 X509_STORE_CTX_set_error(ctx, X509_V_OK);
> 273 return 1;
> 274 }
>

It's not clear what that code is supposed to do. The check isn't for
"self-issued", because that would just require comparing the subject and
issuer names; it is actually checking for a self-signed certificate. Is it
supposed to be skipping OCSP checking for a trusted root?

> 4) ssl_util_stapling.c
>
> In ssl_stapling_init_cert() there's a compiler warning:
> "passing argument 1 of 'sk_value' from incompatible pointer type
> expected 'const struct _STACK *' but argument is of type
> 'struct stack_st_OPENSSL_STRING *'":
>
> 179 cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));

In ssl_private.h the checks like this:

#ifndef sk_OPENSSL_STRING_value
#define sk_OPENSSL_STRING_value sk_value
#endif

no longer work because stacks are now inline functions. If you put that block
inside an appropriate #ifdef it should be fine.

I had a quick look at the changes and did notice that some of the direct
structure access (extensions, X509_NAME) is unnecessary in existing versions
of OpenSSL. So in some cases you don't need to use them only for 1.1: they'll
work in all versions of OpenSSL, but it's only in 1.1 that they are enforced.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com