On 09/02/2016 10:20, Rainer Jung wrote:
> 
> 3) ssl_engine_ocsp.c
> 
> In modssl_verify_ocsp() the following code accesses the struct member "valid",
> for which currently no accessor function exists in 1.1.0:
> 
> 268     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
> 269         /* don't do OCSP checking for valid self-issued certs */
> 270         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
> 271                       "Skipping OCSP check for valid self-issued cert");
> 272         X509_STORE_CTX_set_error(ctx, X509_V_OK);
> 273         return 1;
> 274     }
> 
> 

It's not clear what that code is supposed to do. The check isn't for
"self-issued" because that would just require comparing the subject and issuer
names; it is actually checking for a self-signed certificate.

Is it supposed to be skipping OCSP checking for a trusted root?

> 4) ssl_util_stapling.c
> 
> In ssl_stapling_init_cert() there's a compiler warning:
>   "passing argument 1 of 'sk_value' from incompatible pointer type
>    expected 'const struct _STACK *' but argument is of type
>    'struct stack_st_OPENSSL_STRING *'":
> 
> 179        cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
>

In ssl_private.h the checks like this:

#ifndef sk_OPENSSL_STRING_value
#define sk_OPENSSL_STRING_value sk_value
#endif

no longer work because stacks are now inline functions. If you put that block
round an appropriate #ifdef it should be fine.

I had a quick look at the changes and did notice that some of the direct
structure access (extensions, X509_NAME) is unnecessary in existing versions of
OpenSSL. So in some cases you don't need to only use them for 1.1: they'll work
in all versions of OpenSSL but it's only in 1.1 they are enforced.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
