Hi Steve,
thanks a lot for your review and comments. More inline.
Am 09.02.2016 um 13:34 schrieb Dr Stephen Henson:
On 09/02/2016 10:20, Rainer Jung wrote:
3) ssl_engine_ocsp.c
In modssl_verify_ocsp() the following code accesses the struct member "valid",
for which currently no accessor function exists in 1.1.0:
268 else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
269 /* don't do OCSP checking for valid self-issued certs */
270 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
271 "Skipping OCSP check for valid self-issued cert");
272 X509_STORE_CTX_set_error(ctx, X509_V_OK);
273 return 1;
274 }
It's not clear what that code is supposed to do. The check isn't for
"self-issued" because that would just require comparing the subject and issuer
names it is actually checking for a self signed certificate.
Is it supposed to be skipping OCSP checking for a trusted root?
The svn log message says "Don't do OCSP checks for valid self-issued
certs". The change was discussed here
http://marc.info/?t=129214629500002&r=1&w=2
with some older discussion here
http://marc.info/?t=119636863800005&r=1&w=2
As far as I get it, it is meant as an optimization to skip OCSP in cases
where it isn't needed or useful. But I'm far from being an expert here.
Kaspar, who introduced it originally formulated "prevents mod_ssl from
doing unnecessary OCSP checks (valid self-issued certs, i.e. trust
anchors configured through SSLCACertificate{File,Path})".
I'll CC Kaspar directly.
4) ssl_util_stapling.c
In ssl_stapling_init_cert() there's a compiler warning:
"passing argument 1 of 'sk_value' from incompatible pointer type
expected 'const struct _STACK *' but argument is of type
'struct stack_st_OPENSSL_STRING *'":
179 cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0));
In ssl_private.h the checks like this:
#ifndef sk_OPENSSL_STRING_value
#define sk_OPENSSL_STRING_value sk_value
#endif
no longer work because stacks are now inline functions. If you put that block
round an appropriate #ifdef it should be fine.
I had a quick look at the changes and did notice that some of the direct
structure access (extensions, X509_NAME) is unnecessary in existing versions of
OpenSSL. So in some cases you don't need to only use them for 1.1: they'll work
in all versions of OpenSSL but it's only in 1.1 they are enforced.
I'll get this tested/included. I kept the direct structure accesses for
pre-1.1.0 just for the moment to stay on the safe side. Once this works
reasonably well, I'll clean up the code to reduce the version dependent
ifdefs.
Getting closer :)
Regards,
Rainer
