On 07/18/2018 11:04 AM, Stefan Eissing wrote:
> It looks as if that was added when ylavic backported?
> 
> r1834089 has the change, but is supposed to be a merge of r1826995, r1827001 
> where this change is not present? (If I read that correctly).
> 

Good catch. Maybe a dirty working copy during backport? Yann?

Regards

Rüdiger

>> On 18.07.2018 at 10:19, Frank Meier <[email protected]> wrote:
>>
>> We experience a problem with OCSP since Apache HTTP Server 2.4.34. 
>> Certificates, which do include an OCSP responder URL and worked well with 
>> 2.4.33 are now reported that they don't. Log Message: "AH01918: no OCSP 
>> responder specified in certificate and no default configured".
>>
>> After git bisect I found the commit which introduced this behaviour [1]. And 
>> more precisely the line in "ssl_engine_config.c" where 
>> "ocsp_force_default" is initialized with "UNSET" where in 2.4.33 it was 
>> initialized with "FALSE". This is a problem, because "ocsp_force_default" is 
>> used in an if condition without comparison operator in ssl_engine_ocsp.c:64, 
>> therefore resulting in TRUE even if it is UNSET.
>>
>> I propose 2 ways of fixing this. Either let the initialization be like in 
>> 2.4.33 (ocsp-fix.patch) or compare the "ocsp_force_default" flag with "TRUE" 
>> where it is used (ocsp-fix2.patch).
>>
>> [1] 
>> https://github.com/apache/httpd/commit/7c64b2e46820d5d7576d9f601142cd33c5c8c42b
>>
>> Cheers, Frank
>> <ocsp-fix.patch><ocsp-fix2.patch>
> 
> 
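
Added example, not part of the original messages and not httpd's own code: a simplified model of the tri-state flag problem reported above, showing the bare truthiness test beside the two fix directions Frank proposes (explicit comparison with TRUE, or a concrete FALSE in place of UNSET). The names `FLAG_*`, `pick_responder_*` and `resolve_flag`, the value -1 for the unset state, and the sample URL are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tri-state flag; values assumed to follow the UNSET/FALSE/TRUE convention
 * named in the thread (UNSET taken to be -1 for this model). */
enum { FLAG_UNSET = -1, FLAG_FALSE = 0, FLAG_TRUE = 1 };

/* Bare truthiness test: every non-zero value, FLAG_UNSET included,
 * forces the default responder and ignores the certificate's URL. */
static const char *pick_responder_bare(int force_default,
                                       const char *cert_url,
                                       const char *default_url)
{
    if (force_default)
        return default_url;          /* NULL when no default is configured */
    return cert_url ? cert_url : default_url;
}

/* Explicit comparison: only FLAG_TRUE forces the default responder. */
static const char *pick_responder_checked(int force_default,
                                          const char *cert_url,
                                          const char *default_url)
{
    if (force_default == FLAG_TRUE)
        return default_url;
    return cert_url ? cert_url : default_url;
}

/* Other fix direction: give an unset flag a concrete value before use. */
static int resolve_flag(int value, int fallback)
{
    return value == FLAG_UNSET ? fallback : value;
}

int main(void)
{
    const char *cert_url = "http://ocsp.example.test/"; /* constructed sample */
    const char *r;

    r = pick_responder_bare(FLAG_UNSET, cert_url, NULL);
    printf("bare test, UNSET:     %s\n", r ? r : "(no responder)");
    r = pick_responder_checked(FLAG_UNSET, cert_url, NULL);
    printf("checked test, UNSET:  %s\n", r ? r : "(no responder)");
    r = pick_responder_bare(resolve_flag(FLAG_UNSET, FLAG_FALSE), cert_url, NULL);
    printf("bare test, resolved:  %s\n", r ? r : "(no responder)");
    return 0;
}
```

With no default responder configured, the bare test on an unset flag yields no responder at all, which is the condition the AH01918 message describes.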
