Launchpad has imported 4 comments from the remote bug at https://bz.apache.org/bugzilla/show_bug.cgi?id=63679.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2019-08-21T12:01:44+00:00 Luhliari wrote:

Created attachment 36728
Patch fixing the bug

Hi all,

in the commit r1826995 the following change has been made to the ssl_callback_SSLVerify function in ssl_engine_kernel.c:

- if (ok && sc->server->ocsp_enabled == TRUE) { + if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) || + (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {

Instead of using sc->server, mctx should be used. It now causes weird behavior, since ocsp_mask is by default set to UNSET (which is -1, translated to signed int...). When a proxy is set on the same server, the if-condition above will be true.

I'm proposing this change:

- if (ok && sc->server->ocsp_enabled) { + if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) || + (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {

It was working before, because ocsp_enabled was by default set to FALSE. ocsp_mask is UNSET by default now and is set either to proxy or server structure in sc. If sc with is_proxy is passed here, it will result in a bug.

Attaching patch. Please merge it to 2.4.x if possible.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1930430/comments/0

------------------------------------------------------------------------
On 2019-08-23T10:46:13+00:00 Ylavic-dev wrote:

Thanks for spotting and the patch, applied in r1865740.
I will propose it for backport soon, waiting a bit for others' review.

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1930430/comments/1

------------------------------------------------------------------------
On 2020-01-02T13:32:00+00:00 Ylavic-dev wrote:

Backported to 2.4.x (r1872226), will be in the next release.
Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1930430/comments/2

------------------------------------------------------------------------
On 2020-06-20T12:21:16+00:00 tititou wrote:

This is part of 2.4.42

Reply at: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1930430/comments/3

** Changed in: apache2
       Status: Unknown => Fix Released

** Changed in: apache2
   Importance: Unknown => Medium

https://bugs.launchpad.net/bugs/1930430

Title:
  Apache2 Certificate Chain Verification within Proxy not Working after dist-upgrade to focal
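
Review bot: in the proposed change, the removed line `if (ok && sc->server->ocsp_enabled) {` does not match the condition that r1826995 left in place (the `sc->server->ocsp_mask` test quoted in the first hunk), so the inline diff would not apply as written; the attached patch should be checked to confirm it removes the ocsp_mask form. On the added lines, the bit tests on `mctx->ocsp_mask` still evaluate true for any nonzero flag if that mask is ever left at UNSET (-1), which is the same failure the report describes for `sc->server`. The hunk does not show where mctx is chosen for proxy versus server connections or where an UNSET mask receives a default, so a short comment naming that dependency, or an explicit UNSET guard at this condition, would make the check safe to read in isolation.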
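
The condition discussed in the first comment, as an added example that is not part of the original report or of mod_ssl: it shows why testing flag bits on a mask still holding UNSET (-1) reports OCSP checking as wanted at every depth, and how reading the connection's own context avoids that. The flag values, struct layouts, function names and the is_proxy selection are assumptions; only UNSET, ocsp_mask and the SSL_OCSPCHECK_* names come from the report.

```c
#include <stdio.h>

#define UNSET (-1)              /* default named in the report */
/* Flag values are assumed for this example; only the names are on the page. */
#define SSL_OCSPCHECK_LEAF  1
#define SSL_OCSPCHECK_CHAIN 2

/* Simplified stand-ins for the real mod_ssl structures (assumed layout). */
typedef struct { int ocsp_mask; } ctx_t;
typedef struct { ctx_t server; ctx_t proxy; } conf_t;

/* The bit test from the report, applied to whichever context is passed in. */
static int ocsp_wanted(const ctx_t *c, int errdepth)
{
    return (c->ocsp_mask & SSL_OCSPCHECK_CHAIN)
        || (errdepth == 0 && (c->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Behaviour after r1826995: always consults the server-side context. */
static int check_buggy(const conf_t *sc, int is_proxy, int errdepth)
{
    (void)is_proxy;
    return ocsp_wanted(&sc->server, errdepth);
}

/* Behaviour of the proposed fix: consults the context of this connection
   (how mctx is selected is an assumption of this example). */
static int check_fixed(const conf_t *sc, int is_proxy, int errdepth)
{
    const ctx_t *mctx = is_proxy ? &sc->proxy : &sc->server;
    return ocsp_wanted(mctx, errdepth);
}

int main(void)
{
    /* Constructed scenario: the proxy context has OCSP off (0), the
       server context was never configured and still holds UNSET. */
    conf_t sc = { { UNSET }, { 0 } };
    for (int depth = 0; depth < 2; depth++)
        printf("depth %d: buggy=%d fixed=%d\n", depth,
               check_buggy(&sc, 1, depth), check_fixed(&sc, 1, depth));
    return 0;
}
```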
