git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ocsp_force_default initialized with UNSET in httpd 2.4.34


We experience a problem with OCSP since Apache HTTP Server 2.4.34. Certificates, which do include a OCSP responder URL and worked well with 2.4.33 are now reported that they don't. Log Message: "AH01918: no OCSP responder specified in certificate and no default configured".

After git bisect I found the commit which introduced this behaviour [1]. And more more precisely the line in "ssl_engine_config.c" where "ocsp_force_default" is initialized with "UNSET" where in 2.4.33 it was initialized with "FALSE". This is a problem, because "ocsp_force_default" is used in a if condition without comparison operator in ssl_engine_ocsp.c:64, therefore resulting in TRUE even it is UNSET.

I propose 2 ways of fixing this. Either let the initialization be like in 2.4.33 (ocsp-fix.patch) or compare the "ocsp_force_default" flag with "TRUE" where it is used (ocsp-fix2.patch).

[1] https://github.com/apache/httpd/commit/7c64b2e46820d5d7576d9f601142cd33c5c8c42b

Cheers, Frank
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 195380e2f3..05d728e4d5 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -138,7 +138,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
 
     mctx->ocsp_mask           = UNSET;
-    mctx->ocsp_force_default  = UNSET;
+    mctx->ocsp_force_default  = FALSE;
     mctx->ocsp_responder      = NULL;
     mctx->ocsp_resptime_skew  = UNSET;
     mctx->ocsp_resp_maxage    = UNSET;
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index bfb8952bf4..ef92c372c1 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -61,7 +61,7 @@ static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
     /* Use default responder URL if forced by configuration, else use
      * certificate-specified responder, falling back to default if
      * necessary and possible. */
-    if (sc->server->ocsp_force_default) {
+    if (sc->server->ocsp_force_default == TRUE) {
         s = sc->server->ocsp_responder;
     }
     else {