httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 56233] Make OCSP nonce extension for client certificate revocation checking configurable
Date Sun, 30 Mar 2014 08:56:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56233

--- Comment #5 from Kaspar Brand <asfbugz@velox.ch> ---
(In reply to Yann Ylavic from comment #4)
> This patch (trunk/2.4.x/2.4.9) adds the new SSLOCSPUseQueryNonce directive
> to enable (default) or disable the nonce in OCSP queries.

Thanks for taking this up, Yann. You also need to wrap the OCSP_check_nonce
call with an "if (sc->server->ocsp_use_query_nonce != FALSE)" - from OpenSSL's
crypto/ocsp/ocsp_ext.c:

/* Check nonce validity in a request and response.
 * Return value reflects result:
 *  1: nonces present and equal.
 *  2: nonces both absent.
 *  3: nonce present in response only.
 *  0: nonces both present and not equal.
 * -1: nonce in request only.
 *
 *  For most responders clients can check return > 0.
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */

-- 
You are receiving this mail because:
You are the assignee for the bug.
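Added example for this page (not code from httpd, from the patch under discussion, or from OpenSSL): a small C model of the OCSP_check_nonce() return-value contract quoted in comment #5 and of the "only check the nonce if one was sent" guard Kaspar asks for. The nonce comparison is re-implemented here so the file builds without libcrypto; model_check_nonce, model_response_acceptable, nonce_policy and the sample nonces are names invented for this example, and the nonce bytes are constructed, not captured OCSP traffic.

```c
/* Added example for this page: a libcrypto-free model of OCSP_check_nonce()'s
 * return codes and of the "only check when a nonce was sent" guard. Not code
 * from httpd, the patch or OpenSSL; all names below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The id-pkix-ocsp-nonce extension value; len == 0 models "extension absent". */
typedef struct {
    const uint8_t *data;
    size_t len;
} ocsp_nonce;

/* Same contract as documented in OpenSSL's crypto/ocsp/ocsp_ext.c:
 *   1 present and equal, 2 both absent, 3 response only,
 *   0 both present but different, -1 request only. */
int model_check_nonce(const ocsp_nonce *req, const ocsp_nonce *resp)
{
    if (req->len == 0 && resp->len == 0)
        return 2;
    if (req->len == 0)
        return 3;
    if (resp->len == 0)
        return -1;
    if (req->len == resp->len && memcmp(req->data, resp->data, req->len) == 0)
        return 1;
    return 0;  /* different nonce: a replayed or foreign response, always an error */
}

/* The thresholds the OpenSSL comment discusses, plus the strictest one. */
enum nonce_policy {
    POLICY_GT_ZERO,  /* rc > 0: "for most responders" */
    POLICY_NE_ZERO,  /* rc != 0: tolerate responders that drop the nonce */
    POLICY_EQ_ONE    /* rc == 1: require the echoed nonce unconditionally */
};

/* Decision the client makes on a received response. use_query_nonce models
 * the proposed SSLOCSPUseQueryNonce setting: when it is off, the request was
 * built without a nonce and OCSP_check_nonce is not consulted at all (the
 * "if (... != FALSE)" wrap from comment #5). Returns 1 = accept, 0 = reject. */
int model_response_acceptable(int use_query_nonce, enum nonce_policy policy,
                              const ocsp_nonce *req, const ocsp_nonce *resp)
{
    int rc;

    if (!use_query_nonce)
        return 1;

    rc = model_check_nonce(req, resp);
    switch (policy) {
    case POLICY_GT_ZERO: return rc > 0;
    case POLICY_NE_ZERO: return rc != 0;
    case POLICY_EQ_ONE:  return rc == 1;
    }
    return 0;
}

/* Constructed sample nonces (not real OCSP traffic). */
static const uint8_t nonce_a_bytes[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
static const uint8_t nonce_b_bytes[] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05 };
const ocsp_nonce NONCE_A = { nonce_a_bytes, sizeof nonce_a_bytes };
const ocsp_nonce NONCE_B = { nonce_b_bytes, sizeof nonce_b_bytes };
const ocsp_nonce NONCE_ABSENT = { NULL, 0 };

int main(void)
{
    /* Responder that ignores nonces: request carried one, response did not. */
    printf("nonce sent, responder dropped it : rc=%d, accept(>0)=%d accept(!=0)=%d\n",
           model_check_nonce(&NONCE_A, &NONCE_ABSENT),
           model_response_acceptable(1, POLICY_GT_ZERO, &NONCE_A, &NONCE_ABSENT),
           model_response_acceptable(1, POLICY_NE_ZERO, &NONCE_A, &NONCE_ABSENT));
    /* Replayed or wrong response: nonces differ, rejected under every policy. */
    printf("nonce sent, mismatch             : rc=%d, accept(!=0)=%d\n",
           model_check_nonce(&NONCE_A, &NONCE_B),
           model_response_acceptable(1, POLICY_NE_ZERO, &NONCE_A, &NONCE_B));
    /* Nonce disabled by configuration: with the guard the check is skipped;
     * without it a strict rc == 1 caller would reject its own nonce-free query. */
    printf("nonce disabled, guard on / raw rc: accept=%d / rc=%d\n",
           model_response_acceptable(0, POLICY_EQ_ONE, &NONCE_ABSENT, &NONCE_ABSENT),
           model_check_nonce(&NONCE_ABSENT, &NONCE_ABSENT));
    return 0;
}
```

Build with `cc -o nonce_model nonce_model.c && ./nonce_model`. The model makes two things visible that the quoted comment only states: a mismatched nonce (rc 0) is rejected under every threshold, which is the replay protection the nonce exists for, while a responder that silently drops the nonce (rc -1) is accepted only under the `!= 0` threshold. Whether the guard changes the outcome depends on which threshold the caller uses: with `rc > 0`, a nonce-free request yields 2 or 3 and passes anyway, whereas a strict `rc == 1` caller would reject its own intentionally nonce-free query unless OCSP_check_nonce is skipped when the directive is off.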

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

