httpd-cvs mailing list archives

From s.@apache.org
Subject svn commit: r1137398 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_ocsp.c
Date Sun, 19 Jun 2011 18:19:43 GMT
Author: sf
Date: Sun Jun 19 18:19:42 2011
New Revision: 1137398

URL: http://svn.apache.org/viewvc?rev=1137398&view=rev
Log:
Don't do OCSP checks for valid self-issued certs

Submitted by: Kaspar Brand

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1137398&r1=1137397&r2=1137398&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Jun 19 18:19:42 2011
@@ -2,6 +2,8 @@
 
 Changes with Apache 2.3.13
 
+  *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
+
   *) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
      PR 48215. [Kaspar Brand]
 
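Review bot: The new CHANGES entry "mod_ssl: Don't do OCSP checks for valid self-issued certs" leaves open what "valid" means to an operator reading release notes; it should say that the exemption applies only to a self-issued certificate that OpenSSL has already marked valid during chain verification (the `valid` flag on the X509 object), so a self-issued cert that merely appears in a chain is not skipped. A PR reference would also help, if a bug report exists; the neighbouring entry ("PR 48215. [Kaspar Brand]") carries one, and this one does not.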

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1137398&r1=1137397&r2=1137398&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Jun 19 18:19:42 2011
@@ -251,7 +251,15 @@ int modssl_verify_ocsp(X509_STORE_CTX *c
     X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
     apr_pool_t *vpool;
     int rv;
-    
+
+    /* don't do OCSP checking for valid self-issued certs */
+    if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+                      "Skipping OCSP check for valid self-issued cert");
+        X509_STORE_CTX_set_error(ctx, X509_V_OK);
+        return 1;
+    }
+
     /* Create a temporary pool to constrain memory use (the passed-in
      * pool may be e.g. a connection pool). */
     apr_pool_create(&vpool, pool);
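Review bot: The condition `if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK)` reads OpenSSL's internal `valid` member of `struct x509_st` directly, so this code is tied to a private struct layout and to that flag having already been set by OpenSSL's verifier for the current cert when mod_ssl's callback runs; the comment above it should state both assumptions (where OpenSSL sets `valid`, and that mod_ssl never sets it), and wrapping the access in a single local helper would keep the dependency in one place if the struct ever becomes opaque. Also worth spelling out in that comment: `X509_check_issued(cert, cert) == X509_V_OK` only establishes that the cert is self-issued (issuer name matches subject, key identifiers consistent), not that its signature has been checked, which is why the `valid` half of the condition is required rather than redundant. Minor: the first hunk line replaces a whitespace-only line (`-    `) with an empty one, which is fine but unrelated to the change and would be cleaner as a separate whitespace commit.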


