httpd-cvs mailing list archives

From rj...@apache.org
Subject svn commit: r1729500 - /httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
Date Tue, 09 Feb 2016 23:20:50 GMT
Author: rjung
Date: Tue Feb  9 23:20:50 2016
New Revision: 1729500

URL: http://svn.apache.org/viewvc?rev=1729500&view=rev
Log:
OpenSSL 1.1.0 support
- no need to check for opaque "valid" cert
  flag, since we get here only if internal
  certificate verification of OpenSSL returned
  ok=1.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1729500&r1=1729499&r2=1729500&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Tue Feb  9 23:20:50 2016
@@ -262,17 +262,21 @@ int modssl_verify_ocsp(X509_STORE_CTX *c
                       "No cert available to check with OCSP");
         return 1;
     }
-    /* XXX: OpenSSL 1.1.0: cert->valid not available in OpenSSL 1.1.0
-     * and I have found no accessor method. What to do? */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
     else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+#else
+    /* No need to check cert->valid, because modssl_verify_ocsp() only
+     * is called if OpenSSL already successfully verified the certificate
+     * (parameter "ok" in ssl_callback_SSLVerify() must be true).
+     */
+    else if (X509_check_issued(cert,cert) == X509_V_OK) {
+#endif
         /* don't do OCSP checking for valid self-issued certs */
         ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
                       "Skipping OCSP check for valid self-issued cert");
         X509_STORE_CTX_set_error(ctx, X509_V_OK);
         return 1;
     }
-#endif
 
     /* Create a temporary pool to constrain memory use (the passed-in
      * pool may be e.g. a connection pool). */
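Review bot: the justification given in the new comment ("modssl_verify_ocsp() only is called if OpenSSL already successfully verified the certificate") applies just as much to the pre-1.1.0 branch, so keeping `cert->valid && X509_check_issued(cert,cert) == X509_V_OK` there while the 1.1.0 branch drops `cert->valid` leaves the two builds skipping OCSP under different conditions for the same stated reason. If the precondition on `ok` really holds, both branches can collapse to the single `else if (X509_check_issued(cert,cert) == X509_V_OK) {` and the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#else` / `#endif` can go; if it is instead a contract the caller must honour, it belongs in a comment (or an assertion on `ok`) at the call site in ssl_callback_SSLVerify() as well, since any future caller that reaches this function with an unverified chain would now skip the OCSP check for every self-issued certificate with no `cert->valid` guard to catch it. Minor wording in the comment: "only is called" reads better as "is only called".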


