From Jeff Trawick <traw...@gmail.com>
Subject Re: svn commit: r1679032 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_private.h modules/ssl/ssl_util_stapling.c
Date Wed, 13 May 2015 12:34:26 GMT
On 05/12/2015 04:50 PM, Jeff Trawick wrote:
> On 05/12/2015 03:32 PM, Yann Ylavic wrote:
>> On Tue, May 12, 2015 at 8:59 PM, <trawick@apache.org> wrote:
>>> Author: trawick
>>> Date: Tue May 12 18:59:29 2015
>>> New Revision: 1679032
>>>
>>> URL: http://svn.apache.org/r1679032
>>> Log:
>>> mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
>>> the OCSP response for a different certificate.  mod_ssl has an additional
>>> global mutex, "ssl-stapling-refresh".
>>>
>> []
>>> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c
>>> URL: 
>>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c?rev=1679032&r1=1679031&r2=1679032&view=diff
>>> ==============================================================================
>>>
>>> --- httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c (original)
>>> +++ httpd/httpd/trunk/modules/ssl/ssl_util_stapling.c Tue May 12 
>>> 18:59:29 2015
>> []
>>> +
>>> +static int get_and_check_cached_response(server_rec *s, 
>>> modssl_ctx_t *mctx,
>>> +                                         OCSP_RESPONSE **rsp, BOOL 
>>> *ok,
>>> +                                         certinfo *cinf, apr_pool_t 
>>> *p)
>>> +{
>>> +    int rv;
>>> +
>>> +    /* Check to see if we already have a response for this 
>>> certificate */
>>> +    rv = stapling_get_cached_response(s, rsp, ok, cinf, p);
>>> +    if (rv == FALSE) {
>>> +        return SSL_TLSEXT_ERR_ALERT_FATAL;
>>> +    }
>>> +
>>> +    if (*rsp) {
>>> +        /* see if response is acceptable */
>>> +        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01953)
>>> +                     "stapling_cb: retrieved cached response");
>>> +        rv = stapling_check_response(s, mctx, cinf, *rsp, NULL);
>>> +        if (rv == SSL_TLSEXT_ERR_ALERT_FATAL) {
>>> +            OCSP_RESPONSE_free(*rsp);
>>> +            return SSL_TLSEXT_ERR_ALERT_FATAL;
>>> +        }
>>> +        else if (rv == SSL_TLSEXT_ERR_NOACK) {
>>> +            /* Error in response. If this error was not present 
>>> when it was
>>> +             * stored (i.e. response no longer valid) then it can be
>>> +             * renewed straight away.
>>> +             *
>>> +             * If the error *was* present at the time it was stored 
>>> then we
>>> +             * don't renew the response straight away; we just wait 
>>> for the
>>> +             * cached response to expire.
>>> +             */
>>> +            if (ok) {
>> if (*ok) ?
>> Or maybe 'ok' shouldn't be a pointer (not updated here)?
>
> Thanks a bunch!  I'll sort it out tomorrow 

r1679192

> and make sure I'm testing more paths.

TBD :)

Thanks again!

>>
>>> + OCSP_RESPONSE_free(*rsp);
>>> +                *rsp = NULL;
>>> +            }
>>> +            else if (!mctx->stapling_return_errors) {
>>> +                OCSP_RESPONSE_free(*rsp);
>>> +                return SSL_TLSEXT_ERR_NOACK;
>>> +            }
>>> +        }
>>> +    }
>>> +    return 0;
>>> +}
>>> +
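Review bot: the two early returns that call OCSP_RESPONSE_free(*rsp) (the SSL_TLSEXT_ERR_ALERT_FATAL branch after stapling_check_response and the `else if (!mctx->stapling_return_errors)` branch) leave *rsp pointing at freed memory, whereas the renew branch correctly follows the free with `*rsp = NULL;`. Since rsp is an out-parameter, a caller that inspects *rsp on a non-zero return would see a dangling pointer; suggest adding `*rsp = NULL;` after each of those frees, or leaving the free to the caller. Separately, `if (ok)` tests the pointer rather than the BOOL it points to, so with a non-NULL out-parameter the renew branch is always taken; it should be `if (*ok)`, as Yann notes, or `ok` should be passed by value since this function never writes through it.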
>> Regards,
>> Yann.
>