author | Yann Ylavic <ylavic@apache.org> | 2014-03-30 19:25:20 +0000 |
committer | Yann Ylavic <ylavic@apache.org> | 2014-03-30 19:25:20 +0000 |
commit | 6508ac17c253825aec9665f0ad93ba65ac54235f (patch) | |
tree | f6fd95bdeea6ac7e1298e13661954845d843eb75 /modules/ssl/ssl_engine_ocsp.c | |
parent | 8ac4515e6045c5f8b79d964b16c2a107c1c8162d (diff) | |
download | httpd-6508ac17c253825aec9665f0ad93ba65ac54235f.tar.gz |
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1583191 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ssl/ssl_engine_ocsp.c')
-rw-r--r-- | modules/ssl/ssl_engine_ocsp.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index b9fca6577d..3992dff4b0 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -104,7 +104,8 @@ static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
 * request object on success, or NULL on error. */
 static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
 OCSP_CERTID **certid,
- server_rec *s, apr_pool_t *p)
+ server_rec *s, apr_pool_t *p,
+ SSLSrvConfigRec *sc)
 {
 OCSP_REQUEST *req = OCSP_REQUEST_new();
@@ -116,7 +117,9 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
 return NULL;
 }
- OCSP_request_add1_nonce(req, 0, -1);
+ if (sc->server->ocsp_use_request_nonce != FALSE) {
+ OCSP_request_add1_nonce(req, 0, -1);
+ }
 return req;
 }
@@ -139,7 +142,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 return V_OCSP_CERTSTATUS_UNKNOWN;
 }
- request = create_request(ctx, cert, &certID, s, pool);
+ request = create_request(ctx, cert, &certID, s, pool, sc);
 if (request) {
 apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
 apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
@@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 }
 }
- if (rc == V_OCSP_CERTSTATUS_GOOD) {
+ if (rc == V_OCSP_CERTSTATUS_GOOD &&
+ sc->server->ocsp_use_request_nonce != FALSE) {
 if (OCSP_check_nonce(request, basicResponse) != 1) {
 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
 "Bad OCSP responder answer (bad nonce)"); |
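Review bot: The block comment introducing create_request, whose first line lies above the hunk, still documents only the return contract and says nothing about the new `sc` parameter or that it is read to decide whether a nonce is attached, so a reader of the signature cannot tell why both `s` and `sc` are passed. I would extend the comment with `* A nonce is attached only when sc->server->ocsp_use_request_nonce is not FALSE (SSLOCSPUseRequestNonce); sc must be the mod_ssl config of s.` If the per-server config is derivable from `s` inside the function (mod_ssl has such a lookup, but it is not visible in this hunk), the signature could have stayed unchanged — a style choice, not a defect. create_request's body continues past the hunk.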
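Review bot: Skipping the nonce removes the only binding between this request and the answer, so a captured "good" response can be replayed to this server for the whole of its validity window, and nothing at the point where the nonce is dropped records that trade-off; a later reader may well "fix" the condition away. I would put above the new `if` in create_request: `/* Nonce disabled (SSLOCSPUseRequestNonce off): the response is not tied to this request, so replay protection rests solely on the thisUpdate/nextUpdate validity checks in verify_ocsp_status(). */` — I am assuming those validity checks remain in verify_ocsp_status, as they are outside this hunk. The enclosing function starts before the hunk.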
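Review bot: The guard `sc->server->ocsp_use_request_nonce != FALSE` now appears twice, here and in create_request, and the two must stay spelled identically: if one drifted to `== TRUE` while the other kept `!= FALSE`, a request would go out without a nonce but the answer would still be checked for one, and since OCSP_check_nonce() returns 1 only when both sides carry a matching nonce, every OCSP lookup would then fail with APLOGNO(01924). Because this file uses an UNSET tri-state for ocsp_responder_timeout (visible in the hunk above), `!= FALSE` also means an absent directive keeps the nonce on — presumably intended, but worth stating next to the condition: `/* != FALSE: UNSET (directive absent) keeps the nonce on; must match create_request() */`. A small `static int ocsp_use_nonce(const SSLSrvConfigRec *sc)` helper called from both sites would remove the duplication altogether. verify_ocsp_status continues beyond the hunk.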