Context Navigation

apache.conf

Visit:

mod_gnutls/0.12.0

Last change on this file was eb21e89, checked in by Fiona Klute <fiona.klute@…>, 18 months ago

Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.

Property mode set to 100644

File size: 579 bytes

Line
1	Include ${srcdir}/base_apache.conf
2	GnuTLSCache ${DEFAULT_CACHE}
3
4	GnuTLSOCSPAutoRefresh off
5	<VirtualHost _default_:${TEST_PORT}>
6	ServerName test.example.com
7	GnuTLSEnable On
8	GnuTLSOCSPStapling Off
9	GnuTLSCertificateFile authority/server/x509-chain.pem
10	GnuTLSKeyFile authority/server/secret.key
11	</VirtualHost>
12
13	<VirtualHost _default_:${TEST_PORT}>
14	ServerName ${TEST_HOST}
15	GnuTLSEnable On
16	GnuTLSOCSPCacheTimeout 120
17	GnuTLSOCSPFailureTimeout 20
18	GnuTLSCertificateFile authority/subca/server/x509-chain.pem
19	GnuTLSKeyFile authority/subca/server/secret.key
20	</VirtualHost>

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format