source: mod_gnutls/test/tests/29_OCSP_server_no_async/apache.conf

Last change on this file was eb21e89, checked in by Fiona Klute <fiona.klute@…>, 18 months ago

Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.

  • Property mode set to 100644
File size: 579 bytes
1Include ${srcdir}/base_apache.conf
4GnuTLSOCSPAutoRefresh off
5<VirtualHost _default_:${TEST_PORT}>
6        ServerName    
7        GnuTLSEnable            On
8        GnuTLSOCSPStapling      Off
9        GnuTLSCertificateFile   authority/server/x509-chain.pem
10        GnuTLSKeyFile           authority/server/secret.key
13<VirtualHost _default_:${TEST_PORT}>
14        ServerName              ${TEST_HOST}
15        GnuTLSEnable            On
16        GnuTLSOCSPCacheTimeout  120
17        GnuTLSOCSPFailureTimeout 20
18        GnuTLSCertificateFile   authority/subca/server/x509-chain.pem
19        GnuTLSKeyFile           authority/subca/server/secret.key
Note: See TracBrowser for help on using the repository browser.