Branch: main

Last change on this file was eb21e89, checked in by Fiona Klute <fiona.klute@…>, 20 months ago:
Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.
Property mode set to 100644. File size: 452 bytes.
File contents (rev eb21e89, a Python test hook for the mod_gnutls test suite):

import os
import re
from mgstest import require_match
from unittest import SkipTest


def prepare_env():
    # The OCSP responder port is only set when the test setup could
    # start a responder; without it the stapling test cannot run.
    if 'OCSP_PORT' not in os.environ:
        raise SkipTest('OCSP_PORT is not set, check if openssl is available.')


def post_check(conn_log, response_log):
    # The client log must show that the handshake included a stapled
    # OCSP response; require_match raises if the pattern is not found.
    print('Checking if the client actually got a stapled response:')
    print(require_match(re.compile(r'^- Options: .*OCSP status request,'),
                        conn_log).group(0))