source: mod_gnutls/test/tests/29_OCSP_server_no_async/

Last change on this file was eb21e89, checked in by Fiona Klute <fiona.klute@…>, 20 months ago

Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.

  • Property mode set to 100644
File size: 452 bytes
[eb21e89]1import os
2import re
3from mgstest import require_match
4from unittest import SkipTest
7def prepare_env():
8    if 'OCSP_PORT' not in os.environ:
9        raise SkipTest('OCSP_PORT is not set, check if openssl is available.')
12def post_check(conn_log, response_log):
13    print('Checking if the client actually got a stapled response:')
14    print(require_match(re.compile(r'^- Options: .*OCSP status request,'),
15                        conn_log).group(0))
Note: See TracBrowser for help on using the repository browser.