Changeset eb21e89 in mod_gnutls


Timestamp:
Jul 29, 2021, 2:52:48 PM (2 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
e809a17a
Parents:
b762e4e
Message:

Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.

Files:
4 added
3 edited

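--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -816,5 +816,5 @@
 
     apr_status_t rv = mgs_cache_fetch(sc->ocsp_cache,
-                                      ctxt->c->base_server,
+                                      sc->s,
                                       req_data->fingerprint,
                                       ocsp_response,
@@ -829,5 +829,5 @@
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
                       "Cached OCSP failure found for %s.",
-                      ctxt->c->base_server->server_hostname);
+                      sc->s->server_hostname);
         goto fail_cleanup;
     }
@@ -853,5 +853,5 @@
          * Apache Mutex directive. */
         rv = mgs_cache_fetch(sc->ocsp_cache,
-                             ctxt->c->base_server,
+                             sc->s,
                              req_data->fingerprint,
                              ocsp_response,
@@ -865,5 +865,5 @@
                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, ctxt->c,
                               "Cached OCSP failure found for %s.",
-                              ctxt->c->base_server->server_hostname);
+                              sc->s->server_hostname);
                 goto fail_cleanup;
             }
@@ -878,5 +878,5 @@
     }
 
-    rv = mgs_cache_ocsp_response(ctxt->c->base_server, req_data, NULL);
+    rv = mgs_cache_ocsp_response(sc->s, req_data, NULL);
     if (rv != APR_SUCCESS)
     {
@@ -884,5 +884,5 @@
                       "Caching a fresh OCSP response failed");
         /* cache failure to rate limit retries */
-        mgs_cache_ocsp_failure(ctxt->c->base_server,
+        mgs_cache_ocsp_failure(sc->s,
                                req_data,
                                sc->ocsp_failure_timeout);
@@ -894,5 +894,5 @@
     /* retry reading from cache */
     rv = mgs_cache_fetch(sc->ocsp_cache,
-                         ctxt->c->base_server,
+                         sc->s,
                          req_data->fingerprint,
                          ocsp_response,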
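--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -39,4 +39,5 @@
         test-27_OCSP_server.bash \
         test-28_HTTP2_support.bash \
+        test-29_OCSP_server_no_async.bash \
         test-30_ip_based_vhosts.bash \
         test-34_TLS_reverse_proxy_h2.bash \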
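--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -22,4 +22,5 @@
         27_OCSP_server/apache.conf 27_OCSP_server/hooks.py 27_OCSP_server/ocsp.conf 27_OCSP_server/test.yaml \
         28_HTTP2_support/apache.conf 28_HTTP2_support/hooks.py \
+        29_OCSP_server_no_async/apache.conf 29_OCSP_server_no_async/hooks.py 29_OCSP_server_no_async/ocsp.conf 29_OCSP_server_no_async/test.yaml \
         30_ip_based_vhosts/apache.conf 30_ip_based_vhosts/hooks.py 30_ip_based_vhosts/test.yaml \
         34_TLS_reverse_proxy_h2/apache.conf 34_TLS_reverse_proxy_h2/hooks.py 34_TLS_reverse_proxy_h2/backend.conf 34_TLS_reverse_proxy_h2/test.yaml \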