Changeset eb21e89 in mod_gnutls for test/tests


Timestamp:
Jul 29, 2021, 2:52:48 PM (4 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
e809a17a
Parents:
b762e4e
Message:

Fix server_rec references in mgs_get_ocsp_response()

During the handshake the base_server of the relevant conn_rec is
always the first vhost matching the host/port combination of the
incoming connection. By the time an OCSP response is requested
mod_gnutls may already have selected another server based on SNI, but
Apache hasn't updated the conn_rec yet. In that case c->base_server
does not refer to the right server, and if that server reference is
used to get the mod_gnutls configuration it'll be the wrong one.

That behavior caused a bug where caching a fresh OCSP response during
handshake failed if the initial vhost had OCSP stapling disabled,
because with stapling disabled the cache lifetime is set to -1. In
other cases a wrong cache lifetime might have been used.

The bug is fixed by using the mod_gnutls server configuration
referenced by the mod_gnutls connection structure, which has already
been updated by the SNI parsing code. It contains a reference to the
correct server_rec.

This commit also contains a regression test.

Location:
test/tests
Files:
4 added
1 edited

  • test/tests/Makefile.am

    rb762e4e reb21e89  
    2222        27_OCSP_server/apache.conf 27_OCSP_server/hooks.py 27_OCSP_server/ocsp.conf 27_OCSP_server/test.yaml \
    2323        28_HTTP2_support/apache.conf 28_HTTP2_support/hooks.py \
     24        29_OCSP_server_no_async/apache.conf 29_OCSP_server_no_async/hooks.py 29_OCSP_server_no_async/ocsp.conf 29_OCSP_server_no_async/test.yaml \
    2425        30_ip_based_vhosts/apache.conf 30_ip_based_vhosts/hooks.py 30_ip_based_vhosts/test.yaml \
    2526        34_TLS_reverse_proxy_h2/apache.conf 34_TLS_reverse_proxy_h2/hooks.py 34_TLS_reverse_proxy_h2/backend.conf 34_TLS_reverse_proxy_h2/test.yaml \
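Review bot: The test name on the added line 24, 29_OCSP_server_no_async, does not say what the regression is actually about. According to the commit message, the failure needs an initial vhost with OCSP stapling disabled and a different vhost selected by SNI, so that c->base_server points at the wrong server. Please state that precondition in a comment at the top of 29_OCSP_server_no_async/apache.conf or test.yaml, so a later cleanup of the vhost order does not silently turn the test into one that passes without the fix. The four files listed here match the "4 added" count, but their contents are not part of this view, so the vhost order and the stapling setting of the first vhost cannot be checked from this hunk.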