From bc...@apache.org
Subject [trafficserver] 04/06: Fixes OCSP warnings when cert has no OCSP URI attached to it
Date Thu, 05 Jul 2018 17:06:03 GMT
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 4fd8a6dcf8e668361d2ddfd8fab2d5e06d2064b8
Author: Randall Meyer <randallmeyer@yahoo.com>
AuthorDate: Tue Jul 3 11:21:41 2018 -0700

    Fixes OCSP warnings when cert has no OCSP URI attached to it
    
    When a certificate does not have the OCSP URI attached to it,
    do not set up OCSP refreshing for it.
    
    (cherry picked from commit 1c089f2b217b4d6b7a74ba44f8bcec1d66288334)
---
 iocore/net/OCSPStapling.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 56ea7c8..dbd5819 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -166,8 +166,6 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname)
   cinf->is_expire   = true;
   cinf->expire_time = 0;
 
-  SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf);
-
   issuer = stapling_get_issuer(ctx, cert);
   if (issuer == nullptr) {
     Note("cannot get issuer certificate from %s", certname);
@@ -183,13 +181,15 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname)
   aia = X509_get1_ocsp(cert);
   if (aia) {
     cinf->uri = sk_OPENSSL_STRING_pop(aia);
+    X509_email_free(aia);
   }
+
   if (!cinf->uri) {
     Note("no OCSP responder URI for %s", certname);
+    return false;
   }
-  if (aia) {
-    X509_email_free(aia);
-  }
+
+  SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf);
 
   Note("successfully initialized stapling for %s into SSL_CTX: %p", certname, ctx);
   return true;
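Review bot: The new `return false` after the "no OCSP responder URI" Note exits with `cinf` no longer attached to the ctx, because `SSL_CTX_set_ex_data` was moved below this point in the first hunk; unless that path releases it outside the hunk, every certificate without an AIA OCSP URI now leaks its cinf (and the issuer it holds), whereas before the ctx's ex_data kept ownership of it. The same question applies to the `issuer == nullptr` exit in the first hunk, whose return is not visible here. I would release cinf with whatever pairs with its allocation before each early return, and document the intent at the new `return false`: `// No AIA OCSP URI: leave the ctx without stapling info so the callback answers NOACK.` ssl_stapling_init_cert begins before this hunk.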
@@ -453,7 +453,7 @@ ssl_callback_ocsp_stapling(SSL *ssl)
   // originally was, cinf = stapling_get_cert_info(ssl->ctx);
   cinf = stapling_get_cert_info(SSL_get_SSL_CTX(ssl));
   if (cinf == nullptr) {
-    Error("ssl_callback_ocsp_stapling: failed to get certificate information");
+    Debug("ssl_ocsp", "ssl_callback_ocsp_stapling: failed to get certificate information");
     return SSL_TLSEXT_ERR_NOACK;
   }
 
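Review bot: The text of the new Debug call still describes a normal condition as a failure: after this change a ctx whose certificate has no OCSP URI deliberately carries no cert info, so NOACK here is the expected outcome rather than an error. I would reword it, e.g. `Debug("ssl_ocsp", "ssl_callback_ocsp_stapling: no stapling info for this SSL_CTX (stapling not configured for its certificate)");`. Note that a genuine lookup failure for a certificate whose init succeeded is now indistinguishable from the no-URI case at this log level; if that distinction matters operationally, a counter or a separate Error path for initialized contexts would preserve it. ssl_callback_ocsp_stapling starts and ends outside the hunk.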

