This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 7.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/7.1.x by this push: new 06654a4 Fixes OCSP warnings when cert has no OCSP URI attached to it 06654a4 is described below commit 06654a472f5995301719415591eb226053db82a7 Author: Randall Meyer <randallme...@yahoo.com> AuthorDate: Tue Jul 3 11:21:41 2018 -0700 Fixes OCSP warnings when cert has no OCSP URI attached to it When a certificate does not have the OCSP URI attached to it, do not setup OCSP refreshing for it. (cherry picked from commit 1a35e1032d98ffdd81c4c3dbd13556bc8be2fecb) --- iocore/net/OCSPStapling.cc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc index 3259b24..aa300f6 100644 --- a/iocore/net/OCSPStapling.cc +++ b/iocore/net/OCSPStapling.cc @@ -162,8 +162,6 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname) cinf->is_expire = true; cinf->expire_time = 0; - SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf); - issuer = stapling_get_issuer(ctx, cert); if (issuer == nullptr) { Note("cannot get issuer certificate from %s", certname); @@ -176,13 +174,17 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname) X509_digest(cert, EVP_sha1(), cinf->idx, nullptr); aia = X509_get1_ocsp(cert); - if (aia) + if (aia) { cinf->uri = sk_OPENSSL_STRING_pop(aia); + X509_email_free(aia); + } + if (!cinf->uri) { Note("no responder URI for %s", certname); + return false; } - if (aia) - X509_email_free(aia); + + SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf); Note("successfully initialized certinfo for %s into SSL_CTX: %p", certname, ctx); return true; @@ -437,7 +439,7 @@ ssl_callback_ocsp_stapling(SSL *ssl) // originally was, cinf = stapling_get_cert_info(ssl->ctx); cinf = stapling_get_cert_info(SSL_get_SSL_CTX(ssl)); if (cinf == nullptr) { - Error("ssl_callback_ocsp_stapling: failed to get certificate information"); + Debug("ssl_ocsp", "ssl_callback_ocsp_stapling: failed to get certificate information"); return SSL_TLSEXT_ERR_NOACK; }