This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
     new 06654a4  Fixes OCSP warnings when cert has no OCSP URI attached to it
06654a4 is described below

commit 06654a472f5995301719415591eb226053db82a7
Author: Randall Meyer <randallme...@yahoo.com>
AuthorDate: Tue Jul 3 11:21:41 2018 -0700

    Fixes OCSP warnings when cert has no OCSP URI attached to it
    
    When a certificate does not have the OCSP URI attached to it,
    do not set up OCSP refreshing for it.
    
    (cherry picked from commit 1a35e1032d98ffdd81c4c3dbd13556bc8be2fecb)
---
 iocore/net/OCSPStapling.cc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 3259b24..aa300f6 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -162,8 +162,6 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char 
*certname)
   cinf->is_expire   = true;
   cinf->expire_time = 0;
 
-  SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf);
-
   issuer = stapling_get_issuer(ctx, cert);
   if (issuer == nullptr) {
     Note("cannot get issuer certificate from %s", certname);
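Review bot: Moving SSL_CTX_set_ex_data to the success path means the SSL_CTX no longer owns cinf when initialization fails, so every `return false` issued after cinf is populated — the issuer check right after this hunk and the new `return false` after "no responder URI" in the second hunk — now leaves cinf, and whatever it already holds (the certname copy and the cid set between the hunks), unreferenced. If cinf is heap-allocated earlier in ssl_stapling_init_cert, as the ex_data handoff suggests, those paths leak one certinfo per failing certificate load, where before this change the ctx took ownership first and could release it. A single cleanup label before the early returns would close this, e.g. `err:` / `<certinfo destructor>(cinf);` / `return false;`, using whatever teardown the file already has for a certinfo (placeholder name). ssl_stapling_init_cert starts before this hunk, so the allocation and the matching free helper are not visible here.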
@@ -176,13 +174,17 @@ ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const 
char *certname)
   X509_digest(cert, EVP_sha1(), cinf->idx, nullptr);
 
   aia = X509_get1_ocsp(cert);
-  if (aia)
+  if (aia) {
     cinf->uri = sk_OPENSSL_STRING_pop(aia);
+    X509_email_free(aia);
+  }
+
   if (!cinf->uri) {
     Note("no responder URI for %s", certname);
+    return false;
   }
-  if (aia)
-    X509_email_free(aia);
+
+  SSL_CTX_set_ex_data(ctx, ssl_stapling_index, cinf);
 
   Note("successfully initialized certinfo for %s into SSL_CTX: %p", certname, 
ctx);
   return true;
@@ -437,7 +439,7 @@ ssl_callback_ocsp_stapling(SSL *ssl)
   // originally was, cinf = stapling_get_cert_info(ssl->ctx);
   cinf = stapling_get_cert_info(SSL_get_SSL_CTX(ssl));
   if (cinf == nullptr) {
-    Error("ssl_callback_ocsp_stapling: failed to get certificate information");
+    Debug("ssl_ocsp", "ssl_callback_ocsp_stapling: failed to get certificate 
information");
     return SSL_TLSEXT_ERR_NOACK;
   }
 
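Review bot: The downgraded message still reads "failed to get certificate information", but after this change the common reason cinf is null here is a certificate with no OCSP responder URI, which is an expected condition rather than a failure; a comment on the `if (cinf == nullptr)` branch would stop the next reader from treating the Debug line as an error, e.g. `// No certinfo is attached when the cert carries no OCSP URI (ssl_stapling_init_cert returns early), so answer NOACK and send no staple.` A genuine init failure (missing issuer, and presumably a failed cert-id lookup) also yields a null cinf and is now indistinguishable at this point; that seems acceptable only because ssl_stapling_init_cert logs the issuer case at load time, and the message text could say so, e.g. `"no OCSP certinfo for SSL_CTX (no responder URI, or init failed at load)"`. The enclosing ssl_callback_ocsp_stapling starts before this hunk and continues past it.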
