authorStefan Fritsch <sf@apache.org>2011-06-19 20:19:42 +0200
committerStefan Fritsch <sf@apache.org>2011-06-19 20:19:42 +0200
commitc1ce191dbe4802a2fec2b3c91084d597aca1e7ee (patch)
tree6186e209accfee291a41c92311ebaac4cfa25e40
parentAvoid unnecessary renegotiations with SSLVerifyDepth 0. (diff)
Don't do OCSP checks for valid self-issued certs
Submitted by: Kaspar Brand git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1137398 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES2
-rw-r--r--modules/ssl/ssl_engine_ocsp.c10
2 files changed, 11 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 7d1c8e8b62..03d6308356 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,8 @@
Changes with Apache 2.3.13
+ *) mod_ssl: Don't do OCSP checks for valid self-issued certs. [Kaspar Brand]
+
*) mod_ssl: Avoid unnecessary renegotiations with SSLVerifyDepth 0.
PR 48215. [Kaspar Brand]
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index d52bc5e1a3..28ace8a672 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -251,7 +251,15 @@ int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
apr_pool_t *vpool;
int rv;
-
+
+ /* don't do OCSP checking for valid self-issued certs */
+ if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "Skipping OCSP check for valid self-issued cert");
+ X509_STORE_CTX_set_error(ctx, X509_V_OK);
+ return 1;
+ }
+
/* Create a temporary pool to constrain memory use (the passed-in
* pool may be e.g. a connection pool). */
apr_pool_create(&vpool, pool);
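Review bot: The new guard's security argument rests on `cert->valid`, not on `X509_check_issued(cert, cert)`, and the comment should say so: `X509_check_issued()` only establishes that the certificate is self-issued (issuer name equals subject, AKID consistent with SKID, CA key usage), it does not verify the self-signature, so by itself it would let any attacker-minted self-signed certificate bypass OCSP. `valid` is an OpenSSL-internal X509 struct field rather than a public accessor, and as far as I recall it is set once chain verification has reached the certificate, with the self-signature of the chain's top certificate skipped unless X509_V_FLAG_CHECK_SS_SIGNATURE is set; the skip is still reasonable because an OCSP response for a self-issued certificate could only be signed by that certificate's own key and proves nothing. I would replace the one-line comment with something like `/* Self-issued per X509_check_issued() (name/keyid match only, no signature check). 'valid' is set by OpenSSL once chain verification accepted this cert; an OCSP response for it would be signed by its own key, so the query proves nothing. */` and note that `valid` is a private field that may not survive future OpenSSL versions. The enclosing modssl_verify_ocsp() starts before this hunk and continues after it.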