Created attachment 36728
Patch fixing the bug
Hi all,
in commit r1826995 the following change was made to the ssl_callback_SSLVerify function in ssl_engine_kernel.c:
- if (ok && sc->server- >ocsp_enabled == TRUE) { >ocsp_mask & SSL_OCSPCHECK_ CHAIN) || >ocsp_mask & SSL_OCSPCHECK_ LEAF))) ) {
+ if (ok && ((sc->server-
+ (errdepth == 0 && (sc->server-
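Review bot: both `+` lines read the mask through `sc->server`, but this callback is also reached when the proxy context (mctx) is being verified, so a server whose `ocsp_mask` is still UNSET (-1, every bit set) makes `sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN` nonzero and forces an OCSP check on the proxy peer that the proxy configuration never asked for; read the mask from the context actually under verification, `mctx->ocsp_mask`, in both places.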
Instead of using sc->server, mctx should be used. It now causes weird behavior, since ocsp_mask is by default set to UNSET (which is -1, translated to signed int...). When proxy is set on the same server, the if-condition above will be true.
I'm proposing this change:
- if (ok && sc->server- >ocsp_enabled) { CHAIN) || LEAF))) ) {
+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_
+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_
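Review bot: switching to `mctx->ocsp_mask` selects the right context, but both `+` lines still bit-test a value that this report says defaults to UNSET (-1), so a context whose mask was never configured still satisfies `mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN`; confirm the mask is resolved to a concrete SSL_OCSPCHECK_* value before this callback runs, or add `mctx->ocsp_mask != UNSET` to the condition. Also, the `-` line here drops the `== TRUE` present in the quoted commit, so this diff is not against the same base.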
It was working before, because ocsp_enabled was by default set to FALSE. ocsp_mask is UNSET by default now and is set either in the proxy or in the server structure in sc. If an sc with is_proxy is passed here, it will result in a bug.
Attaching patch. Please merge it to 2.4.x if possible.
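The following is an added example, not mod_ssl code or the reporter's patch: a stripped-down model of the condition discussed above. The struct names (modssl_ctx_model, srv_cfg_model) and function names are simplified stand-ins; only UNSET and the SSL_OCSPCHECK_* bit values mirror what the report describes. The constructed scenario has no OCSP setting on the server (mask left UNSET) and OCSP explicitly disabled for the proxy context, then runs the check for the proxy context both ways.

```c
/* Added example: models the sc->server vs. mctx mix-up in the OCSP
 * check condition. Not mod_ssl's code; struct/function names are
 * simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define UNSET               (-1)     /* "not configured" marker, as in the report */
#define SSL_OCSPCHECK_NONE  0
#define SSL_OCSPCHECK_LEAF  (1 << 0)
#define SSL_OCSPCHECK_CHAIN (1 << 1)

typedef struct {
    bool is_proxy;
    int  ocsp_mask;     /* UNSET until explicitly configured */
} modssl_ctx_model;

typedef struct {
    modssl_ctx_model *server;
    modssl_ctx_model *proxy;
} srv_cfg_model;

/* Buggy form: always consults the server context's mask, whatever
 * context the verification is actually running in. */
static bool ocsp_wanted_buggy(const srv_cfg_model *sc,
                              const modssl_ctx_model *mctx, int errdepth)
{
    (void)mctx;
    return (sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Fixed form (the change the report proposes): consult the context
 * being verified. Note the bit test still passes for an UNSET mask. */
static bool ocsp_wanted_fixed(const srv_cfg_model *sc,
                              const modssl_ctx_model *mctx, int errdepth)
{
    (void)sc;
    return (mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF));
}

/* Constructed scenario: server mask never set (UNSET), proxy mask
 * explicitly NONE, verification running for the proxy context. */
static bool report_scenario(bool use_fixed)
{
    modssl_ctx_model server = { false, UNSET };
    modssl_ctx_model proxy  = { true,  SSL_OCSPCHECK_NONE };
    srv_cfg_model sc = { &server, &proxy };
    return use_fixed ? ocsp_wanted_fixed(&sc, &proxy, 0)
                     : ocsp_wanted_buggy(&sc, &proxy, 0);
}

/* Shows why UNSET must be resolved before a bit test: -1 has every
 * bit set, so an unconfigured context still "wants" OCSP. */
static bool unset_mask_passes_bit_test(void)
{
    modssl_ctx_model ctx = { false, UNSET };
    srv_cfg_model sc = { &ctx, &ctx };
    return ocsp_wanted_fixed(&sc, &ctx, 0);
}

int main(void)
{
    printf("buggy check, proxy context: %s\n", report_scenario(false) ? "OCSP forced" : "no OCSP");
    printf("fixed check, proxy context: %s\n", report_scenario(true)  ? "OCSP forced" : "no OCSP");
    printf("fixed check, UNSET mask:    %s\n", unset_mask_passes_bit_test() ? "OCSP forced" : "no OCSP");
    return 0;
}
```

The buggy form reports "OCSP forced" for the proxy context because the server's UNSET mask is -1; the fixed form honours the proxy's own NONE. The last line shows that the fix alone does not help a context whose mask was never resolved from UNSET, which is the remaining check a reviewer would want.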