Comment 2 for bug 1930430

In , Luhliari (luhliari) wrote:

Created attachment 36728
Patch fixing the bug

Hi all,

In commit r1826995 the following change was made to the ssl_callback_SSLVerify function in ssl_engine_kernel.c:

- if (ok && sc->server->ocsp_enabled == TRUE) {
+ if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
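Review bot: the `sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN` test is a bitwise AND against a field whose default is UNSET (-1), so with every bit set both the CHAIN and LEAF branches evaluate true whenever the server-side mask was never configured, and the `errdepth == 0` guard cannot help because the CHAIN term alone already short-circuits the condition to true. Since this callback also runs for proxy (client-side) verification, the mask should be read from the context actually being verified (`mctx`), and UNSET should be normalized to "off" before any bit test.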

Instead of using sc->server, mctx should be used. It now causes weird behavior, since ocsp_mask is by default set to UNSET (which is -1, translated to signed int...). When a proxy is set on the same server, the if-condition above will be true.

I'm proposing this change:

- if (ok && sc->server->ocsp_enabled) {
+ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
+ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
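Review bot: the `-` line here reads `sc->server->ocsp_enabled` (without `== TRUE`), which matches neither the pre-r1826995 line quoted above nor the `sc->server->ocsp_mask` lines that r1826995 put in place, so this snippet would not apply as a hunk against current trunk; the attached patch should remove the two `sc->server->ocsp_mask` lines instead. Switching to `mctx->ocsp_mask` resolves the server/proxy mix-up, but if `mctx->ocsp_mask` can itself still be UNSET (-1) when the callback runs, the bitwise test would keep firing for the same reason, so it is worth confirming the mask is resolved from UNSET before this point or adding an explicit `!= UNSET` check.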

It was working before, because ocsp_enabled was by default set to FALSE. ocsp_mask is UNSET by default now and is set either in the proxy or in the server structure in sc. If sc with is_proxy is passed here, it will result in a bug.

Attaching patch. Please merge it to 2.4.x if possible.
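The following is an added illustration of the pitfall this comment describes; it is not code from mod_ssl or from the attached patch. It models a per-vhost config with a server and a proxy context, each carrying an ocsp_mask whose "not configured" sentinel is UNSET (-1), and contrasts the check that always reads sc->server with one that reads the context being verified. The struct names, the bit values assigned to SSL_OCSPCHECK_LEAF and SSL_OCSPCHECK_CHAIN, the assumption that a mask of 0 means "OCSP off", and the extra step that treats UNSET as 0 before the bit test are all assumptions made for the example and go beyond the one-line change proposed above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed definitions for the example (assumed values, not mod_ssl's own). */
#define UNSET              (-1)      /* "not configured": every bit set */
#define SSL_OCSPCHECK_LEAF  (1 << 0)
#define SSL_OCSPCHECK_CHAIN (1 << 1)

typedef struct { int ocsp_mask; } modssl_ctx_t;

/* Simplified stand-in for the per-server config: one context for the
 * server side and one for the proxy (client) side. */
typedef struct {
    bool is_proxy;
    modssl_ctx_t server;
    modssl_ctx_t proxy;
} ssl_srv_t;

/* The bit test as written in the quoted change: CHAIN checks every
 * depth, LEAF only the end-entity certificate (errdepth == 0). */
static bool mask_wants_ocsp(int mask, int errdepth)
{
    return (mask & SSL_OCSPCHECK_CHAIN) ||
           (errdepth == 0 && (mask & SSL_OCSPCHECK_LEAF));
}

/* Buggy form: always reads the server-side mask, even during proxy
 * verification. With the server mask left at UNSET (-1), every bit is
 * set and the test is true regardless of what was configured. */
bool ocsp_needed_buggy(const ssl_srv_t *sc, int errdepth)
{
    return mask_wants_ocsp(sc->server.ocsp_mask, errdepth);
}

/* Corrected form: pick the context that matches the verification in
 * progress (the proposal's mctx) and, as an added defensive step,
 * treat UNSET as "no checking" so the sentinel can never pass the
 * bitwise test. */
bool ocsp_needed_fixed(const ssl_srv_t *sc, int errdepth)
{
    const modssl_ctx_t *mctx = sc->is_proxy ? &sc->proxy : &sc->server;
    int mask = (mctx->ocsp_mask == UNSET) ? 0 : mctx->ocsp_mask;
    return mask_wants_ocsp(mask, errdepth);
}

/* Scenario from the report (constructed): a vhost that proxies, with
 * OCSP never configured on the server side and switched off (mask 0,
 * assumed meaning) on the proxy side. */
static ssl_srv_t proxy_vhost_with_mask(int proxy_mask)
{
    ssl_srv_t sc = { .is_proxy = true,
                     .server = { UNSET },
                     .proxy = { proxy_mask } };
    return sc;
}

/* Buggy check fires for an intermediate certificate even though OCSP is off. */
bool demo_buggy_fires_on_unset(void)
{
    ssl_srv_t sc = proxy_vhost_with_mask(0);
    return ocsp_needed_buggy(&sc, 1);
}

/* Fixed check honours the proxy-side setting. */
bool demo_fixed_stays_quiet(void)
{
    ssl_srv_t sc = proxy_vhost_with_mask(0);
    return ocsp_needed_fixed(&sc, 1);
}

/* Fixed check with a real proxy-side mask, for the given depth. */
bool demo_fixed_with_mask(int proxy_mask, int errdepth)
{
    ssl_srv_t sc = proxy_vhost_with_mask(proxy_mask);
    return ocsp_needed_fixed(&sc, errdepth);
}

int main(void)
{
    printf("buggy check, OCSP off, depth 1: %s\n",
           demo_buggy_fires_on_unset() ? "OCSP triggered" : "skipped");
    printf("fixed check, OCSP off, depth 1: %s\n",
           demo_fixed_stays_quiet() ? "OCSP triggered" : "skipped");
    printf("fixed check, LEAF only, depth 0: %s\n",
           demo_fixed_with_mask(SSL_OCSPCHECK_LEAF, 0) ? "OCSP triggered" : "skipped");
    return 0;
}
```

The point the example makes is that a sentinel of -1 is indistinguishable from "all flags on" once a mask is tested bit by bit, so a check that can see an unresolved context must either read the resolved context or normalize the sentinel first.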