mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: rejects OCSP response without nextupdate.

Browse Source 
To cache an OCSP Response without expiration time is not safe.
This commit is contained in:
Emeric Brun 2014-06-20 15:44:34 +02:00 committed by Willy Tarreau
parent 98637e5bff
commit 13a6b48e24
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/ssl_sock.c
View File

@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
OCSP_SINGLERESP *sr; OCSP_SINGLERESP *sr;
unsigned char *p = (unsigned char *)ocsp_response->str; unsigned char *p = (unsigned char *)ocsp_response->str;
int rc , count_sr; int rc , count_sr;
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd; ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
int reason; int reason;
int ret = 1; int ret = 1;
@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
goto out; goto out;
} }
if (!nextupd) {
memprintf(err, "OCSP single response: missing nextupdate");
goto out;
}
rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1); rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
if (!rc) { if (!rc) {
memprintf(err, "OCSP single response: no longer valid."); memprintf(err, "OCSP single response: no longer valid.");