Klaus Demo nginx / 3ac176f
OCSP stapling: fixed segfault without nextUpdate.

OCSP responses may contain no nextUpdate. As per RFC 6960, this means that nextUpdate checks should be bypassed. Handle this gracefully by using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.

Maxim Dounin, 6 years ago
1 changed file(s) with 10 addition(s) and 5 deletion(s).
636636 goto error;
637637 }
638638
639 valid = ngx_ssl_stapling_time(nextupdate);
640 if (valid == (time_t) NGX_ERROR) {
641 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
642 "invalid nextUpdate time in certificate status");
643 goto error;
639 if (nextupdate) {
640 valid = ngx_ssl_stapling_time(nextupdate);
641 if (valid == (time_t) NGX_ERROR) {
642 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
643 "invalid nextUpdate time in certificate status");
644 goto error;
645 }
646
647 } else {
648 valid = NGX_MAX_TIME_T_VALUE;
644649 }
645650
646651 OCSP_CERTID_free(id);
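Review bot: the new `else` branch that sets `valid = NGX_MAX_TIME_T_VALUE;` carries no comment, so a later reader may take it for a placeholder and reintroduce the unconditional `ngx_ssl_stapling_time(nextupdate)` call that crashed when `nextupdate` was absent; add a one-line comment there, for example `/* no nextUpdate: RFC 6960 says do not enforce an expiry */`, matching the rationale in the commit message. Also worth checking that wherever `valid` is later compared against the current time, a response stored with `NGX_MAX_TIME_T_VALUE` is still re-fetched on the normal refresh schedule rather than served indefinitely, since this branch removes the only time-based expiry for such responses. The `if (valid == (time_t) NGX_ERROR)` check and its log message are unchanged inside the new guard, which is correct.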