Previously in JBoss Enterprise Web Server, the code in the <filename>ssl_util_ocsp.c</filename> file was broken: it treated a read of 0 bytes from <parameter>apr_bucket_read</parameter> as the end of the file (<literal>EOF</literal>), although a 0-byte read does not indicate <literal>EOF</literal>. As a result, the code exited prematurely with a false EOF error for some OCSP responders.
This is fixed in JBoss Enterprise Web Server 2.1 so that the code in the <filename>ssl_util_ocsp.c</filename> file detects <literal>EOF</literal> correctly and operates as expected.
Description of problem:
The code does this:
    rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
    if (rv == APR_EOF || (rv == APR_SUCCESS && len == 0)) {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01984)
                      "OCSP response: got EOF");
        break;
    }
This code is broken, as apr_bucket_read returning 0 bytes does not indicate EOF. I cannot find anywhere else in the codebase where this type of check is done.
As a result, with some OCSP responders, the code exits prematurely with a false EOF error.
Empty buckets are common from the bucket brigade, apparently. :)
Replacing the above code with:
    if (rv == APR_EOF) {
results in a working system.
Version-Release number of selected component (if applicable):
httpd-2.2.22-14.ep6.el6.src.rpm
How reproducible:
Every time
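The effect of the two checks, shown as an added example that is not part of the original report or of httpd. It uses a mock brigade instead of APR: the names bucket, ST_SUCCESS, ST_EOF, mock_bucket_read and read_response are hypothetical stand-ins, and the response data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for APR status codes and buckets (not the APR API). */
enum { ST_SUCCESS = 0, ST_EOF = 1 };
typedef struct { const char *data; size_t len; } bucket;

/* Constructed sample: one responder reply split across buckets, with
 * zero-length buckets in between, as the report says brigades deliver. */
#define B(s) { s, sizeof(s) - 1 }
static const bucket brigade[] = {
    B("resp-part-1;"), B(""), B("resp-part-2;"), B(""), B("resp-part-3"),
};
#define NBUCKETS (sizeof(brigade) / sizeof(brigade[0]))

/* Mock blocking read: reports ST_EOF only once the brigade is exhausted. */
static int mock_bucket_read(size_t idx, const char **data, size_t *len)
{
    if (idx >= NBUCKETS)
        return ST_EOF;
    *data = brigade[idx].data;
    *len = brigade[idx].len;
    return ST_SUCCESS;
}

/* Collects the response into out and returns the number of bytes read.
 * zero_len_is_eof = 1 reproduces the check quoted in the report;
 * zero_len_is_eof = 0 is the replacement that tests only for EOF. */
size_t read_response(int zero_len_is_eof, char *out, size_t cap)
{
    size_t total = 0;
    for (size_t i = 0; ; i++) {
        const char *data = NULL;
        size_t len = 0;
        int rv = mock_bucket_read(i, &data, &len);
        if (rv == ST_EOF || (zero_len_is_eof && rv == ST_SUCCESS && len == 0))
            break;                      /* real or false end of response */
        if (len > cap - total)
            break;                      /* never copy past the caller's buffer */
        memcpy(out + total, data, len); /* an empty bucket copies 0 bytes */
        total += len;
    }
    return total;
}

int main(void)
{
    char buf[64];
    printf("len == 0 treated as EOF: %zu bytes\n", read_response(1, buf, sizeof buf));
    printf("EOF status only:         %zu bytes\n", read_response(0, buf, sizeof buf));
    return 0;
}
```

With the original check the loop stops at the first empty bucket and the caller is left with a truncated response; with the EOF-only check the empty buckets are skipped and the full response is collected.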
From the BZ, it seems like the fix that we've put in EAP 6.1.1 is needed for EWS, as EWS 2.0.1 was shipped before EAP 6.1.1 and the fix in EAP is needed for EWS (probably in 2.0.2).
Comment 4 Jean-frederic Clere
2014-02-13 13:56:54 UTC