fix MDStapleOthers inheritance (#400)

* fix regression in 77abeb3 the borked MDStapleOthers inheritance

Add test case for verifying that stapling others is attempted.

Author: icing

ChangeLog

@@ -1,3 +1,5 @@
+v2.6.6
+----------------------------------------------------------------------------------------------------
  * Fix a small memory leak when using OpenSSL's BIGNUMs. [Theo Buehler]
  * Fix reuse of curl easy handles by resetting them. [Michael Kaufmann]
 

configure.ac

@@ -14,7 +14,7 @@
 #
 
 AC_PREREQ([2.69])
-AC_INIT([mod_md], [2.6.5], [[email protected]])
+AC_INIT([mod_md], [2.6.6], [[email protected]])
 
 LT_PREREQ([2.2.6])
 LT_INIT()

src/md_version.h

@@ -27,15 +27,15 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "2.6.5-git"
+#define MOD_MD_VERSION "2.6.6-git"
 
 /**
  * @macro
  * Numerical representation of the version number of the md module
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x020605
+#define MOD_MD_VERSION_NUM 0x020606
 
 #define MD_ACME_DEF_URL         "https://acme-v02.api.letsencrypt.org/directory"
 

src/mod_md_config.c

@@ -282,6 +282,7 @@ static void *md_config_merge(apr_pool_t *pool, void *basev, void *addv)
     nsc->profile = add->profile? add->profile : base->profile;
     nsc->profile_mandatory = (add->profile_mandatory != DEF_VAL)? add->profile_mandatory : base->profile_mandatory;
     nsc->stapling = (add->stapling != DEF_VAL)? add->stapling : base->stapling;
+    nsc->staple_others = (add->staple_others != DEF_VAL)? add->staple_others : base->staple_others;
     nsc->ari_renewals = (add->ari_renewals != DEF_VAL)? add->ari_renewals : base->ari_renewals;
     nsc->dns01_cmd = (add->dns01_cmd)? add->dns01_cmd : base->dns01_cmd;
     nsc->current = NULL;

src/mod_md_ocsp.c

@@ -61,8 +61,18 @@ int md_ocsp_prime_status(server_rec *s, apr_pool_t *p,
     apr_array_header_t *chain;
     apr_status_t rv = APR_ENOENT;
 
+    ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, "ocsp prime status call for: %s",
+                 s->server_hostname);
     sc = md_config_get(s);
-    if (!staple_here(sc)) goto cleanup;
+    if (!staple_here(sc)) {
+        ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+                     "ocsp prime does not apply here: server=%s, sc=%d"
+                     "ocsp=%d, conf-ocsp=%d conf-others=%d",
+                     s->server_hostname, !!sc, sc? !!sc->mc->ocsp : 0,
+                     md_config_geti(sc, MD_CONFIG_STAPLING),
+                     md_config_geti(sc, MD_CONFIG_STAPLE_OTHERS));
+        goto cleanup;
+    }
 
     md = ((sc->assigned && sc->assigned->nelts == 1)?
           APR_ARRAY_IDX(sc->assigned, 0, const md_t*) : NULL);

test/modules/md/test_801_stapling.py

@@ -1,6 +1,7 @@
 # test mod_md stapling support
 
 import os
+import re
 import time
 from datetime import timedelta
 import pytest
@@ -37,10 +38,11 @@ def _method_scope(self, env, request):
         yield
         env.apache_stop()
 
-    def configure_httpd(self, env, domains=None, add_lines="", ssl_stapling=False):
+    def configure_httpd(self, env, domains=None, add_lines="", ssl_stapling=False,
+                        std_vhosts=True):
         if not isinstance(domains, list):
             domains = [domains] if domains else []
-        conf = MDConf(env)
+        conf = MDConf(env, std_vhosts=std_vhosts)
         conf.add("""
         <IfModule tls_module>
             LogLevel tls:trace4
@@ -423,3 +425,29 @@ def test_md_801_011(self, env):
             stat = env.await_ocsp_status(domain)
             assert stat['ocsp'] == "successful (0x0)"
             assert stat['verify'] == "0 (ok)"
+
+    # test MDStapleOthers setting
+    def test_md_801_012(self, env):
+        # turn stapling on, wait for it to appear in connections
+        md = self.mdA
+        conf = self.configure_httpd(env, std_vhosts=False)
+        conf.add("MDStapling on")
+        conf.add("MDStapleOthers on")
+        conf.add("LogLevel md:debug")
+        conf.start_vhost(md)
+        conf.add_certificate(env.store_domain_file(md, 'pubcert.pem'),
+                             env.store_domain_file(md, 'privkey.pem'))
+        conf.end_vhost()
+        conf.install()
+        env.httpd_error_log.clear_log()
+        assert env.apache_restart() == 0, f'{env.apachectl_stderr}'
+        try:
+            stat = env.await_ocsp_status(md, timeout=1)
+        except TimeoutError:
+            pass
+        if env.lacks_ocsp():
+            assert env.httpd_error_log.scan_recent(
+                pattern=re.compile(r'.*md\[other]: certificate with serial .* has no OCSP responder URL'))
+        else:
+            assert stat['ocsp'] == "successful (0x0)"
+            assert stat['verify'] == "0 (ok)"