Created attachment 29422 [details] Bug Fix for the double apr_pool_destroy() When OCSP checking is enabled, the code checks the OCSP server. If the OCSP server is contacted everything goes fine. However if the OCSP server cannot be contacted, this leads to a double apr_pool_destroy() that crashes the thread, can lead to TOMCAT crash. The problem exists in static int ssl_ocsp_request(X509 *cert, X509 *issuer); and the problem exists in the following code: if (ocsp_urls != NULL) { OCSP_RESPONSE *resp; /* for the time being just check for the fist response .. a better approach is to iterate for all the possible ocsp urls */ resp = get_ocsp_response(cert, issuer, ocsp_urls[0]); apr_pool_destroy(p); if (resp != NULL) return process_ocsp_response(resp); } apr_pool_destroy(p); return OCSP_STATUS_UNKNOWN; } If get_ocsp_response returns NULL, then apr_pool_destroy(p) is called twice. I believe that this should also affect 1.1.23 A bug fix is included in the attached patch
Fixed in 1.1 branch. Will be available in 1.1.28.