fix SSL server certificate validation in oidc_revoke_tokens

see #1141; thanks @mschmidt72; bump to 2.4.15rc7 Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>
OpenIDC · Nov 30, 2023 · 7624c40 · 7624c40
1 parent 71e551c
commit 7624c40
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+11/30/2023
+- fix SSL server certificate validation when revoking tokens
+  apply `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`
+  see https://github.com/OpenIDC/mod_auth_openidc/discussions/1141; thanks @mschmidt72
+- bump to 2.4.15rc7
+
 11/27/2023
 - use clang-format-17 for code formatting and reformat all code
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc6],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15rc7],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -2951,7 +2951,7 @@ static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c, oidc_session_t *sess
 		apr_table_setn(params, OIDC_PROTO_TOKEN, token);
 
 		if (oidc_util_http_post_form(r, provider->revocation_endpoint_url, params, basic_auth, bearer_auth,
-					     c->oauth.ssl_validate_server, &response, &c->http_timeout_long,
+					     c->provider.ssl_validate_server, &response, &c->http_timeout_long,
 					     &c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, NULL,
 					     NULL) == FALSE) {
 			oidc_warn(r, "revoking refresh token failed");
@@ -2966,7 +2966,7 @@ static void oidc_revoke_tokens(request_rec *r, oidc_cfg *c, oidc_session_t *sess
 		apr_table_setn(params, OIDC_PROTO_TOKEN, token);
 
 		if (oidc_util_http_post_form(r, provider->revocation_endpoint_url, params, basic_auth, bearer_auth,
-					     c->oauth.ssl_validate_server, &response, &c->http_timeout_long,
+					     c->provider.ssl_validate_server, &response, &c->http_timeout_long,
 					     &c->outgoing_proxy, oidc_dir_cfg_pass_cookies(r), NULL, NULL,
 					     NULL) == FALSE) {
 			oidc_warn(r, "revoking access token failed");