Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/07/08 15:13:49 UTC
svn commit: r1608758 - in /httpd/httpd/branches/2.4.x: ./ CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c
modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_ocsp.c
modules/ssl/ssl_private.h
Author: jim
Date: Tue Jul 8 13:13:49 2014
New Revision: 1608758
URL: http://svn.apache.org/r1608758
Log:
Merge r1583191, r1584098, r1584665, r1591401 from trunk:
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non-functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with the other OCSP ones, nested if turned into a single AND condition).
Remove SSLOCSPUseRequestNonce OpenSSL-0.9.7 requirement (0.9.8 already required by httpd-2.4) and set availability to 2.5-dev until further notice.
mod_ssl: follow up to r1583191.
Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand.
Submitted by: ylavic
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_ocsp.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1583191,1584098,1584665,1591401
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jul 8 13:13:49 2014
@@ -71,6 +71,10 @@ Changes with Apache 2.4.10
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [Yann Ylavic, Kaspar Brand]
+
*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]
Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Tue Jul 8 13:13:49 2014
@@ -2278,6 +2278,23 @@ which means that OCSP responses are cons
</directivesynopsis>
<directivesynopsis>
+<name>SSLOCSPUseRequestNonce</name>
+<description>Use a nonce within OCSP queries</description>
+<syntax>SSLOCSPUseRequestNonce on|off</syntax>
+<default>SSLOCSPUseRequestNonce on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.10 and later</compatibility>
+
+<usage>
+<p>This option determines whether queries to OCSP responders should contain
+a nonce or not. By default, a query nonce is always used and checked against
+the response's one. When the responder does not use nonces (eg. Microsoft OCSP
+Responder), this option ought to be turned <code>off</code>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
<name>SSLInsecureRenegotiation</name>
<description>Option to enable support for insecure renegotiation</description>
<syntax>SSLInsecureRenegotiation on|off</syntax>
Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Tue Jul 8 13:13:49 2014
@@ -233,6 +233,8 @@ static const command_rec ssl_config_cmds
"Maximum age of OCSP responses")
SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
"OCSP responder query timeout")
+ SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+ "Whether OCSP queries use a nonce or not ('on', 'off')")
#ifdef HAVE_OCSP_STAPLING
/*
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Tue Jul 8 13:13:49 2014
@@ -133,6 +133,7 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->ocsp_resptime_skew = UNSET;
mctx->ocsp_resp_maxage = UNSET;
mctx->ocsp_responder_timeout = UNSET;
+ mctx->ocsp_use_request_nonce = UNSET;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
@@ -275,6 +276,7 @@ static void modssl_ctx_cfg_merge(apr_poo
cfgMergeInt(ocsp_resptime_skew);
cfgMergeInt(ocsp_resp_maxage);
cfgMergeInt(ocsp_responder_timeout);
+ cfgMergeBool(ocsp_use_request_nonce);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
@@ -1625,6 +1627,15 @@ const char *ssl_cmd_SSLOCSPResponderTime
return NULL;
}
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->ocsp_use_request_nonce = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_ocsp.c?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_ocsp.c Tue Jul 8 13:13:49 2014
@@ -104,7 +104,8 @@ static apr_uri_t *determine_responder_ur
* request object on success, or NULL on error. */
static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
OCSP_CERTID **certid,
- server_rec *s, apr_pool_t *p)
+ server_rec *s, apr_pool_t *p,
+ SSLSrvConfigRec *sc)
{
OCSP_REQUEST *req = OCSP_REQUEST_new();
@@ -116,7 +117,9 @@ static OCSP_REQUEST *create_request(X509
return NULL;
}
- OCSP_request_add1_nonce(req, 0, -1);
+ if (sc->server->ocsp_use_request_nonce != FALSE) {
+ OCSP_request_add1_nonce(req, 0, -1);
+ }
return req;
}
@@ -139,7 +142,7 @@ static int verify_ocsp_status(X509 *cert
return V_OCSP_CERTSTATUS_UNKNOWN;
}
- request = create_request(ctx, cert, &certID, s, pool);
+ request = create_request(ctx, cert, &certID, s, pool, sc);
if (request) {
apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
@@ -171,12 +174,12 @@ static int verify_ocsp_status(X509 *cert
}
}
- if (rc == V_OCSP_CERTSTATUS_GOOD) {
- if (OCSP_check_nonce(request, basicResponse) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
- "Bad OCSP responder answer (bad nonce)");
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
- }
+ if (rc == V_OCSP_CERTSTATUS_GOOD &&
+ sc->server->ocsp_use_request_nonce != FALSE &&
+ OCSP_check_nonce(request, basicResponse) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
+ "Bad OCSP responder answer (bad nonce)");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
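Review bot: The new combined condition skips OCSP_check_nonce() entirely when ocsp_use_request_nonce is off, and nothing in the code records that this drops the only binding between the request and the response, so a previously captured "good" response for the same certid is accepted for as long as it remains inside its validity window. The remaining freshness guard is presumably the existing validity check driven by ocsp_resptime_skew / ocsp_resp_maxage, which lies outside this hunk — worth confirming that it is applied unconditionally and not also gated on the nonce. I would add above the condition: `/* Without a request nonce, freshness relies solely on the response validity window (SSLOCSPResponseTimeSkew / SSLOCSPResponseMaxAge). */`, and state the same caveat in the SSLOCSPUseRequestNonce manual entry so administrators who turn it off for Microsoft OCSP Responder know which check remains. verify_ocsp_status begins before this hunk and continues past it.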
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1608758&r1=1608757&r2=1608758&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Tue Jul 8 13:13:49 2014
@@ -609,6 +609,8 @@ typedef struct {
long ocsp_resptime_skew;
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
+ BOOL ocsp_use_request_nonce;
+
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
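Review bot: The new `BOOL ocsp_use_request_nonce;` field carries no comment, unlike the ssl_ctx_config members just below it, and its tri-state semantics are only discoverable by reading three other files: modssl_ctx_init() sets it to UNSET, modssl_ctx_cfg_merge() uses cfgMergeBool, and ssl_engine_ocsp.c tests it with `!= FALSE`, so UNSET behaves as "on" (matching the documented default). I would change the line to `BOOL ocsp_use_request_nonce; /* UNSET == on: add a nonce and verify it in the response */`. The enclosing typedef struct starts and ends outside this hunk.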
@@ -730,6 +732,7 @@ const char *ssl_cmd_SSLOCSPDefaultRespon
const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
#ifdef HAVE_SSL_CONF_CMD