svn commit: r600493 - /httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
Author: jorton
Date: Mon Dec 3 03:51:14 2007
New Revision: 600493
URL: http://svn.apache.org/viewvc?rev=600493&view=rev
Log:
* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Extract the
validity period from the OCSP response and check it.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=600493&r1=600492&r2=600493&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Mon Dec 3 03:51:14 2007
@@ -184,9 +184,10 @@
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int reason = -1, status;
+ ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
rc = OCSP_resp_find_status(basicResponse, certID, &status,
- &reason, NULL, NULL, NULL);
+ &reason, NULL, &thisup, &nextup);
if (rc != 1) {
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
@@ -194,6 +195,27 @@
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
else {
+ rc = status;
+ }
+
+ /* TODO: make these configurable. */
+#define MAX_SKEW (60)
+#define MAX_AGE (360)
+
+ /* Check whether the response is inside the defined validity
+ * period; otherwise fail. */
+ if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
+ int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
+
+ if (vrc != 1) {
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_log_cxerror(APLOG_MARK, APLOG_ERR, 0, c, cert,
+ "OCSP response outside validity period");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
+ }
+ }
+
+ {
int level =
(status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
const char *result =
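Review bot: The logging block opened at the end of the hunk (`{ int level = (status == V_OCSP_CERTSTATUS_GOOD) ...`) now runs on every path, including the `rc != 1` branch where OCSP_resp_find_status failed and `status` (declared without an initializer in the first hunk, `int reason = -1, status;`) was never written, so the log reads an uninitialized value. It also derives `level` and `result` from `status` rather than `rc`, so a response that OCSP_check_validity rejected is still logged at APLOG_INFO as a good certificate status even though the function's verdict is UNKNOWN. Initialize it in the first hunk, `int reason = -1, status = V_OCSP_CERTSTATUS_UNKNOWN;`, and base the level on the final verdict, `(rc == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;`. MAX_SKEW and MAX_AGE are passed to OCSP_check_validity in seconds; a `/* seconds */` comment next to the two defines would help whoever makes them configurable, and defining them mid-function without an `#undef` leaves them file-scoped for the rest of the translation unit. The `result` computation and the enclosing function continue past the hunk.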
@@ -204,7 +226,6 @@
"OCSP validation completed, "
"certificate status: %s (%d, %d)",
result, status, reason);
- rc = status;
}
}