Posted to cvs@httpd.apache.org by yl...@apache.org on 2014/03/30 21:25:20 UTC
svn commit: r1583191 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c
ssl_engine_config.c ssl_engine_ocsp.c ssl_private.h
Author: ylavic
Date: Sun Mar 30 19:25:20 2014
New Revision: 1583191
URL: http://svn.apache.org/r1583191
Log:
mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
Modified:
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sun Mar 30 19:25:20 2014
@@ -238,6 +238,8 @@ static const command_rec ssl_config_cmds
"Maximum age of OCSP responses")
SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
"OCSP responder query timeout")
+ SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+ "Whether OCSP queries use a nonce or not ('on', 'off')")
#ifdef HAVE_OCSP_STAPLING
/*
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sun Mar 30 19:25:20 2014
@@ -133,6 +133,7 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->ocsp_resptime_skew = UNSET;
mctx->ocsp_resp_maxage = UNSET;
mctx->ocsp_responder_timeout = UNSET;
+ mctx->ocsp_use_request_nonce = UNSET;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
@@ -275,6 +276,7 @@ static void modssl_ctx_cfg_merge(apr_poo
cfgMergeInt(ocsp_resptime_skew);
cfgMergeInt(ocsp_resp_maxage);
cfgMergeInt(ocsp_responder_timeout);
+ cfgMergeBool(ocsp_use_request_nonce);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
@@ -1605,6 +1607,16 @@ const char *ssl_cmd_SSLOCSPResponderTime
return NULL;
}
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->ocsp_use_request_nonce = flag ? SSL_ENABLED_TRUE
+ : SSL_ENABLED_FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Sun Mar 30 19:25:20 2014
@@ -104,7 +104,8 @@ static apr_uri_t *determine_responder_ur
* request object on success, or NULL on error. */
static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
OCSP_CERTID **certid,
- server_rec *s, apr_pool_t *p)
+ server_rec *s, apr_pool_t *p,
+ SSLSrvConfigRec *sc)
{
OCSP_REQUEST *req = OCSP_REQUEST_new();
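Review bot: The added `sc` parameter duplicates information already reachable from `s`: create_request could obtain the config itself with `SSLSrvConfigRec *sc = mySrvConfig(s);`, the same accessor the directive handlers use with `mySrvConfig(cmd->server)`, which would leave the signature and the call site updated in the `@@ -139,7 +142,7 @@` hunk untouched. If the parameter is kept, the comment block above the signature (it starts outside the hunk) should say what it is for, e.g. `/* sc: per-server config; a request nonce is added unless SSLOCSPUseRequestNonce is off */`. The body of create_request continues past the end of this hunk.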
@@ -116,7 +117,9 @@ static OCSP_REQUEST *create_request(X509
return NULL;
}
- OCSP_request_add1_nonce(req, 0, -1);
+ if (sc->server->ocsp_use_request_nonce != FALSE) {
+ OCSP_request_add1_nonce(req, 0, -1);
+ }
return req;
}
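Review bot: The return value of `OCSP_request_add1_nonce()` is still ignored on the line this hunk wraps, so a failed nonce insertion sends a nonce-less request while the verification path still expects one; the response would then fail the `!= 1` nonce check in the `@@ -171,7 +174,8 @@` hunk and be logged as a bad nonce rather than as the real cause. `if (OCSP_request_add1_nonce(req, 0, -1) != 1) { OCSP_REQUEST_free(req); return NULL; }` reports the failure where it happens. The `!= FALSE` comparison also means an absent directive (UNSET, as initialised in modssl_ctx_init) keeps the nonce, so the effective default is on; a comment such as `/* UNSET (directive absent) keeps the nonce: default is on */` would make that explicit here and at the matching check in the later hunk.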
@@ -139,7 +142,7 @@ static int verify_ocsp_status(X509 *cert
return V_OCSP_CERTSTATUS_UNKNOWN;
}
- request = create_request(ctx, cert, &certID, s, pool);
+ request = create_request(ctx, cert, &certID, s, pool, sc);
if (request) {
apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
@@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert
}
}
- if (rc == V_OCSP_CERTSTATUS_GOOD) {
+ if (rc == V_OCSP_CERTSTATUS_GOOD &&
+ sc->server->ocsp_use_request_nonce != FALSE) {
if (OCSP_check_nonce(request, basicResponse) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
"Bad OCSP responder answer (bad nonce)");
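Review bot: Skipping `OCSP_check_nonce()` means the response is no longer bound to this particular request, so its freshness then rests only on the time-based checks (presumably those governed by `ocsp_resptime_skew` and `ocsp_resp_maxage`, the fields next to the new one in ssl_engine_config.c), and a previously captured response that is still inside that window would be accepted for a certificate whose status has since changed. That trade-off deserves a comment next to the condition, e.g. `/* No nonce: the response is not tied to this request, so replay protection is limited to the time-validity checks. */`, and a sentence in the directive's documentation. verify_ocsp_status continues outside this hunk.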
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1583191&r1=1583190&r2=1583191&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Mar 30 19:25:20 2014
@@ -614,6 +614,7 @@ typedef struct {
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
#endif
+ int ocsp_use_request_nonce;
} modssl_ctx_t;
struct SSLSrvConfigRec {
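Review bot: The new field carries no trailing comment while its neighbours `ssl_ctx_config` and `ssl_ctx_param` do, and its encoding is not obvious from the plain `int`: it is set to UNSET in modssl_ctx_init, to SSL_ENABLED_TRUE or SSL_ENABLED_FALSE by ssl_cmd_SSLOCSPUseRequestNonce, and tested with `!= FALSE` in ssl_engine_ocsp.c, so UNSET behaves as on. Suggest `int ocsp_use_request_nonce; /* SSLOCSPUseRequestNonce: UNSET/FALSE/TRUE, UNSET acts as on */` so the three-valued contract is visible at the declaration.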
@@ -731,6 +732,7 @@ const char *ssl_cmd_SSLOCSPDefaultRespon
const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
#ifdef HAVE_SSL_CONF_CMD
Re: svn commit: r1583191 - in /httpd/httpd/trunk/modules/ssl:
mod_ssl.c ssl_engine_config.c ssl_engine_ocsp.c ssl_private.h
Posted by Yann Ylavic <yl...@gmail.com>.
Done in r1584098.
On Wed, Apr 2, 2014 at 8:21 AM, Kaspar Brand <ht...@velox.ch> wrote:
> On 30.03.2014 21:25, ylavic@apache.org wrote:
>> Author: ylavic
>> Date: Sun Mar 30 19:25:20 2014
>> New Revision: 1583191
>>
>> URL: http://svn.apache.org/r1583191
>> Log:
>> mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
>
>> @@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert
>> }
>> }
>>
>> - if (rc == V_OCSP_CERTSTATUS_GOOD) {
>> + if (rc == V_OCSP_CERTSTATUS_GOOD &&
>> + sc->server->ocsp_use_request_nonce != FALSE) {
>> if (OCSP_check_nonce(request, basicResponse) != 1) {
>> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
>> "Bad OCSP responder answer (bad nonce)");
>
> Perhaps rewrite this as
>
> if (rc == V_OCSP_CERTSTATUS_GOOD &&
> sc->server->ocsp_use_request_nonce != FALSE &&
> OCSP_check_nonce(request, basicResponse) != 1) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
> "Bad OCSP responder answer (bad nonce)");
> rc = V_OCSP_CERTSTATUS_UNKNOWN;
> }
> }
>
> ?
>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1583191&r1=1583190&r2=1583191&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Mar 30 19:25:20 2014
>> @@ -614,6 +614,7 @@ typedef struct {
>> SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
>> apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
>> #endif
>> + int ocsp_use_request_nonce;
>> } modssl_ctx_t;
>
> modssl_ctx_t isn't a public struct, so I think it's preferable to
> insert this definition four lines earlier (after ocsp_responder_timeout,
> see r1059917 for a similar case).
>
> And last but not least, can you add docs for this new directive (and an
> entry in CHANGES)?
>
> Kaspar
Re: svn commit: r1583191 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c
ssl_engine_config.c ssl_engine_ocsp.c ssl_private.h
Posted by Kaspar Brand <ht...@velox.ch>.
On 30.03.2014 21:25, ylavic@apache.org wrote:
> Author: ylavic
> Date: Sun Mar 30 19:25:20 2014
> New Revision: 1583191
>
> URL: http://svn.apache.org/r1583191
> Log:
> mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
> @@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert
> }
> }
>
> - if (rc == V_OCSP_CERTSTATUS_GOOD) {
> + if (rc == V_OCSP_CERTSTATUS_GOOD &&
> + sc->server->ocsp_use_request_nonce != FALSE) {
> if (OCSP_check_nonce(request, basicResponse) != 1) {
> ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
> "Bad OCSP responder answer (bad nonce)");
Perhaps rewrite this as
if (rc == V_OCSP_CERTSTATUS_GOOD &&
sc->server->ocsp_use_request_nonce != FALSE &&
OCSP_check_nonce(request, basicResponse) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
"Bad OCSP responder answer (bad nonce)");
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
?
> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1583191&r1=1583190&r2=1583191&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Mar 30 19:25:20 2014
> @@ -614,6 +614,7 @@ typedef struct {
> SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
> apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
> #endif
> + int ocsp_use_request_nonce;
> } modssl_ctx_t;
modssl_ctx_t isn't a public struct, so I think it's preferable to
insert this definition four lines earlier (after ocsp_responder_timeout,
see r1059917 for a similar case).
And last but not least, can you add docs for this new directive (and an
entry in CHANGES)?
Kaspar