Posted to cvs@httpd.apache.org by yl...@apache.org on 2014/04/02 19:21:29 UTC
svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c
modules/ssl/ssl_private.h
Author: ylavic
Date: Wed Apr 2 17:21:28 2014
New Revision: 1584098
URL: http://svn.apache.org/r1584098
Log:
mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1584098&r1=1584097&r2=1584098&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Wed Apr 2 17:21:28 2014
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [ Yann Ylavic ]
+
*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]
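Review bot: the new entry should state the default (`on`) and name the case that needs `off` (responders that do not echo the nonce), since CHANGES is what administrators read when a nonce check suddenly turns a `good` status into `unknown` after an upgrade; the manual text added in mod_ssl.xml already has that wording, so one extra clause like "defaults to on; turn off for responders that ignore nonces" would do. Minor: the entry writes `PR 56233` while the neighbouring entry uses `PR56216`; keep one form.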
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1584098&r1=1584097&r2=1584098&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Apr 2 17:21:28 2014
@@ -2278,6 +2278,23 @@ which means that OCSP responses are cons
</directivesynopsis>
<directivesynopsis>
+<name>SSLOCSPUseRequestNonce</name>
+<description>Use a nonce within OCSP queries</description>
+<syntax>SSLOCSPUseRequestNonce on|off</syntax>
+<default>SSLOCSPUseRequestNonce on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option determines whether queries to OCSP responders should contain
+a nonce or not. By default, a query nonce is always used and checked against
+the response's one. When the responder does not use nonces (eg. Microsoft OCSP
+Responder), this option ought to be turned <code>off</code>.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
<name>SSLInsecureRenegotiation</name>
<description>Option to enable support for insecure renegotiation</description>
<syntax>SSLInsecureRenegotiation on|off</syntax>
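Review bot: the `<compatibility>` clause "if using OpenSSL 0.9.7 or later" is redundant, because httpd 2.4 already requires OpenSSL 0.9.8 or newer; drop it here rather than copy it from the other SSLOCSP* directives (those carry the same stale text and should be fixed together). The `<usage>` paragraph should also say what the administrator gives up with `off`: the nonce is what binds a response to this particular request, so without it a previously issued but still time-valid response is accepted as fresh and the only freshness control left is the time-window check (the `ocsp_resptime_skew`/`ocsp_resp_maxage` settings in ssl_private.h). A sentence such as "With `off`, response freshness relies solely on the time-window checks" helps an operator weigh the Microsoft-responder case against the loss. The CHANGES entry lists this under 2.5.0 while the compatibility line says 2.4.10; align the two once the backport is decided. Minor: `eg.` should be `e.g.`.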
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1584098&r1=1584097&r2=1584098&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Wed Apr 2 17:21:28 2014
@@ -175,12 +175,11 @@ static int verify_ocsp_status(X509 *cert
}
if (rc == V_OCSP_CERTSTATUS_GOOD &&
- sc->server->ocsp_use_request_nonce != FALSE) {
- if (OCSP_check_nonce(request, basicResponse) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
- "Bad OCSP responder answer (bad nonce)");
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
- }
+ sc->server->ocsp_use_request_nonce != FALSE &&
+ OCSP_check_nonce(request, basicResponse) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
+ "Bad OCSP responder answer (bad nonce)");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
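Review bot: collapsing the nested `if` into one `&&` chain keeps the behaviour (a nonce failure still demotes `GOOD` to `V_OCSP_CERTSTATUS_UNKNOWN`, which is the right fail-closed choice), but `sc->server->ocsp_use_request_nonce != FALSE` means any value other than an explicit `off` enables the check; that is what the documented default `on` needs, so add a one-line comment saying the unset value deliberately counts as `on`, or a later reader will "fix" it to `== TRUE` and silently disable the check for the default configuration. Also, `OCSP_check_nonce()` returns 1 only on a match and a distinct non-1 value when the response carries no nonce at all (the responder-ignores-nonces case the manual describes), so the message `"Bad OCSP responder answer (bad nonce)"` could distinguish "nonce missing from response" from "nonce mismatch" and mention `SSLOCSPUseRequestNonce`; an operator seeing `unknown` statuses in the log then knows which directive applies instead of suspecting the responder of tampering.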
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1584098&r1=1584097&r2=1584098&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Wed Apr 2 17:21:28 2014
@@ -610,11 +610,12 @@ typedef struct {
long ocsp_resptime_skew;
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
+ int ocsp_use_request_nonce;
+
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
#endif
- int ocsp_use_request_nonce;
} modssl_ctx_t;
struct SSLSrvConfigRec {
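Review bot: the moved member has no trailing comment while its new neighbours (`ssl_ctx_config`, `ssl_ctx_param`) and the other OCSP fields above it do; add one naming the directive, e.g. `int ocsp_use_request_nonce; /* SSLOCSPUseRequestNonce */`, so the config-directive-to-field mapping stays greppable. Moving the field also changes the layout of `modssl_ctx_t`; since this is `ssl_private.h` that is fine for in-tree code, but the commit message's "non functional" wording should mention that anything compiled against the previous struct needs a rebuild.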
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Apr 4, 2014 at 9:57 AM, Yann Ylavic <yl...@gmail.com> wrote:
> On Fri, Apr 4, 2014 at 9:55 AM, Yann Ylavic <yl...@gmail.com> wrote:
>> I can now remove this requirement from all...
> And maybe the availability in httpd 2.3 and later too.
Done in r1584555.
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Apr 4, 2014 at 9:55 AM, Yann Ylavic <yl...@gmail.com> wrote:
> I can now remove this requirement from all...
And maybe the availability in httpd 2.3 and later too.
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Yann Ylavic <yl...@gmail.com>.
On Fri, Apr 4, 2014 at 9:21 AM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> Eric Covener wrote:
>>
>> On Thu, Apr 3, 2014 at 7:06 PM, Yann Ylavic <ylavic@apache.org <ma...@apache.org>> wrote:
>>
>> > +<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later</compatibility>
>
> Hmm. Isn't OpenSSL >= 0.9.8 already mandatory for httpd 2.4.x?
Correct, although all the SSLOCSP* directives refer to 0.9.7 (I
blindly copied this part).
I can now remove this requirement from all...
Regards,
Yann.
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Ruediger Pluem <rp...@apache.org>.
Eric Covener wrote:
>
> On Thu, Apr 3, 2014 at 7:06 PM, Yann Ylavic <ylavic@apache.org <ma...@apache.org>> wrote:
>
> > +<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later</compatibility>
Hmm. Isn't OpenSSL >= 0.9.8 already mandatory for httpd 2.4.x?
Regards
Rüdiger
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Eric Covener <co...@gmail.com>.
On Thu, Apr 3, 2014 at 7:06 PM, Yann Ylavic <yl...@apache.org> wrote:
> > +<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL
> 0.9.7 or later</compatibility>
I usually only do it for stuff I think will not be at all controversial
and proposed immediately
Otherwise, without/until 2.5.x releases from trunk, assume nobody will ask
when something went into trunk and just try to remember during backport.
--
Eric Covener
covener@gmail.com
Re: svn commit: r1584098 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Posted by Yann Ylavic <yl...@apache.org>.
On Wed, Apr 2, 2014 at 7:21 PM, <yl...@apache.org> wrote:
> Author: ylavic
> Date: Wed Apr 2 17:21:28 2014
> New Revision: 1584098
>
> URL: http://svn.apache.org/r1584098
> Log:
> mod_ssl: follow up to r1583191.
>
> New SSLOCSPUseRequestNonce directive's manual and CHANGES.
>
[snip]
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1584098&r1=1584097&r2=1584098&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Apr 2 17:21:28 2014
> @@ -2278,6 +2278,23 @@ which means that OCSP responses are cons
> </directivesynopsis>
>
> <directivesynopsis>
> +<name>SSLOCSPUseRequestNonce</name>
> +<description>Use a nonce within OCSP queries</description>
> +<syntax>SSLOCSPUseRequestNonce on|off</syntax>
> +<default>SSLOCSPUseRequestNonce on</default>
> +<contextlist><context>server config</context>
> +<context>virtual host</context></contextlist>
> +<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later</compatibility>
I had to use the next version number here, while it is obviously not
yet accepted for backport.
What is the procedure in this case?
> +
> +<usage>
> +<p>This option determines whether queries to OCSP responders should contain
> +a nonce or not. By default, a query nonce is always used and checked against
> +the response's one. When the responder does not use nonces (eg. Microsoft OCSP
> +Responder), this option ought to be turned <code>off</code>.</p>
> +</usage>
> +</directivesynopsis>
> +
> +<directivesynopsis>
> <name>SSLInsecureRenegotiation</name>
> <description>Option to enable support for insecure renegotiation</description>
> <syntax>SSLInsecureRenegotiation on|off</syntax>
>