source: mod_gnutls/src/gnutls_ocsp.h @ 333bbc7

Last change on this file since 333bbc7 was 333bbc7, checked in by Thomas Klute <thomas2.klute@…>, 4 years ago

Configurable OCSP socket timeout

Stalled OCSP requests must time out after a while so that they do not
hold up the server for too long. However, if the timeout is too short,
requests may fail with a slow OCSP responder or a high-latency network
connection. Using the new GnuTLSOCSPFailureTimeout parameter, users can
adjust the timeout if necessary.

All macros defining default values for OCSP related times are now
collected in gnutls_ocsp.h.

1/**
2 *  Copyright 2016 Thomas Klute
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License");
5 *  you may not use this file except in compliance with the License.
6 *  You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 *  See the License for the specific language governing permissions and
14 *  limitations under the License.
15 */
16
17#ifndef __MOD_GNUTLS_OCSP_H__
18#define __MOD_GNUTLS_OCSP_H__
19
20#include "gnutls/gnutls.h"
21#include "gnutls/x509.h"
22#include "httpd.h"
23#include "http_config.h"
24
/* Name of the global mutex used for OCSP handling. What it protects
 * (presumably the stapling response cache shared between server
 * processes) is defined where the mutex is created, not here. */
#define MGS_OCSP_MUTEX_NAME "gnutls-ocsp"

/* Default OCSP response grace time in seconds. NOTE(review): whether
 * this is a refresh margin before a cached response expires or a
 * tolerated clock skew on thisUpdate/nextUpdate is decided by the
 * code that consumes the macro — confirm there before relying on
 * either reading. */
#define MGS_GRACE_TIME 60
/* Default OCSP failure timeout in seconds. Presumably how long a
 * failed fetch is remembered before the responder is contacted again
 * (so a broken responder is not hit on every handshake) — confirm
 * against the caller. */
#define MGS_OCSP_FAILURE_TIMEOUT 300
/* Default socket timeout for OCSP responder connections, in
 * seconds. Note that the timeout applies to "absolutely no data sent
 * or received", not the whole connection: it bounds idle time, not
 * total fetch time, so a responder that keeps trickling bytes can
 * hold the connection open well beyond this value. 10 seconds in
 * mod_ssl. */
#define MGS_OCSP_SOCKET_TIMEOUT 6
35
/**
 * Vhost specific OCSP data structure
 *
 * One instance per virtual host with OCSP stapling enabled. The
 * members are presumably filled during server configuration (see
 * mgs_ocsp_post_config_server()) and only read at handshake time.
 */
struct mgs_ocsp_data {
    /* OCSP URI extracted from the server certificate (normally its
     * Authority Information Access extension). NULL if unset. The
     * responder is typically reached over plain HTTP; that is fine
     * only because every response must be verified against "trust"
     * below before it is used. */
    apr_uri_t *uri;
    /* Trust list to verify OCSP responses for stapling. Should
     * usually only contain the CA that signed the server
     * certificate: an OCSP response is only meaningful if signed by
     * the issuer (or a responder it delegated to), and every extra
     * entry here widens the set of parties whose responses would be
     * accepted and stapled. */
    gnutls_x509_trust_list_t *trust;
    /* Server certificate fingerprint, used as cache key for the OCSP
     * response. Vhosts serving the same certificate therefore
     * presumably share one cache entry. */
    gnutls_datum_t fingerprint;
};
51
/**
 * Directive handler: switch OCSP stapling on or off for the
 * server/vhost the directive appears in.
 *
 * @param parms directive context provided by httpd (server_rec, pools)
 * @param dummy per-directory config slot, unused here
 * @param arg flag value as parsed by httpd (presumably non-zero = on)
 * @return NULL on success or an error string for httpd to report,
 * following httpd's directive-handler convention
 */
const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
                                     void *dummy __attribute__((unused)),
                                     int arg);
55
/**
 * Directive handler: record the path of a file holding an OCSP
 * response to staple (presumably a pre-fetched response supplied by
 * the administrator instead of fetching from the responder — confirm
 * in the implementation).
 *
 * @param parms directive context provided by httpd (server_rec, pools)
 * @param dummy per-directory config slot, unused here
 * @param arg the path given in the configuration file
 * @return NULL on success or an error string for httpd to report,
 * following httpd's directive-handler convention
 */
const char *mgs_store_ocsp_response_path(cmd_parms *parms,
                                         void *dummy __attribute__((unused)),
                                         const char *arg);
59
/**
 * Build a trust list from a certificate chain (one or more
 * certificates), for verifying OCSP responses.
 *
 * @param tl trust list to initialize and fill with the first @p num
 * certificates of @p chain
 * @param chain certificate chain; must contain at least @p num
 * certificates
 * @param num number of certificates to load from @p chain
 *
 * The certificates are shared with @p chain rather than copied:
 * @p chain is supposed to be static (the trust chain of the server
 * certificate) and must outlive @p tl. Consequently, when
 * gnutls_x509_trust_list_deinit() is called on @p tl later, its
 * "all" parameter must be zero — a non-zero value would also release
 * the certificate objects still owned by the caller.
 *
 * @return GNUTLS_E_SUCCESS or a GnuTLS error code. On error @p tl is
 * left uninitialized and must not be passed to
 * gnutls_x509_trust_list_deinit().
 */
int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
                               const gnutls_x509_crt_t *chain,
                               int num);
81
/**
 * Pool cleanup function that deinits the trust list without
 * deinitializing certificates.
 *
 * The void pointer and apr_status_t return are dictated by APR's
 * pool cleanup interface. The certificates are left alone because
 * they are owned by the caller's chain, not by the trust list
 * (presumably one built by mgs_create_ocsp_trust_list()).
 *
 * @param data the gnutls_x509_trust_list_t to release
 * @return an apr_status_t as required by apr_pool_cleanup_register()
 */
apr_status_t mgs_cleanup_trust_list(void *data);
87
/**
 * Set up the OCSP state of one server/vhost.
 *
 * Meant to be called from the post_config hook for every server that
 * has OCSP stapling enabled, after its certificates have been loaded
 * (presumably because the responder URI and trust list are derived
 * from them).
 *
 * @param pconf configuration pool, lives as long as the server config
 * @param ptemp temporary pool, valid only while post_config runs
 * @param server the server/vhost to initialize
 * @return OK or DECLINED on success, any other value on error — the
 * same convention as the post_config hook itself
 */
int mgs_ocsp_post_config_server(apr_pool_t *pconf,
                                apr_pool_t *ptemp,
                                server_rec *server);
98
/**
 * Provide the OCSP response to staple into a TLS handshake.
 *
 * The signature matches a GnuTLS status-request callback, so this is
 * presumably installed per credentials with @p ptr pointing at the
 * vhost's struct mgs_ocsp_data — confirm in the implementation.
 * Whatever is handed out here goes to the client unchanged, so it
 * should have been verified against mgs_ocsp_data.trust before being
 * cached or returned.
 *
 * @param session the handshake requesting the status
 * @param ptr callback context registered with GnuTLS
 * @param ocsp_response receives the DER-encoded response on success
 * @return GNUTLS_E_SUCCESS or a GnuTLS error code (presumably; the
 * exact codes are set by the implementation)
 */
int mgs_get_ocsp_response(gnutls_session_t session,
                          void *ptr,
                          gnutls_datum_t *ocsp_response);
101
102#endif /* __MOD_GNUTLS_OCSP_H__ */