Changeset 1aad1d7 in mod_gnutls for src/gnutls_ocsp.c
- Timestamp:
- Jan 11, 2020, 4:41:42 PM (3 years ago)
- Branches:
- asyncio, main, master, proxy-ticket
- Children:
- ce987dc
- Parents:
- 1c3853a
- File:
-
- 1 edited
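--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -1134,4 +1134,47 @@
 
 
+static const char* configure_cert_staple(mgs_ocsp_data_t ocsp,
+                                         server_rec *server,
+                                         mgs_srvconf_rec *sc,
+                                         unsigned int idx,
+                                         apr_pool_t *pconf)
+{
+    ocsp->cert = sc->certs_x509_crt_chain[idx];
+
+    ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
+    // TODO: ocsp_response_file is completely broken with >1
+    // certificates. Allow a list?
+    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
+        return "No OCSP URI in the certificate nor a "
+            "GnuTLSOCSPResponseFile setting, cannot configure "
+            "OCSP stapling.";
+
+    ocsp->fingerprint =
+        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[idx]);
+    if (ocsp->fingerprint.data == NULL)
+        return "Could not read fingerprint from certificate!";
+
+    ocsp->trust = apr_palloc(pconf,
+                             sizeof(gnutls_x509_trust_list_t));
+    /* Only the direct issuer may sign the OCSP response or an
+     * OCSP signer. */
+    int ret = mgs_create_ocsp_trust_list(
+        ocsp->trust, &(sc->certs_x509_crt_chain[idx + 1]), 1);
+    if (ret != GNUTLS_E_SUCCESS)
+    {
+        ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
+                     "Could not create OCSP trust list: %s (%d)",
+                     gnutls_strerror(ret), ret);
+        return "Could not build trust list for OCSP stapling!";
+    }
+    /* deinit trust list when the config pool is destroyed */
+    apr_pool_cleanup_register(pconf, ocsp->trust,
+                              mgs_cleanup_trust_list,
+                              apr_pool_cleanup_null);
+    return NULL;
+}
+
+
+
 const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf,
                                         apr_pool_t *ptemp __attribute__((unused)),
@@ -1156,35 +1199,22 @@
         mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
 
-        ocsp->cert = sc->certs_x509_crt_chain[i];
-
-        ocsp->uri = mgs_cert_get_ocsp_uri(pconf, ocsp->cert);
-        if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
-            return "No OCSP URI in the certificate nor a "
-                "GnuTLSOCSPResponseFile setting, cannot configure "
-                "OCSP stapling.";
-
-        ocsp->fingerprint =
-            mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[i]);
-        if (ocsp->fingerprint.data == NULL)
-            return "Could not read fingerprint from certificate!";
-
-        ocsp->trust = apr_palloc(pconf,
-                                 sizeof(gnutls_x509_trust_list_t));
-        /* Only the direct issuer may sign the OCSP response or an
-         * OCSP signer. */
-        int ret = mgs_create_ocsp_trust_list(ocsp->trust,
-                                             &(sc->certs_x509_crt_chain[i+1]),
-                                             1);
-        if (ret != GNUTLS_E_SUCCESS)
-        {
-            ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
-                         "Could not create OCSP trust list: %s (%d)",
-                         gnutls_strerror(ret), ret);
-            return "Could not build trust list for OCSP stapling!";
-        }
-        /* deinit trust list when the config pool is destroyed */
-        apr_pool_cleanup_register(pconf, ocsp->trust,
-                                  mgs_cleanup_trust_list,
-                                  apr_pool_cleanup_null);
+        const char *err = configure_cert_staple(ocsp, server, sc, i, pconf);
+        if (err != NULL)
+        {
+            gnutls_datum_t dn;
+            gnutls_x509_crt_get_dn3(sc->certs_x509_crt_chain[i], &dn, 0);
+            /* If stapling is enabled it MUST work for the server
+             * certificate itself, errors for others are
+             * ignored. Either way log a warning. */
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, server,
+                         "Could not create OCSP stapling configuration "
+                         "for certificate %u in chain (%s): %s",
+                         i, (char*) dn.data, err);
+            gnutls_free(dn.data);
+            if (i == 0)
+                return err;
+            else
+                break;
+        }
 
         sc->ocsp[i] = ocsp;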
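Review bot: The new error path in mgs_ocsp_configure_stapling declares `gnutls_datum_t dn;` uninitialized and ignores the return value of `gnutls_x509_crt_get_dn3()`, so if that call fails (it can, e.g. on allocation failure or a malformed subject) `dn.data` is an indeterminate pointer that is then passed to `%s` in ap_log_error and to `gnutls_free()` — undefined behaviour and a potential crash or invalid free at startup, triggered by certificate content. Zero-initialize the datum, check the return code, and print a placeholder instead of the DN when it is unavailable; see the excerpt below. Separately, the `break` for `i > 0` leaves `sc->ocsp[i]` and any later entries untouched; whether the array is zero-initialized so that readers see NULL is not visible in this hunk, so a comment stating that assumption (or an explicit `sc->ocsp[i] = NULL;` before the break) would make the "errors for others are ignored" contract safe to rely on. The enclosing loop and function start before this hunk.
```c
            const char *err = configure_cert_staple(ocsp, server, sc, i, pconf);
            if (err != NULL)
            {
                gnutls_datum_t dn = { .data = NULL, .size = 0 };
                int dn_ret = gnutls_x509_crt_get_dn3(sc->certs_x509_crt_chain[i],
                                                     &dn, 0);
                const char *dn_str = (dn_ret == GNUTLS_E_SUCCESS && dn.data != NULL)
                    ? (const char *) dn.data : "<unknown DN>";
                /* If stapling is enabled it MUST work for the server
                 * certificate itself, errors for others are
                 * ignored. Either way log a warning. */
                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, server,
                             "Could not create OCSP stapling configuration "
                             "for certificate %u in chain (%s): %s",
                             i, dn_str, err);
                gnutls_free(dn.data);
                /* … unchanged: return err for i == 0, else break … */
```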