Changeset 33fa7d5 in mod_gnutls


Timestamp:
Jan 12, 2020, 4:34:33 PM (8 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
9bc842e
Parents:
5c9ca6b
Message:

Ensure stapling is active for server certificates with "must-staple"

RFC 7633, 4.3.2:

A server SHOULD verify that its configuration is compatible with the
TLS feature extension expressed in a certificate it presents.

Files:
3 edited

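--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -37,4 +37,6 @@
 #include <apr_want.h>
 
+#include <gnutls/x509-ext.h>
+
 #ifdef ENABLE_MSVA
 #include <msv/msv.h>
@@ -51,4 +53,8 @@
 #define IS_PROXY_STR(c) \
     ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
+
+/** Feature number for "must-staple" in the RFC 7633 X.509 TLS Feature
+ * Extension (status_request, defined in RFC 6066) */
+#define TLSFEATURE_MUST_STAPLE 5
 
 /** Key to encrypt session tickets. Must be kept secret. This key is
@@ -527,4 +533,16 @@
 
 /**
+ * Pool cleanup hook to release a gnutls_x509_tlsfeatures_t structure.
+ */
+apr_status_t mgs_cleanup_tlsfeatures(void *data)
+{
+    gnutls_x509_tlsfeatures_t feat = *((gnutls_x509_tlsfeatures_t*) data);
+    gnutls_x509_tlsfeatures_deinit(feat);
+    return APR_SUCCESS;
+}
+
+
+
+/**
  * Post config hook.
  *
@@ -608,4 +626,12 @@
     sc_base->singleton_wd =
         mgs_new_singleton_watchdog(base_server, MGS_SINGLETON_WATCHDOG, pconf);
+
+    gnutls_x509_tlsfeatures_t *must_staple =
+        apr_palloc(ptemp, sizeof(gnutls_x509_tlsfeatures_t));
+    gnutls_x509_tlsfeatures_init(must_staple);
+    gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE);
+    apr_pool_cleanup_register(ptemp, must_staple,
+                              mgs_cleanup_tlsfeatures,
+                              apr_pool_cleanup_null);
 
     for (s = base_server; s; s = s->next)
@@ -728,4 +754,16 @@
         }
 
+        if (sc->certs_x509_chain_num > 0
+            && gnutls_x509_tlsfeatures_check_crt(*must_staple,
+                                                 sc->certs_x509_crt_chain[0])
+            && sc->ocsp_staple == GNUTLS_ENABLED_FALSE)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "Must-Staple is set in the host certificate "
+                         "of '%s:%d', but stapling is disabled!",
+                         s->server_hostname, s->addrs->host_port);
+            return HTTP_UNAUTHORIZED;
+        }
+
         if (sc->enabled == GNUTLS_ENABLED_TRUE
             && sc->proxy_enabled == GNUTLS_ENABLED_TRUE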
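Review bot: The return values of `gnutls_x509_tlsfeatures_init(must_staple)` and `gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE)` at new lines 631-632 are discarded; if init fails, `*must_staple` holds an indeterminate pointer that is later passed to `gnutls_x509_tlsfeatures_check_crt` in the per-vhost loop and to `mgs_cleanup_tlsfeatures` at pool cleanup, and if add fails the feature set is empty, which (if GnuTLS treats an empty constraint set as satisfied, as I believe it does) would make every configured host certificate look like must-staple. Both calls should be checked and turn a failure into a startup error, with the cleanup registered right after a successful init so that an add failure still releases the structure; reuse the function's existing return-code variable if it has one. Separately, the check at new lines 756-759 only fires when `sc->ocsp_staple` is explicitly `GNUTLS_ENABLED_FALSE`; if that field can still be in an unset state at this point in post_config, the test should run after the default has been resolved or compare against `GNUTLS_ENABLED_TRUE` — I cannot confirm the ordering from this hunk. The post-config hook containing both of these hunks starts and ends outside the shown lines.
```c
    gnutls_x509_tlsfeatures_t *must_staple =
        apr_palloc(ptemp, sizeof(gnutls_x509_tlsfeatures_t));
    int rv = gnutls_x509_tlsfeatures_init(must_staple);
    if (rv != GNUTLS_E_SUCCESS)
    {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                     "Initializing TLS feature set failed: %s (%d)",
                     gnutls_strerror(rv), rv);
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    /* registered before add() so a failure below still releases it */
    apr_pool_cleanup_register(ptemp, must_staple,
                              mgs_cleanup_tlsfeatures,
                              apr_pool_cleanup_null);
    rv = gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE);
    if (rv != GNUTLS_E_SUCCESS)
    {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                     "Adding must-staple to TLS feature set failed: %s (%d)",
                     gnutls_strerror(rv), rv);
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    /* … unchanged: per-vhost loop and must-staple check … */
```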
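--- a/test/authority/subca/server/template.in
+++ b/test/authority/subca/server/template.in
@@ -5,4 +5,6 @@
 encryption_key
 dns_name="__HOSTNAME__"
+# must-staple
+tls_feature = 5
 __OCSP_URI__
 __IP_ADDRESSES__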
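--- a/test/tests/00_basic/apache.conf
+++ b/test/tests/00_basic/apache.conf
@@ -6,5 +6,5 @@
  ServerName ${TEST_HOST}
  GnuTLSEnable On
- GnuTLSCertificateFile  authority/subca/server/x509-chain.pem
- GnuTLSKeyFile          authority/subca/server/secret.key
+ GnuTLSCertificateFile  authority/server/x509-chain.pem
+ GnuTLSKeyFile          authority/server/secret.key
 </VirtualHost>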
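Review bot: As far as this changeset shows, no test exercises the new startup check itself: 00_basic is moved off the subca server certificate (which now carries must-staple via the template change), but there is neither a positive case (must-staple certificate with stapling enabled starting cleanly) nor a negative one (the same certificate with OCSP stapling switched off, expecting post_config to fail). A test directory whose apache.conf keeps `authority/subca/server/x509-chain.pem` and `authority/subca/server/secret.key` with stapling disabled, asserting that httpd refuses to start, would pin the behavior. A comment above the two changed directives, e.g. `# plain server cert: the subca server cert carries must-staple and needs stapling configured`, would also make the reason for the switch visible to the next reader.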