Changeset 33fa7d5 in mod_gnutls
- Timestamp:
- Jan 12, 2020, 4:34:33 PM (15 months ago)
- Branches:
- asyncio, master, proxy-ticket
- Children:
- 9bc842e
- Parents:
- 5c9ca6b
- Files:
-
- 3 edited
src/gnutls_hooks.c
r5c9ca6b r33fa7d5 37 37 #include <apr_want.h> 38 38 39 #include <gnutls/x509-ext.h> 40 39 41 #ifdef ENABLE_MSVA 40 42 #include <msv/msv.h> … … 51 53 #define IS_PROXY_STR(c) \ 52 54 ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "") 55 56 /** Feature number for "must-staple" in the RFC 7633 X.509 TLS Feature 57 * Extension (status_request, defined in RFC 6066) */ 58 #define TLSFEATURE_MUST_STAPLE 5 53 59 54 60 /** Key to encrypt session tickets. Must be kept secret. This key is … … 527 533 528 534 /** 535 * Pool cleanup hook to release a gnutls_x509_tlsfeatures_t structure. 536 */ 537 apr_status_t mgs_cleanup_tlsfeatures(void *data) 538 { 539 gnutls_x509_tlsfeatures_t feat = *((gnutls_x509_tlsfeatures_t*) data); 540 gnutls_x509_tlsfeatures_deinit(feat); 541 return APR_SUCCESS; 542 } 543 544 545 546 /** 529 547 * Post config hook. 530 548 * … … 608 626 sc_base->singleton_wd = 609 627 mgs_new_singleton_watchdog(base_server, MGS_SINGLETON_WATCHDOG, pconf); 628 629 gnutls_x509_tlsfeatures_t *must_staple = 630 apr_palloc(ptemp, sizeof(gnutls_x509_tlsfeatures_t)); 631 gnutls_x509_tlsfeatures_init(must_staple); 632 gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE); 633 apr_pool_cleanup_register(ptemp, must_staple, 634 mgs_cleanup_tlsfeatures, 635 apr_pool_cleanup_null); 610 636 611 637 for (s = base_server; s; s = s->next) … … 728 754 } 729 755 756 if (sc->certs_x509_chain_num > 0 757 && gnutls_x509_tlsfeatures_check_crt(*must_staple, 758 sc->certs_x509_crt_chain[0]) 759 && sc->ocsp_staple == GNUTLS_ENABLED_FALSE) 760 { 761 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, 762 "Must-Staple is set in the host certificate " 763 "of '%s:%d', but stapling is disabled!", 764 s->server_hostname, s->addrs->host_port); 765 return HTTP_UNAUTHORIZED; 766 } 767 730 768 if (sc->enabled == GNUTLS_ENABLED_TRUE 731 769 && sc->proxy_enabled == GNUTLS_ENABLED_TRUE -
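Review bot: The return values of gnutls_x509_tlsfeatures_init() and gnutls_x509_tlsfeatures_add() in the post_config hook are discarded, so if either fails `*must_staple` is left holding an uninitialized pointer that is later handed to gnutls_x509_tlsfeatures_check_crt() in the per-vhost loop and to gnutls_x509_tlsfeatures_deinit() from the registered pool cleanup. Both calls can fail (allocation at least), and in that case a must-staple certificate would pass configuration without the stapling check this commit introduces, or the cleanup would deinit garbage. I would check both results, log the gnutls error and fail configuration, and register the cleanup only after the feature set is fully built; the enclosing post_config function starts and ends outside the hunk. Separately, the new guard only fires when `sc->ocsp_staple == GNUTLS_ENABLED_FALSE`; whether an unset value has already been resolved to a default at this point is not visible in the hunk, so it is worth confirming that a must-staple host with no stapling directive does not slip through.
```c
gnutls_x509_tlsfeatures_t *must_staple =
    apr_palloc(ptemp, sizeof(gnutls_x509_tlsfeatures_t));
int tlsfeat_rv = gnutls_x509_tlsfeatures_init(must_staple);
if (tlsfeat_rv != GNUTLS_E_SUCCESS)
{
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                 "Could not initialize TLS feature set: %s (%d)",
                 gnutls_strerror(tlsfeat_rv), tlsfeat_rv);
    return HTTP_INTERNAL_SERVER_ERROR;
}
tlsfeat_rv = gnutls_x509_tlsfeatures_add(*must_staple, TLSFEATURE_MUST_STAPLE);
if (tlsfeat_rv != GNUTLS_E_SUCCESS)
{
    gnutls_x509_tlsfeatures_deinit(*must_staple);
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, base_server,
                 "Could not add must-staple to TLS feature set: %s (%d)",
                 gnutls_strerror(tlsfeat_rv), tlsfeat_rv);
    return HTTP_INTERNAL_SERVER_ERROR;
}
apr_pool_cleanup_register(ptemp, must_staple,
                          mgs_cleanup_tlsfeatures,
                          apr_pool_cleanup_null);
/* … unchanged: per-vhost loop and Must-Staple check … */
```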
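--- a/test/authority/subca/server/template.in
+++ b/test/authority/subca/server/template.in
@@ -5,4 +5,6 @@
 encryption_key
 dns_name="__HOSTNAME__"
+# must-staple
+tls_feature = 5
 __OCSP_URI__
 __IP_ADDRESSES__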
test/tests/00_basic/apache.conf
r5c9ca6b r33fa7d5 6 6 ServerName ${TEST_HOST} 7 7 GnuTLSEnable On 8 GnuTLSCertificateFile authority/s ubca/server/x509-chain.pem9 GnuTLSKeyFile authority/s ubca/server/secret.key8 GnuTLSCertificateFile authority/server/x509-chain.pem 9 GnuTLSKeyFile authority/server/secret.key 10 10 </VirtualHost>