Changeset 4d4a406 in mod_gnutls


Timestamp:
Jun 16, 2016, 6:47:09 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
a784735
Parents:
70d014b
git-author:
Thomas Klute <thomas2.klute@…> (06/16/16 17:37:53)
git-committer:
Thomas Klute <thomas2.klute@…> (06/16/16 18:47:09)
Message:

New config option: GnuTLSOCSPStapling

This flag option enables/disables OCSP stapling, instead of enabling
stapling if a response file is set.

Files:
7 edited

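--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -211,4 +211,6 @@
     apr_time_t last_cache_check;
 
+    /* EXPERIMENTAL: Enable OCSP stapling */
+    unsigned char ocsp_staple;
     /* EXPERIMENTAL: OCSP response file for stapling, will go away
      * once sending OCSP requests is implemented */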
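Review bot: The comment on the new `ocsp_staple` field describes a plain on/off switch, but gnutls_config.c initialises and merges it with `GNUTLS_ENABLED_UNSET` and gnutls_hooks.c resolves UNSET to FALSE during post_config, so it is a tri-state value and the comment should say so. I would write `/* EXPERIMENTAL: OCSP stapling: GNUTLS_ENABLED_TRUE/FALSE, or GNUTLS_ENABLED_UNSET to inherit (resolved to FALSE in post_config); the stapling callback additionally needs a GnuTLSCache. */`. The definitions of the three GNUTLS_ENABLED_* constants are outside this hunk; if any of them does not fit in an `unsigned char`, the `== GNUTLS_ENABLED_UNSET` comparison in gnutls_hooks.c could never match, so please confirm the type against the other enable flags in this struct.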
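--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -1118,4 +1118,5 @@
     sc->proxy_x509_tl = NULL;
 
+    sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
     sc->ocsp_response_file = NULL;
     sc->ocsp_mutex = NULL;
@@ -1178,4 +1179,5 @@
     gnutls_srvconf_merge(proxy_priorities, NULL);
 
+    gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
     gnutls_srvconf_assign(ocsp_response_file);
     gnutls_srvconf_merge(ocsp_grace_time, apr_time_from_sec(MGS_GRACE_TIME));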
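--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -161,5 +161,5 @@
     gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
 
-    if (ctxt->sc->ocsp_response_file != NULL)
+    if (ctxt->sc->ocsp_staple)
     {
         gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs,
@@ -402,7 +402,10 @@
         }
 
+        if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
+            sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
         sc->ocsp_mutex = sc_base->ocsp_mutex;
         /* init OCSP configuration if OCSP is enabled for this host */
-        if (sc->ocsp_response_file != NULL)
+        if (sc->ocsp_staple)
         {
             rv = mgs_ocsp_post_config_server(pconf, ptemp, s);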
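Review bot: The two new tests `if (ctxt->sc->ocsp_staple)` and `if (sc->ocsp_staple)` treat every non-zero value as "enabled", which is only right because the post_config loop first rewrites `GNUTLS_ENABLED_UNSET` to `GNUTLS_ENABLED_FALSE` a few lines earlier; if UNSET is a non-zero constant and a server config ever reaches either check without that normalisation, stapling would be switched on for a host whose administrator never asked for it and mgs_ocsp_post_config_server would run on it. Comparing explicitly, `if (ctxt->sc->ocsp_staple == GNUTLS_ENABLED_TRUE)` in the connection setup and `if (sc->ocsp_staple == GNUTLS_ENABLED_TRUE)` before the mgs_ocsp_post_config_server call, removes the dependence on statement order and on the numeric value of UNSET. Both enclosing functions start and end outside the hunks shown.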
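--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -65,4 +65,21 @@
     if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
         _log_one_ocsp_fail("Signer cert expired", s);
+}
+
+
+
+const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
+                                     void *dummy __attribute__((unused)),
+                                     const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
+    else
+        sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
 }
 
@@ -592,7 +609,6 @@
     }
 
-    /* TODO: separate option to enable/disable OCSP stapling, same for
-     * nonce, restore reading response from file for debugging/expert
-     * use. */
+    /* TODO: separate option to enable/disable nonce, restore reading
+     * response from file for debugging/expert use. */
 
     apr_time_t expiry;
@@ -635,7 +651,7 @@
 {
     mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
-    if (ctxt->sc->cache == NULL)
-    {
-        /* OCSP caching requires a cache. */
+    if (!ctxt->sc->ocsp_staple || ctxt->sc->cache == NULL)
+    {
+        /* OCSP must be enabled and caching requires a cache. */
         return GNUTLS_E_NO_CERTIFICATE_STATUS;
     }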
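Review bot: In the status-request callback the new condition quietly returns `GNUTLS_E_NO_CERTIFICATE_STATUS` when `GnuTLSOCSPStapling On` is set but no cache is configured, so the administrator gets stapling silently disabled instead of a configuration error; with a certificate carrying the must-staple TLS feature that means clients fail the handshake with no server-side diagnostic. Since the callback is only installed when `ocsp_staple` is set, the `cache == NULL` case belongs at configuration time — presumably in mgs_ocsp_post_config_server, which is outside this hunk — as something like `ap_log_error(APLOG_MARK, APLOG_ERR, APR_SUCCESS, s, "GnuTLSOCSPStapling is enabled but no GnuTLSCache is configured");` followed by a non-OK return, leaving the check here as a last-resort guard. The `!ctxt->sc->ocsp_staple` half of the test duplicates the check in gnutls_hooks.c that decides whether the callback is installed at all, which is fine as defence in depth but deserves a comment saying so. mgs_ocsp_stapling_enable itself would also benefit from a one-line comment stating that it is the handler for the GnuTLSOCSPStapling flag and only ever stores GNUTLS_ENABLED_TRUE or GNUTLS_ENABLED_FALSE, never UNSET.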
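--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -40,4 +40,8 @@
     gnutls_datum_t fingerprint;
 };
+
+const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
+                                     void *dummy __attribute__((unused)),
+                                     const int arg);
 
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,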
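Review bot: The new prototype for mgs_ocsp_stapling_enable carries no comment, and the `__attribute__((unused))` on `dummy` does nothing useful in a declaration — the unused-parameter warning it suppresses is only raised at the definition in gnutls_ocsp.c, where the attribute already appears. I would drop the attribute from the header and put `/* Handler for the GnuTLSOCSPStapling flag directive: stores GNUTLS_ENABLED_TRUE or GNUTLS_ENABLED_FALSE in sc->ocsp_staple. */` above the declaration, matching the other directive handlers declared here.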
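--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -272,4 +272,8 @@
     "The priorities to enable for proxy connections (ciphers, key exchange, "
     "MACs, compression)."),
+    AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
+                 NULL,
+                 RSRC_CONF,
+                 "EXPERIMENTAL: Enable OCSP stapling"),
     AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
     NULL,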
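Review bot: The help string `"EXPERIMENTAL: Enable OCSP stapling"` leaves out the one precondition the code enforces: the status-request callback in gnutls_ocsp.c refuses to produce a stapled response unless a cache is configured, so someone reading `httpd -L` cannot tell that the directive is inert without GnuTLSCache. I would write `"EXPERIMENTAL: Enable OCSP stapling (requires GnuTLSCache)"`.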
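--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -8,7 +8,7 @@
         ServerName              ${TEST_HOST}
         GnuTLSEnable            On
+        GnuTLSOCSPStapling      On
         GnuTLSCertificateFile   server/x509-chain.pem
         GnuTLSKeyFile           server/secret.key
         GnuTLSPriorities        NORMAL
-        GnuTLSOCSPResponseFile  ${OCSP_RESPONSE_FILE}
 </VirtualHost>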