Changeset 4d4a406 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Jun 16, 2016, 6:47:09 PM (4 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
a784735
Parents:
70d014b
git-author:
Thomas Klute <thomas2.klute@…> (06/16/16 17:37:53)
git-committer:
Thomas Klute <thomas2.klute@…> (06/16/16 18:47:09)
Message:

New config option: GnuTLSOCSPStapling

This flag option enables/disables OCSP stapling, instead of enabling
stapling if a response file is set.

File:
1 edited

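--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -65,4 +65,21 @@
     if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
         _log_one_ocsp_fail("Signer cert expired", s);
+}
+
+
+
+const char *mgs_ocsp_stapling_enable(cmd_parms *parms,
+                                     void *dummy __attribute__((unused)),
+                                     const int arg)
+{
+    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+        ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+    if (arg)
+        sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
+    else
+        sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+    return NULL;
 }
 
@@ -592,7 +609,6 @@
     }
 
-    /* TODO: separate option to enable/disable OCSP stapling, same for
-     * nonce, restore reading response from file for debugging/expert
-     * use. */
+    /* TODO: separate option to enable/disable nonce, restore reading
+     * response from file for debugging/expert use. */
 
     apr_time_t expiry;
@@ -635,7 +651,7 @@
 {
     mgs_handle_t *ctxt = (mgs_handle_t *) ptr;
-    if (ctxt->sc->cache == NULL)
-    {
-        /* OCSP caching requires a cache. */
+    if (!ctxt->sc->ocsp_staple || ctxt->sc->cache == NULL)
+    {
+        /* OCSP must be enabled and caching requires a cache. */
         return GNUTLS_E_NO_CERTIFICATE_STATUS;
     }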
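Review bot: The new `mgs_ocsp_stapling_enable` handler in the first hunk has no header comment, and the two-branch assignment reads more directly as one conditional, `sc->ocsp_staple = arg ? GNUTLS_ENABLED_TRUE : GNUTLS_ENABLED_FALSE;`. I would add a Doxygen comment above it such as `/** Handler for the GnuTLSOCSPStapling flag: records the setting in the current server's mgs_srvconf_rec; stapling also requires a cache, which is checked where the status response is produced. */`. This changeset does not show where `ocsp_staple` gets its per-server default or how the config merge treats it, so it is worth confirming that a vhost without an explicit directive ends up with a defined value rather than whatever the config allocation left in the field. Because the function in the third hunk (whose signature is outside the hunk) now returns `GNUTLS_E_NO_CERTIFICATE_STATUS` whenever `ocsp_staple` is unset, deployments that previously relied on a response file alone stop stapling silently; that is the intended change per the commit message, but a log line at that early return would make the cause visible to operators.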