Changeset 78b75b3 in mod_gnutls


Timestamp:
Jun 16, 2016, 6:49:25 PM (18 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
master, debian, upstream
Children:
87d507b
Parents:
a784735
git-author:
Thomas Klute <thomas2.klute@…> (06/16/16 18:49:02)
git-committer:
Thomas Klute <thomas2.klute@…> (06/16/16 18:49:25)
Message:

Restore GnuTLSOCSPResponseFile option

Using an externally updated response file avoids the blocking issues
the OCSP client implementation currently has, so it is good to have
both options.

Files:
3 edited

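--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -213,6 +213,6 @@
     /* EXPERIMENTAL: Enable OCSP stapling */
     unsigned char ocsp_staple;
-    /* EXPERIMENTAL: OCSP response file for stapling, will go away
-     * once sending OCSP requests is implemented */
+    /* EXPERIMENTAL: Read OCSP response for stapling from this file
+     * instead of sending a request over HTTP */
     char *ocsp_response_file;
     /* Server specific OCSP data */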
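--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -580,38 +580,57 @@
     }
 
-    gnutls_datum_t req;
-    gnutls_datum_t nonce;
-    int ret = mgs_create_ocsp_request(s, &req, &nonce);
-    if (ret == GNUTLS_E_SUCCESS)
-    {
-        ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
-                     "created OCSP request for %s:%d: %s",
-                     s->server_hostname, s->addrs->host_port,
-                     apr_pescape_hex(tmp, req.data, req.size, 0));
-    }
-    else
-    {
+    gnutls_datum_t resp;
+    gnutls_datum_t nonce = { NULL, 0 };
+
+    if (sc->ocsp_response_file != NULL)
+    {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
+                     "Loading OCSP response from %s",
+                     sc->ocsp_response_file);
+        rv = datum_from_file(tmp, sc->ocsp_response_file, &resp);
+        if (rv != APR_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_ERR, rv, s,
+                         "Loading OCSP response from %s failed!",
+                         sc->ocsp_response_file);
+            apr_pool_destroy(tmp);
+            return rv;
+        }
+    }
+    else
+    {
+        gnutls_datum_t req;
+        int ret = mgs_create_ocsp_request(s, &req, &nonce);
+        if (ret == GNUTLS_E_SUCCESS)
+        {
+            ap_log_error(APLOG_MARK, APLOG_TRACE2, APR_SUCCESS, s,
+                         "created OCSP request for %s:%d: %s",
+                         s->server_hostname, s->addrs->host_port,
+                         apr_pescape_hex(tmp, req.data, req.size, 0));
+        }
+        else
+        {
+            gnutls_free(req.data);
+            gnutls_free(nonce.data);
+            apr_pool_destroy(tmp);
+            return APR_EGENERAL;
+        }
+
+        rv = do_ocsp_request(tmp, s, &req, &resp);
         gnutls_free(req.data);
-        gnutls_free(nonce.data);
-        apr_pool_destroy(tmp);
-        return APR_EGENERAL;
-    }
-
-    gnutls_datum_t resp;
-    rv = do_ocsp_request(tmp, s, &req, &resp);
-    gnutls_free(req.data);
-    if (rv != APR_SUCCESS)
-    {
-        /* do_ocsp_request() does its own error logging. */
-        gnutls_free(nonce.data);
-        apr_pool_destroy(tmp);
-        return rv;
-    }
-
-    /* TODO: separate option to enable/disable nonce, restore reading
-     * response from file for debugging/expert use. */
+        if (rv != APR_SUCCESS)
+        {
+            /* do_ocsp_request() does its own error logging. */
+            gnutls_free(nonce.data);
+            apr_pool_destroy(tmp);
+            return rv;
+        }
+    }
+
+    /* TODO: separate option to enable/disable nonce */
 
     apr_time_t expiry;
-    if (check_ocsp_response(s, &resp, &expiry, &nonce) != GNUTLS_E_SUCCESS)
+    if (check_ocsp_response(s, &resp, &expiry, nonce.size ? &nonce : NULL)
+        != GNUTLS_E_SUCCESS)
     {
         ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_EGENERAL, s,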
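Review bot: `gnutls_datum_t req;` on the new side is left uninitialized while `nonce` now gets `{ NULL, 0 }`, yet the failure branch after `mgs_create_ocsp_request()` calls `gnutls_free(req.data)`; unless that helper is guaranteed to assign `req` on every error path (not visible here), this frees an indeterminate pointer. Initializing it the same way, `gnutls_datum_t req = { NULL, 0 };`, makes the cleanup safe regardless of what the helper does on failure. The `nonce.size ? &nonce : NULL` argument to check_ocsp_response() also deserves a comment, because it means a response loaded from GnuTLSOCSPResponseFile is accepted without nonce verification; something like `/* A response read from file was not produced for our request, so there is no nonce to verify. */` keeps that trade-off visible to the next maintainer. The enclosing function starts and ends outside this hunk.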
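--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -273,16 +273,15 @@
     "MACs, compression)."),
     AP_INIT_FLAG("GnuTLSOCSPStapling", mgs_ocsp_stapling_enable,
-                 NULL,
-                 RSRC_CONF,
+                 NULL, RSRC_CONF,
                  "EXPERIMENTAL: Enable OCSP stapling"),
     AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
-    NULL,
-    RSRC_CONF,
-    "EXPERIMENTAL: OCSP response for stapling (must be updated externally)"),
+                  NULL, RSRC_CONF,
+                  "EXPERIMENTAL: Read OCSP response for stapling from this "
+                  "file instead of sending a request over HTTP (must be "
+                  "updated externally)"),
     AP_INIT_TAKE1("GnuTLSOCSPGraceTime", mgs_set_timeout,
-    NULL,
-    RSRC_CONF,
-    "EXPERIMENTAL: Replace cached OCSP responses this many seconds before "
-    "they expire"),
+                  NULL, RSRC_CONF,
+                  "EXPERIMENTAL: Replace cached OCSP responses this many "
+                  "seconds before they expire"),
 #ifdef __clang__
     /* Workaround for this clang bug: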