Changeset 87d7f89 in mod_gnutls

Timestamp:
Apr 4, 2020, 1:07:28 PM (3 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, main, master, proxy-ticket
Children:
ee35a9f
Parents:
e932ba5
Message:

Send OCSP nonce only if GnuTLSOCSPCheckNonce is enabled

Files:
2 edited

  • doc/mod_gnutls_manual.md

    re932ba5 r87d7f89  
    640640### GnuTLSOCSPCheckNonce
    641641
    642 Check the nonce in OCSP responses?
     642Send nonces in OCSP requests and verify them in responses.
    643643
    644644    GnuTLSOCSPCheckNonce [On|Off]
     
    647647Context: server config, virtual host
    648648
    649 Most CAs do not to send nonces in their OCSP responses, probably
    650 because that way they can cache responses, which is [explicitly
    651 allowed by RFC
    652 6960](https://tools.ietf.org/html/rfc6960#section-2.5). You can enable
    653 `GnuTLSOCSPCheckNonce` to enforce nonce validation if your CA is one
    654 that supports OCSP nonces. Note that `mod_gnutls` will _send_ a nonce
    655 either way.
     649If `GnuTLSOCSPCheckNonce` is enabled, `mod_gnutls` will send nonces in
     650OCSP requests and verify them in responses. Responses without a nonce
     651or with a mismatching one will be considered invalid and discarded.
     652
     653This option is disabled by default because many CAs do not support the
     654OCSP nonce extension. The likely reason for that is the use of
     655pre-produced responses, as described in [RFC 6960, Section
     6562.5](https://tools.ietf.org/html/rfc6960#section-2.5).
    656657
    657658### GnuTLSOCSPResponseFile
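Review bot: the rewritten paragraph only describes the On case. The old sentence "Note that `mod_gnutls` will _send_ a nonce either way" is dropped, and the companion change in src/gnutls_ocsp.c makes the request carry no nonce at all when the option is Off, so the Off behaviour should be stated explicitly, e.g. "When disabled, requests are sent without a nonce and responses are accepted without nonce validation." An administrator keeping the default needs to see that the replay protection the nonce provides is simply not in effect, not merely unenforced.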
  • src/gnutls_ocsp.c

    re932ba5 r87d7f89  
    213213    }
    214214
    215     ret = gnutls_ocsp_req_randomize_nonce(r);
    216     if (ret != GNUTLS_E_SUCCESS)
    217     {
    218         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
    219                      "OCSP nonce creation failed: %s (%d)",
    220                      gnutls_strerror(ret), ret);
    221         gnutls_ocsp_req_deinit(r);
    222         return ret;
    223     }
    224 
    225215    if (nonce != NULL)
    226216    {
     217        ret = gnutls_ocsp_req_randomize_nonce(r);
     218        if (ret != GNUTLS_E_SUCCESS)
     219        {
     220            ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
     221                         "OCSP nonce creation failed: %s (%d)",
     222                         gnutls_strerror(ret), ret);
     223            gnutls_ocsp_req_deinit(r);
     224            return ret;
     225        }
     226
    227227        ret = gnutls_ocsp_req_get_nonce(r, NULL, nonce);
    228228        if (ret != GNUTLS_E_SUCCESS)
     
    706706    {
    707707        gnutls_datum_t req;
    708         int ret = mgs_create_ocsp_request(s, req_data, &req, &nonce);
     708        int ret = mgs_create_ocsp_request(s, req_data, &req,
     709                                          sc->ocsp_check_nonce ? &nonce : NULL);
    709710        if (ret == GNUTLS_E_SUCCESS)
    710711        {
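Review bot: `nonce` is now populated only when `sc->ocsp_check_nonce` is set, but its declaration and the later verification are outside this hunk; confirm that the code consuming `nonce` after the request is sent is guarded by the same `sc->ocsp_check_nonce` test (or that `nonce` is initialised to an empty datum and the comparison is skipped when it is unset), otherwise the response check would read an unset datum in the Off case. A short comment on the ternary, e.g. `/* only request a nonce if we are going to verify it */`, would make the intent clear at a glance.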