Changeset 94cb972 in mod_gnutls


Ignore:
Timestamp:
May 29, 2016, 6:06:59 PM (23 months ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, master, upstream
Children:
20f8e99
Parents:
b674e95
Message:

Minimal OCSP stapling implementation using externally provided response

Works if the configured file contains a valid and current OCSP
response. Note that the module does not yet check those conditions,
the file is just read and forwarded to GnuTLS.

Files:
2 added
8 edited

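--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -216,4 +216,8 @@
         /* Last Cache timestamp */
     apr_time_t last_cache_check;
+
+    /* EXPERIMENTAL: OCSP response file for stapling, will go away
+     * once sending OCSP requests is implemented */
+    char *ocsp_response_file;
 } mgs_srvconf_rec;
 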
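--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -6,7 +6,9 @@
 endif
 
-mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c gnutls_config.c gnutls_hooks.c
+mod_gnutls_la_SOURCES = mod_gnutls.c gnutls_io.c gnutls_cache.c \
+        gnutls_config.c gnutls_hooks.c gnutls_ocsp.c
 mod_gnutls_la_CFLAGS = -Wall ${MODULE_CFLAGS}
 mod_gnutls_la_LDFLAGS = -module -avoid-version ${MODULE_LIBS}
+noinst_HEADERS = gnutls_ocsp.h
 
 apmodpkglib_LTLIBRARIES = mod_gnutls.la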
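--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -972,4 +972,6 @@
     sc->proxy_priorities = NULL;
 
+    sc->ocsp_response_file = NULL;
+
 /* this relies on GnuTLS never changing the gnutls_certificate_request_t enum to define -1 */
     sc->client_verify_mode = -1;
@@ -1027,4 +1029,6 @@
     gnutls_srvconf_merge(proxy_priorities_str, NULL);
     gnutls_srvconf_merge(proxy_priorities, NULL);
+
+    gnutls_srvconf_merge(ocsp_response_file, NULL);
 
     /* FIXME: the following items are pre-allocated, and should be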
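--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -21,4 +21,5 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 #include "http_vhost.h"
 #include "ap_mpm.h"
@@ -156,4 +157,11 @@
     /* Set Anon credentials */
     gnutls_credentials_set(session, GNUTLS_CRD_ANON, ctxt->sc->anon_creds);
+
+    if (ctxt->sc->ocsp_response_file != NULL)
+    {
+        gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs,
+                                                            mgs_get_ocsp_response,
+                                                            ctxt);
+    }
 
 #ifdef ENABLE_SRP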
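Review bot: `gnutls_certificate_set_ocsp_status_request_function(ctxt->sc->certs, mgs_get_ocsp_response, ctxt)` on new lines 162–164 stores a per-connection pointer in what appears to be a server-wide object: `certs` is a member of the `mgs_srvconf_rec` that `ctxt->sc` points to, while `ctxt` is the connection context. If concurrent connections share the same `sc->certs` (as they would under a threaded MPM), each new connection overwrites the callback argument for all of them, and GnuTLS may later invoke `mgs_get_ocsp_response` with a `ctxt` whose connection has already been torn down. Registering the callback once at server init with a pointer of server lifetime, e.g. `ctxt->sc`, would remove both the race and the dangling pointer; `mgs_get_ocsp_response` is defined in gnutls_ocsp.c, which is not in this changeset, so the required signature change is inferred. The enclosing function starts and ends outside the hunk.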
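--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -20,4 +20,5 @@
 
 #include "mod_gnutls.h"
+#include "gnutls_ocsp.h"
 
 #ifdef APLOG_USE_MODULE
@@ -275,4 +276,8 @@
     "The priorities to enable for proxy connections (ciphers, key exchange, "
     "MACs, compression)."),
+    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
+    NULL,
+    RSRC_CONF,
+    "EXPERIMENTAL: OCSP response for stapling (must be updated externally)"),
     { NULL },
 };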
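Review bot: The help text for `GnuTLSOCSPResponseFile` on new lines 278–281 omits what the commit message states plainly: the file is read and forwarded to GnuTLS without any check that it holds a valid and current response. Since a stale or malformed file will be stapled as-is and break clients that require a good status, the administrator should be told, e.g. `"EXPERIMENTAL: OCSP response for stapling (must be updated externally; the module does not validate the file's contents)"`. Whether `mgs_store_ocsp_response_path` resolves the path against ServerRoot or checks readability at config time is not visible in this changeset and would be worth stating in the same text.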
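--- a/test/runtests
+++ b/test/runtests
@@ -191,6 +191,9 @@
 # check OCSP server
 if [ -n "${CHECK_OCSP_SERVER}" ]; then
+    if [ -n "${OCSP_RESPONSE_FILE}" ]; then
+        store_ocsp="--outfile ${OCSP_RESPONSE_FILE}"
+    fi
     echo "---- Testing OCSP server ----"
-    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem
+    ocsptool --ask --nonce --load-issuer authority/x509.pem --load-cert server/x509.pem ${store_ocsp}
     echo "---- OCSP test done ----"
 fi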
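Review bot: `store_ocsp="--outfile ${OCSP_RESPONSE_FILE}"` on new line 194 is expanded unquoted as `${store_ocsp}` on line 197, so the two arguments are produced by word splitting and the command breaks for any `OCSP_RESPONSE_FILE` containing whitespace or glob characters. If the script runs under bash, an array keeps the arguments intact: `store_ocsp=(--outfile "${OCSP_RESPONSE_FILE}")` and `... --load-cert server/x509.pem "${store_ocsp[@]}"`; under plain sh, a short comment such as `# unquoted on purpose: expands to zero or two words` at least records that the splitting is intentional. The interpreter line is outside the hunk, so which of the two applies cannot be seen here.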
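--- a/test/test-27_OCSP_server.bash
+++ b/test/test-27_OCSP_server.bash
@@ -7,4 +7,9 @@
 # trigger OCSP server test in the runtests script
 export CHECK_OCSP_SERVER="true"
+export OCSP_RESPONSE_FILE="$(mktemp mod_gnutls_test-XXXXXX.der)"
 
 ${srcdir}/runtests t-27
+
+ocsptool -e --load-signer authority/x509.pem --load-response ${OCSP_RESPONSE_FILE} || ret=1
+rm "${OCSP_RESPONSE_FILE}"
+exit ${ret}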
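Review bot: `exit ${ret}` on new line 15 depends on `ret` having a value, but within this hunk it is only assigned on the `ocsptool` failure path; unless one of the script's first six lines (outside the hunk) initialises it, a passing run expands to a bare `exit` and the script returns the status of the preceding `rm` rather than an explicit success. Adding `ret=0` before the `ocsptool` call and quoting the expansions, `ocsptool -e --load-signer authority/x509.pem --load-response "${OCSP_RESPONSE_FILE}" || ret=1` and `exit "${ret}"`, makes the result deterministic and robust to paths with spaces. Note also that `mktemp mod_gnutls_test-XXXXXX.der` creates the file relative to the current directory and apache.conf references the same relative path, which only works if httpd resolves it against the same directory; I cannot confirm from this changeset how runtests launches httpd.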
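--- a/test/tests/27_OCSP_server/apache.conf
+++ b/test/tests/27_OCSP_server/apache.conf
@@ -14,3 +14,4 @@
         GnuTLSKeyFile           server/secret.key
         GnuTLSPriorities        NORMAL
+        GnuTLSOCSPResponseFile  ${OCSP_RESPONSE_FILE}
 </VirtualHost>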