Changeset a372379 in mod_gnutls


Ignore:
Timestamp:
Jun 10, 2016, 8:26:50 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, master, upstream
Children:
6c44ed2
Parents:
cc74801
Message:

Store server certificate fingerprint in OCSP config

It's not like it's going to change without a server reload, so just
calculate the fingerprint once instead of for every connection that
uses OCSP stapling.

Location:
src
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_ocsp.c

    rcc74801 ra372379  
    275275    }
    276276
    277     /* the fingerprint will be used as cache key */
    278     gnutls_datum_t fingerprint =
    279         mgs_get_cert_fingerprint(tmp, sc->certs_x509_crt_chain[0]);
    280     if (fingerprint.data == NULL)
    281         return APR_EINVAL;
    282 
    283277    ap_log_error(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, s,
    284278                 "Loading OCSP response from %s",
     
    334328        expiry -= sc->ocsp_grace_time;
    335329
    336     int r = sc->cache->store(s, fingerprint, resp, expiry);
     330    int r = sc->cache->store(s, sc->ocsp->fingerprint, resp, expiry);
    337331    /* destroy pool, and original copy of the OCSP response with it */
    338332    apr_pool_destroy(tmp);
     
    359353    }
    360354
    361     gnutls_datum_t fingerprint =
    362         mgs_get_cert_fingerprint(ctxt->c->pool,
    363                                  ctxt->sc->certs_x509_crt_chain[0]);
    364     if (fingerprint.data == NULL)
    365         return GNUTLS_E_NO_CERTIFICATE_STATUS;
    366 
    367     *ocsp_response = ctxt->sc->cache->fetch(ctxt, fingerprint);
     355    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
     356                                            ctxt->sc->ocsp->fingerprint);
    368357    if (ocsp_response->size == 0)
    369358    {
     
    392381         * moment there's no good way to integrate that with the
    393382         * Apache Mutex directive. */
    394         *ocsp_response = ctxt->sc->cache->fetch(ctxt, fingerprint);
     383        *ocsp_response = ctxt->sc->cache->fetch(ctxt,
     384                                                ctxt->sc->ocsp->fingerprint);
    395385        if (ocsp_response->size > 0)
    396386        {
     
    417407
    418408    /* retry reading from cache */
    419     *ocsp_response = ctxt->sc->cache->fetch(ctxt, fingerprint);
     409    *ocsp_response = ctxt->sc->cache->fetch(ctxt,
     410                                            ctxt->sc->ocsp->fingerprint);
    420411    if (ocsp_response->size == 0)
    421412    {
     
    534525    sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
    535526
     527    sc->ocsp->fingerprint =
     528        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
     529    if (sc->ocsp->fingerprint.data == NULL)
     530        return HTTP_INTERNAL_SERVER_ERROR;
     531
    536532    sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
    537533                                          sc->certs_x509_crt_chain[0]);

  • src/gnutls_ocsp.h

    rcc74801 ra372379  
    3636     * certificate. */
    3737    gnutls_x509_trust_list_t *trust;
     38    /* Server certificate fingerprint, used as cache key for the OCSP
     39     * response */
     40    gnutls_datum_t fingerprint;
    3841};
    3942
Note: See TracChangeset for help on using the changeset viewer.