Changeset b888e8b in mod_gnutls


Ignore:
Timestamp:
Nov 1, 2016, 7:20:42 AM (6 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
Children:
b26a792
Parents:
b34a67e
git-author:
Thomas Klute <thomas2.klute@…> (10/31/16 19:42:11)
git-committer:
Thomas Klute <thomas2.klute@…> (11/01/16 07:20:42)
Message:

New directive GnuTLSOCSPCheckNonce

Some CAs refuse to send nonces in their OCSP responses, probably
because that way they can cache responses. This makes nonce
verification fail, so give the user an option disable it.

Files:
6 edited

Legend:

Unmodified
Added
Removed

  • doc/mod_gnutls_manual.mdwn

    rb34a67e rb888e8b  
    553553
    554554OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
     555
     556### GnuTLSOCSPCheckNonce
     557
     558Check the nonce in OCSP responses?
     559
     560    GnuTLSOCSPCheckNonce [On|Off]
     561
     562Default: *on*\
     563Context: server config, virtual host
     564
     565Some CAs refuse to send nonces in their OCSP responses, probably
     566because that way they can cache responses. If your CA is one of them
     567you can use this flag to disable nonce verification. Note that
     568`mod_gnutls` will _send_ a nonce either way.
    555569
    556570### GnuTLSOCSPResponseFile

  • include/mod_gnutls.h.in

    rb34a67e rb888e8b  
    213213    /* Enable OCSP stapling */
    214214    unsigned char ocsp_staple;
     215    /* Check nonce in OCSP responses? */
     216    unsigned char ocsp_check_nonce;
    215217    /* Read OCSP response for stapling from this file instead of
    216218     * sending a request over HTTP */

  • src/gnutls_config.c

    rb34a67e rb888e8b  
    11271127
    11281128    sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
     1129    sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
    11291130    sc->ocsp_response_file = NULL;
    11301131    sc->ocsp_mutex = NULL;
     
    11901191
    11911192    gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
     1193    gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
    11921194    gnutls_srvconf_assign(ocsp_response_file);
    11931195    gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);

  • src/gnutls_ocsp.c

    rb34a67e rb888e8b  
    8383    else
    8484        sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
     85
     86    return NULL;
     87}
     88
     89
     90
     91const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
     92                                     void *dummy __attribute__((unused)),
     93                                     const int arg)
     94{
     95    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     96        ap_get_module_config(parms->server->module_config, &gnutls_module);
     97
     98    if (arg)
     99        sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
     100    else
     101        sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
    85102
    86103    return NULL;
     
    276293    }
    277294
    278     if (nonce != NULL)
     295    /* Even some large CAs do not support nonces, probably because
     296     * that way they can cache responses. :-/ */
     297    if (nonce != NULL && sc->ocsp_check_nonce)
    279298    {
    280299        gnutls_datum_t resp_nonce;
     
    617636    {
    618637        gnutls_datum_t req;
    619         /* mod_ssl offers an option to enable/disable nonces for
    620          * broken responders. If needed at some point, we could do the
    621          * same by passing NULL instead of &nonce. */
    622638        int ret = mgs_create_ocsp_request(s, &req, &nonce);
    623639        if (ret == GNUTLS_E_SUCCESS)
     
    905921    }
    906922
    907     /* set default values for unset timeouts */
     923    /* set default values for unset parameters */
     924    if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
     925        sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
    908926    if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
    909927        sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);

  • src/gnutls_ocsp.h

    rb34a67e rb888e8b  
    5454                                     const int arg);
    5555
     56const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
     57                                     void *dummy __attribute__((unused)),
     58                                     const int arg);
     59
    5660const char *mgs_store_ocsp_response_path(cmd_parms * parms,
    5761                                         void *dummy __attribute__((unused)),

  • src/mod_gnutls.c

    rb34a67e rb888e8b  
    275275                 NULL, RSRC_CONF,
    276276                 "Enable OCSP stapling"),
     277    AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
     278                 NULL, RSRC_CONF,
     279                 "Check nonce in OCSP responses?"),
    277280    AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
    278281                  NULL, RSRC_CONF,
Note: See TracChangeset for help on using the changeset viewer.