Changeset b888e8b in mod_gnutls
- Timestamp:
- Nov 1, 2016, 7:20:42 AM (6 years ago)
- Branches:
- asyncio, debian/master, debian/stretch-backports, master, proxy-ticket, upstream
- Children:
- b26a792
- Parents:
- b34a67e
- git-author:
- Thomas Klute <thomas2.klute@…> (10/31/16 19:42:11)
- git-committer:
- Thomas Klute <thomas2.klute@…> (11/01/16 07:20:42)
- Files:
-
- 6 edited
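--- a/doc/mod_gnutls_manual.mdwn
+++ b/doc/mod_gnutls_manual.mdwn
@@ -553,4 +553,18 @@
 
 OCSP cache updates are serialized using the `gnutls-ocsp` mutex.
+
+### GnuTLSOCSPCheckNonce
+
+Check the nonce in OCSP responses?
+
+GnuTLSOCSPCheckNonce [On|Off]
+
+Default: *on*\
+Context: server config, virtual host
+
+Some CAs refuse to send nonces in their OCSP responses, probably
+because that way they can cache responses. If your CA is one of them
+you can use this flag to disable nonce verification. Note that
+`mod_gnutls` will _send_ a nonce either way.
 
 ### GnuTLSOCSPResponseFile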
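--- a/include/mod_gnutls.h.in
+++ b/include/mod_gnutls.h.in
@@ -213,4 +213,6 @@
 /* Enable OCSP stapling */
 unsigned char ocsp_staple;
+/* Check nonce in OCSP responses? */
+unsigned char ocsp_check_nonce;
 /* Read OCSP response for stapling from this file instead of
 * sending a request over HTTP */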
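--- a/src/gnutls_config.c
+++ b/src/gnutls_config.c
@@ -1127,4 +1127,5 @@
 
 sc->ocsp_staple = GNUTLS_ENABLED_UNSET;
+sc->ocsp_check_nonce = GNUTLS_ENABLED_UNSET;
 sc->ocsp_response_file = NULL;
 sc->ocsp_mutex = NULL;
@@ -1190,4 +1191,5 @@
 
 gnutls_srvconf_merge(ocsp_staple, GNUTLS_ENABLED_UNSET);
+gnutls_srvconf_merge(ocsp_check_nonce, GNUTLS_ENABLED_UNSET);
 gnutls_srvconf_assign(ocsp_response_file);
 gnutls_srvconf_merge(ocsp_grace_time, MGS_TIMEOUT_UNSET);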
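--- a/src/gnutls_ocsp.c
+++ b/src/gnutls_ocsp.c
@@ -83,4 +83,21 @@
 else
 sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+return NULL;
+}
+
+
+
+const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
+void *dummy __attribute__((unused)),
+const int arg)
+{
+mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
+ap_get_module_config(parms->server->module_config, &gnutls_module);
+
+if (arg)
+sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
+else
+sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
 
 return NULL;
@@ -276,5 +293,7 @@
 }
 
-if (nonce != NULL)
+/* Even some large CAs do not support nonces, probably because
+* that way they can cache responses. :-/ */
+if (nonce != NULL && sc->ocsp_check_nonce)
 {
 gnutls_datum_t resp_nonce;
@@ -617,7 +636,4 @@
 {
 gnutls_datum_t req;
-/* mod_ssl offers an option to enable/disable nonces for
-* broken responders. If needed at some point, we could do the
-* same by passing NULL instead of &nonce. */
 int ret = mgs_create_ocsp_request(s, &req, &nonce);
 if (ret == GNUTLS_E_SUCCESS)
@@ -905,5 +921,7 @@
 }
 
-/* set default values for unset timeouts */
+/* set default values for unset parameters */
+if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
+sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
 if (sc->ocsp_grace_time == MGS_TIMEOUT_UNSET)
 sc->ocsp_grace_time = apr_time_from_sec(MGS_OCSP_GRACE_TIME);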
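Review bot: The new condition `if (nonce != NULL && sc->ocsp_check_nonce)` in the second hunk skips nonce verification entirely when the option is off, even for a responder that did include a nonce extension in its reply; the option is motivated by responders that omit nonces, so a narrower form would still compare the nonce whenever one is present and only tolerate its absence. Whether that is feasible depends on how the branch body treats a missing extension, and both the body and the enclosing function lie outside the hunk. Either way, a short comment at the skip would help the next reader, e.g. `/* Nonce check disabled: freshness of the response then rests on its validity period alone. */`. The new `mgs_set_ocsp_check_nonce` in the first hunk also repeats, line for line, the preceding handler that sets `ocsp_staple`; a small static helper taking a pointer to the flag field would remove the duplication.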
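--- a/src/gnutls_ocsp.h
+++ b/src/gnutls_ocsp.h
@@ -54,4 +54,8 @@
 const int arg);
 
+const char *mgs_set_ocsp_check_nonce(cmd_parms *parms,
+void *dummy __attribute__((unused)),
+const int arg);
+
 const char *mgs_store_ocsp_response_path(cmd_parms * parms,
 void *dummy __attribute__((unused)),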
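--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -275,4 +275,7 @@
 NULL, RSRC_CONF,
 "Enable OCSP stapling"),
+AP_INIT_FLAG("GnuTLSOCSPCheckNonce", mgs_set_ocsp_check_nonce,
+NULL, RSRC_CONF,
+"Check nonce in OCSP responses?"),
 AP_INIT_TAKE1("GnuTLSOCSPResponseFile", mgs_store_ocsp_response_path,
 NULL, RSRC_CONF,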