Changeset cb6476c in mod_gnutls

Timestamp:

Sep 26, 2018, 2:29:35 AM (5 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, debian/master, main, master, proxy-ticket

Children:

adceac0

Parents:

efc43b4

Message:

Enable OCSP stapling by default if possible

If the user hasn't explicitly disabled OCSP stapling try to enable it,
and disable if that fails.

Files:

• src/gnutls_hooks.c (modified) (1 diff)
• test/tests/27_OCSP_server/apache.conf (modified) (1 diff)

src/gnutls_hooks.c

@@ -658 +658 @@
         if (sc->client_verify_method == mgs_cvm_unset)
             sc->client_verify_method = mgs_cvm_cartel;
-        if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
-            // TODO: Check result of mgs_ocsp_configure_stapling()
-            // below instead, staple if possible.
-            sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+
+        // TODO: None of the stuff below (and neither some above)
+        // makes sense if sc->enabled == GNUTLS_ENABLED_FALSE, we
+        // should just continue to the next host. All code below could
+        // then safely assume sc->enabled == GNUTLS_ENABLED_TRUE.
 
         sc->ocsp_mutex = sc_base->ocsp_mutex;
-        /* init OCSP configuration if OCSP is enabled for this host */
-        if (sc->enabled && sc->ocsp_staple)
+        /* init OCSP configuration unless explicitly disabled */
+        if (sc->enabled && sc->ocsp_staple != GNUTLS_ENABLED_FALSE)
         {
             const char *err = mgs_ocsp_configure_stapling(pconf, ptemp, s);
             if (err != NULL)
             {
-                ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s,
-                             "OCSP stapling configuration failed for "
-                             "host '%s:%d': %s",
-                             s->server_hostname, s->addrs->host_port, err);
-                return HTTP_INTERNAL_SERVER_ERROR;
+                /* If OCSP stapling is enabled only by default ignore
+                 * error and disable stapling */
+                if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)
+                {
+                    ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, s,
+                                 "Cannnot enable OCSP stapling for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    sc->ocsp_staple = GNUTLS_ENABLED_FALSE;
+                }
+                /* If OCSP stapling is explicitly enabled this is a
+                 * critical error. */
+                else
+                {
+                    ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s,
+                                 "OCSP stapling configuration failed for "
+                                 "host '%s:%d': %s",
+                                 s->server_hostname, s->addrs->host_port, err);
+                    return HTTP_INTERNAL_SERVER_ERROR;
+                }
             }
-            rv = mgs_ocsp_enable_stapling(pconf, ptemp, s);
-            if (rv != OK && rv != DECLINED)
-                return rv;
+            else
+            {
+                /* Might already be set */
+                sc->ocsp_staple = GNUTLS_ENABLED_TRUE;
+                /* Set up stapling */
+                rv = mgs_ocsp_enable_stapling(pconf, ptemp, s);
+                if (rv != OK && rv != DECLINED)
+                    return rv;
+            }
         }
 

test/tests/27_OCSP_server/apache.conf

@@ -9 +9 @@
         ServerName              ${TEST_HOST}
         GnuTLSEnable            On
-        GnuTLSOCSPStapling      On
+        # Enabled by default
+        #GnuTLSOCSPStapling     On
         GnuTLSOCSPCacheTimeout  60
         GnuTLSCertificateFile   server/x509-chain.pem