Changeset e932ba5 in mod_gnutls

Timestamp:

Apr 4, 2020, 11:55:25 AM (3 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, main, master, proxy-ticket

Children:

87d7f89

Parents:

ca0690b

Message:

Do not enforce OCSP nonces by default

The reason for this change is that in practice most public CAs do not
support OCSP nonces, which is permitted by both RFC 6960 and the
CA/Browser Forum baseline requirements. In this situation enforcing
correct nonces by default makes the automatic OCSP stapling support
mostly useless, so I'm changing the default.

Files:

• doc/mod_gnutls_manual.md (modified) (1 diff)
• src/gnutls_ocsp.c (modified) (1 diff)

doc/mod_gnutls_manual.md

@@ -644 +644 @@
     GnuTLSOCSPCheckNonce [On|Off]
 
-Default: *on*\
-Context: server config, virtual host
-
-Some CAs refuse to send nonces in their OCSP responses, probably
-because that way they can cache responses. If your CA is one of them
-you can use this flag to disable nonce verification. Note that
-`mod_gnutls` will _send_ a nonce either way.
+Default: *off*\
+Context: server config, virtual host
+
+Most CAs do not to send nonces in their OCSP responses, probably
+because that way they can cache responses, which is [explicitly
+allowed by RFC
+6960](https://tools.ietf.org/html/rfc6960#section-2.5). You can enable
+`GnuTLSOCSPCheckNonce` to enforce nonce validation if your CA is one
+that supports OCSP nonces. Note that `mod_gnutls` will _send_ a nonce
+either way.
 
 ### GnuTLSOCSPResponseFile

src/gnutls_ocsp.c

@@ -1270 +1270 @@
         sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
     if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
-        sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
+        sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
     if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
         sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);