Changeset e932ba5 in mod_gnutls


Ignore:
Timestamp:
Apr 4, 2020, 11:55:25 AM (6 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master, proxy-ticket
Children:
87d7f89
Parents:
ca0690b
Message:

Do not enforce OCSP nonces by default

The reason for this change is that in practice most public CAs do not
support OCSP nonces, which is permitted by both RFC 6960 and the
CA/Browser Forum baseline requirements. In this situation enforcing
correct nonces by default makes the automatic OCSP stapling support
mostly useless, so I'm changing the default.

Files:
2 edited

Legend:

Unmodified
Added
Removed
  • doc/mod_gnutls_manual.md

    rca0690b re932ba5  
    644644    GnuTLSOCSPCheckNonce [On|Off]
    645645
    646 Default: *on*\
    647 Context: server config, virtual host
    648 
    649 Some CAs refuse to send nonces in their OCSP responses, probably
    650 because that way they can cache responses. If your CA is one of them
    651 you can use this flag to disable nonce verification. Note that
    652 `mod_gnutls` will _send_ a nonce either way.
     646Default: *off*\
     647Context: server config, virtual host
     648
     649Most CAs do not to send nonces in their OCSP responses, probably
     650because that way they can cache responses, which is [explicitly
     651allowed by RFC
     6526960](https://tools.ietf.org/html/rfc6960#section-2.5). You can enable
     653`GnuTLSOCSPCheckNonce` to enforce nonce validation if your CA is one
     654that supports OCSP nonces. Note that `mod_gnutls` will _send_ a nonce
     655either way.
    653656
    654657### GnuTLSOCSPResponseFile
  • src/gnutls_ocsp.c

    rca0690b re932ba5  
    12701270        sc->ocsp_auto_refresh = GNUTLS_ENABLED_TRUE;
    12711271    if (sc->ocsp_check_nonce == GNUTLS_ENABLED_UNSET)
    1272         sc->ocsp_check_nonce = GNUTLS_ENABLED_TRUE;
     1272        sc->ocsp_check_nonce = GNUTLS_ENABLED_FALSE;
    12731273    if (sc->ocsp_cache_time == MGS_TIMEOUT_UNSET)
    12741274        sc->ocsp_cache_time = apr_time_from_sec(MGS_OCSP_CACHE_TIMEOUT);
Note: See TracChangeset for help on using the changeset viewer.