- Timestamp:
- Sep 25, 2018, 3:46:26 PM (2 years ago)
- Branches:
- asyncio, debian/master, master, proxy-ticket
- Children:
- cb6476c
- Parents:
- 994200a
- Location:
- src
- Files:
-
- 3 edited
src/gnutls_hooks.c
r994200a refc43b4 659 659 sc->client_verify_method = mgs_cvm_cartel; 660 660 if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET) 661 // TODO: Check result of mgs_ocsp_configure_stapling() 662 // below instead, staple if possible. 661 663 sc->ocsp_staple = GNUTLS_ENABLED_FALSE; 662 664 … … 665 667 if (sc->enabled && sc->ocsp_staple) 666 668 { 667 rv = mgs_ocsp_post_config_server(pconf, ptemp, s); 669 const char *err = mgs_ocsp_configure_stapling(pconf, ptemp, s); 670 if (err != NULL) 671 { 672 ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, s, 673 "OCSP stapling configuration failed for " 674 "host '%s:%d': %s", 675 s->server_hostname, s->addrs->host_port, err); 676 return HTTP_INTERNAL_SERVER_ERROR; 677 } 678 rv = mgs_ocsp_enable_stapling(pconf, ptemp, s); 668 679 if (rv != OK && rv != DECLINED) 669 680 return rv; -
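Review bot: The new two-line TODO comment sits between `if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET)` and its unbraced body `sc->ocsp_staple = GNUTLS_ENABLED_FALSE;`, which makes the statement easy to misread as unconditional and is fragile if a second statement is ever added. Move the comment above the `if` or brace the body: `if (sc->ocsp_staple == GNUTLS_ENABLED_UNSET) { sc->ocsp_staple = GNUTLS_ENABLED_FALSE; }`. The error branch itself looks sound: the string from mgs_ocsp_configure_stapling is consumed by ap_log_error before the function returns, so a ptemp-allocated message (as the header permits) never outlives its pool. The enclosing post_config function starts and ends outside the hunk.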
src/gnutls_ocsp.c
r994200a refc43b4 1087 1087 1088 1088 1089 const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, 1090 apr_pool_t *ptemp __attribute__((unused)), 1091 server_rec *server) 1092 { 1093 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1094 ap_get_module_config(server->module_config, &gnutls_module); 1095 1096 if (sc->certs_x509_chain_num < 2) 1097 return "No issuer (CA) certificate available, cannot enable " 1098 "stapling. Please add it to the GnuTLSCertificateFile."; 1099 1100 mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data)); 1101 1102 ocsp->uri = mgs_cert_get_ocsp_uri(pconf, 1103 sc->certs_x509_crt_chain[0]); 1104 if (ocsp->uri == NULL && sc->ocsp_response_file == NULL) 1105 return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile " 1106 "setting, cannot configure OCSP stapling."; 1107 1108 if (sc->ocsp_cache == NULL) 1109 return "No OCSP response cache available, please check " 1110 "the GnuTLSOCSPCache setting."; 1111 1112 sc->ocsp = ocsp; 1113 return NULL; 1114 } 1115 1116 1117 1089 1118 /* 1090 1119 * Like in the general post_config hook the HTTP status codes for … … 1092 1121 * to denote an error. 
1093 1122 */ 1094 int mgs_ocsp_ post_config_server(apr_pool_t *pconf,1095 1096 1123 int mgs_ocsp_enable_stapling(apr_pool_t *pconf, 1124 apr_pool_t *ptemp __attribute__((unused)), 1125 server_rec *server) 1097 1126 { 1098 1127 mgs_srvconf_rec *sc = (mgs_srvconf_rec *) 1099 1128 ap_get_module_config(server->module_config, &gnutls_module); 1100 1101 if (sc->certs_x509_chain_num < 2) 1102 { 1103 ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server, 1104 "OCSP stapling is enabled but no CA certificate " 1105 "available for %s:%d, make sure it is included in " 1106 "GnuTLSCertificateFile!", 1107 server->server_hostname, server->addrs->host_port); 1108 return HTTP_NOT_FOUND; 1109 } 1110 1111 if (sc->ocsp_cache == NULL) 1112 { 1113 ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server, 1114 "OCSP stapling is enabled but no cache configured!"); 1115 return HTTP_NOT_FOUND; 1129 if (sc->ocsp == NULL) 1130 { 1131 ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, server, 1132 "CRITICAL ERROR: %s called with uninitialized OCSP " 1133 "data structure. 
This indicates a bug in mod_gnutls.", 1134 __func__); 1135 return HTTP_INTERNAL_SERVER_ERROR; 1116 1136 } 1117 1137 … … 1152 1172 } 1153 1173 1154 sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));1155 1156 1174 sc->ocsp->fingerprint = 1157 1175 mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]); 1158 1176 if (sc->ocsp->fingerprint.data == NULL) 1159 1177 return HTTP_INTERNAL_SERVER_ERROR; 1160 1161 sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,1162 sc->certs_x509_crt_chain[0]);1163 if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)1164 {1165 ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,1166 "OCSP stapling is enabled for for %s:%d, but there is "1167 "neither an OCSP URI in the certificate nor a "1168 "GnuTLSOCSPResponseFile setting for this host!",1169 server->server_hostname, server->addrs->host_port);1170 return HTTP_NOT_FOUND;1171 }1172 1178 1173 1179 sc->ocsp->trust = apr_palloc(pconf, -
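Review bot: In mgs_ocsp_configure_stapling the new `ocsp` record is taken with `apr_palloc`, so every member except `uri` is indeterminate until mgs_ocsp_enable_stapling fills it; only `fingerprint` and `trust` are visibly assigned in this hunk, and enable_stapling's body continues outside it, so I cannot confirm the rest is covered. Using `mgs_ocsp_data_t ocsp = apr_pcalloc(pconf, sizeof(struct mgs_ocsp_data));` makes the record zero-initialized, which is cheaper to reason about and keeps the new `sc->ocsp == NULL` guard meaningful for pointer members that may be read before being set. Also note that the early returns in configure_stapling correctly leave `sc->ocsp` untouched, so a failed configuration cannot be half-applied; a comment such as `/* sc->ocsp is only set once every check passed */` above `sc->ocsp = ocsp;` would make that invariant explicit for the caller.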
src/gnutls_ocsp.h
r994200a refc43b4 98 98 99 99 /** 100 * Initialize server config for OCSP, supposed to be called in the 101 * post_config hook for each server where OCSP stapling is enabled, 102 * after certificates have been loaded. 100 * Try to generate the OCSP stapling configuration for a (virtual) 101 * host. This function must be called in the post_config hook after 102 * certificates have been loaded. This method does not actually enable 103 * stapling, it only prepares the configuration. The reason for 104 * splitting these tasks is that configuration failure may be ignored 105 * if stapling is not explicitly enabled but only opportunistically. 106 * 107 * @return `NULL` on success, a string describing why configuration 108 * failed otherwise (static or allocated from ptemp) 109 */ 110 const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, 111 server_rec *server); 112 113 /** 114 * Enable OCSP stapling for a (virtual) host. Must be called in the 115 * post_config hook after mgs_ocsp_configure_stapling has returned 116 * successfully for that host. 103 117 * 104 118 * @return OK or DECLINED on success, any other value on error (like 105 * the post_config hook itself)119 * the post_config hook) 106 120 */ 107 int mgs_ocsp_ post_config_server(apr_pool_t *pconf, apr_pool_t *ptemp,108 121 int mgs_ocsp_enable_stapling(apr_pool_t *pconf, apr_pool_t *ptemp, 122 server_rec *server); 109 123 110 124 int mgs_get_ocsp_response(gnutls_session_t session, void *ptr,
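Review bot: The new doc comments describe the return contracts but document none of the parameters, and the `ptemp` mention in the `@return` of mgs_ocsp_configure_stapling is the only hint about the error string's lifetime. Add `@param pconf`, `@param ptemp` and `@param server` lines to both declarations, and state on mgs_ocsp_configure_stapling that the returned string is valid only until ptemp is cleared and must be logged or copied, not stored in server configuration. For mgs_ocsp_enable_stapling, note that it fails with an error status if called while `sc->ocsp` is still NULL, which the implementation in gnutls_ocsp.c now checks explicitly.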