Changeset efc43b4 in mod_gnutls for src/gnutls_ocsp.c


Timestamp:
Sep 25, 2018, 3:46:26 PM (23 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
cb6476c
Parents:
994200a
Message:

Split per-vhost post config for OCSP stapling into configuring and enabling

This is preparation for enabling stapling by default: Configuration
failure may be ignored if stapling is not explicitly enabled by the
user (at the cost of not stapling).

File:
1 edited

  • src/gnutls_ocsp.c

    r994200a refc43b4  
    10871087
    10881088
     1089const char* mgs_ocsp_configure_stapling(apr_pool_t *pconf,
     1090                                        apr_pool_t *ptemp __attribute__((unused)),
     1091                                        server_rec *server)
     1092{
     1093    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
     1094        ap_get_module_config(server->module_config, &gnutls_module);
     1095
     1096    if (sc->certs_x509_chain_num < 2)
     1097        return "No issuer (CA) certificate available, cannot enable "
     1098            "stapling. Please add it to the GnuTLSCertificateFile.";
     1099
     1100    mgs_ocsp_data_t ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
     1101
     1102    ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
     1103                                      sc->certs_x509_crt_chain[0]);
     1104    if (ocsp->uri == NULL && sc->ocsp_response_file == NULL)
     1105        return "No OCSP URI in the certificate nor a GnuTLSOCSPResponseFile "
     1106            "setting, cannot configure OCSP stapling.";
     1107
     1108    if (sc->ocsp_cache == NULL)
     1109        return "No OCSP response cache available, please check "
     1110            "the GnuTLSOCSPCache setting.";
     1111
     1112    sc->ocsp = ocsp;
     1113    return NULL;
     1114}
     1115
     1116
     1117
    10891118/*
    10901119 * Like in the general post_config hook the HTTP status codes for
     
    10921121 * to denote an error.
    10931122 */
    1094 int mgs_ocsp_post_config_server(apr_pool_t *pconf,
    1095                                 apr_pool_t *ptemp __attribute__((unused)),
    1096                                 server_rec *server)
     1123int mgs_ocsp_enable_stapling(apr_pool_t *pconf,
     1124                             apr_pool_t *ptemp __attribute__((unused)),
     1125                             server_rec *server)
    10971126{
    10981127    mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
    10991128        ap_get_module_config(server->module_config, &gnutls_module);
    1100 
    1101     if (sc->certs_x509_chain_num < 2)
    1102     {
    1103         ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
    1104                      "OCSP stapling is enabled but no CA certificate "
    1105                      "available for %s:%d, make sure it is included in "
    1106                      "GnuTLSCertificateFile!",
    1107                      server->server_hostname, server->addrs->host_port);
    1108         return HTTP_NOT_FOUND;
    1109     }
    1110 
    1111     if (sc->ocsp_cache == NULL)
    1112     {
    1113         ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EINVAL, server,
    1114                      "OCSP stapling is enabled but no cache configured!");
    1115         return HTTP_NOT_FOUND;
     1129    if (sc->ocsp == NULL)
     1130    {
     1131        ap_log_error(APLOG_MARK, APLOG_STARTUP, APR_EGENERAL, server,
     1132                     "CRITICAL ERROR: %s called with uninitialized OCSP "
     1133                     "data structure. This indicates a bug in mod_gnutls.",
     1134                     __func__);
     1135        return HTTP_INTERNAL_SERVER_ERROR;
    11161136    }
    11171137
     
    11521172    }
    11531173
    1154     sc->ocsp = apr_palloc(pconf, sizeof(struct mgs_ocsp_data));
    1155 
    11561174    sc->ocsp->fingerprint =
    11571175        mgs_get_cert_fingerprint(pconf, sc->certs_x509_crt_chain[0]);
    11581176    if (sc->ocsp->fingerprint.data == NULL)
    11591177        return HTTP_INTERNAL_SERVER_ERROR;
    1160 
    1161     sc->ocsp->uri = mgs_cert_get_ocsp_uri(pconf,
    1162                                           sc->certs_x509_crt_chain[0]);
    1163     if (sc->ocsp->uri == NULL && sc->ocsp_response_file == NULL)
    1164     {
    1165         ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, server,
    1166                      "OCSP stapling is enabled for for %s:%d, but there is "
    1167                      "neither an OCSP URI in the certificate nor a "
    1168                      "GnuTLSOCSPResponseFile setting for this host!",
    1169                      server->server_hostname, server->addrs->host_port);
    1170         return HTTP_NOT_FOUND;
    1171     }
    11721178
    11731179    sc->ocsp->trust = apr_palloc(pconf,
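Review bot: `mgs_ocsp_configure_stapling` (new lines 1100–1112) allocates the `mgs_ocsp_data` struct with `apr_palloc`, which does not zero memory, so after a successful configure only `ocsp->uri` is initialized while `fingerprint`, `trust` and any other members hold indeterminate values until `mgs_ocsp_enable_stapling` fills them. With configuring and enabling now separate steps (and configuration failure ignorable per the commit message), any path that tests `sc->ocsp != NULL` to decide whether stapling data is ready could read those uninitialized members; this is inferred, since the callers are not in the hunk. Using `mgs_ocsp_data_t ocsp = apr_pcalloc(pconf, sizeof(struct mgs_ocsp_data));` makes the unset members NULL/zero at no meaningful cost. A short header comment on `mgs_ocsp_configure_stapling` stating that it returns NULL on success or a static error string, and that `sc->ocsp` is assigned only on success, would also help, because `mgs_ocsp_enable_stapling` relies on exactly that to distinguish a mod_gnutls bug from a missing configuration. `mgs_ocsp_enable_stapling` continues past the end of the hunk.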