
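--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -421,6 +421,19 @@
     const char  *crl_file;
     X509_STORE  *crl;
 
+#ifdef HAVE_OCSP_STAPLING
+    /** OCSP stapling options */
+    BOOL        useStapling;
+    long        StaplingResponseTimeSkew;
+    long        StaplingResponseMaxAge;
+    int         StaplingStandardCacheTimeout;
+    BOOL        StaplingReturnResponderErrors;
+    BOOL        StaplingFakeTryLater;
+    int         StaplingErrorCacheTimeout;
+    int         StaplingResponderTimeout;
+    const char *StaplingForceURL;
+#endif
+
     modssl_auth_ctx_t auth;
 
     BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -478,6 +491,7 @@
 void        *ssl_config_perdir_create(apr_pool_t *, char *);
 void        *ssl_config_perdir_merge(apr_pool_t *, void *, void *);
 const char  *ssl_cmd_SSLMutex(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLStaplingMutex(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCryptoDevice(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
@@ -568,6 +582,22 @@
 int ssl_proxy_enable(conn_rec *c);
 int ssl_engine_disable(conn_rec *c);
 
+/** OCSP Stapling Support */
+#ifdef HAVE_OCSP_STAPLING
+const char  *ssl_cmd_SSLUseStapling(cmd_parms *, void *, int);
+const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int);
+const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int);
+const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *);
+void         ssl_cmd_stapling_setup(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *);
+void         ssl_stapling_ex_init(void);
+int          ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x);
+#endif
+
 /**  I/O  */
 void         ssl_io_filter_init(conn_rec *, request_rec *r, SSL *);
 void         ssl_io_filter_register(apr_pool_t *);
@@ -624,6 +654,11 @@
 int          ssl_mutex_on(server_rec *);
 int          ssl_mutex_off(server_rec *);
 
+int          ssl_stapling_mutex_init(server_rec *, apr_pool_t *);
+int          ssl_stapling_mutex_reinit(server_rec *, apr_pool_t *);
+int          ssl_stapling_mutex_on(server_rec *);
+int          ssl_stapling_mutex_off(server_rec *);
+
 /**  Logfile Support  */
 void         ssl_die(void);
 void         ssl_log_ssl_error(const char *, int, int, server_rec *);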
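Review bot: The new stapling fields at new lines 426-434 carry no comment on meaning or units, so a reader has to go to ssl_engine_config.c to learn that the skew, max-age, cache-timeout and responder-timeout values are apparently seconds (the defaults set there are 60 * 5, 3600, 600 and 10) and that StaplingResponseMaxAge's -1 default presumably means "no limit". I would document each field in place, e.g. `long StaplingResponseTimeSkew; /* max clock skew tolerated when checking OCSP response times (seconds) */` and `long StaplingResponseMaxAge; /* reject OCSP responses older than this (seconds); -1 = no limit -- confirm in ssl_stapling.c */`. Separately, ssl_cmd_SSLStaplingMutex (new line 494) and the ssl_stapling_mutex_* prototypes (657-660) sit outside the HAVE_OCSP_STAPLING guard that wraps every other stapling declaration, and mod_ssl.c in this same patch leaves the SSLStaplingMutex directive under `#if 0`, so that handler is declared but unreachable. The struct these fields are added to begins outside the hunk.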
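--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -249,6 +249,11 @@
     if (!ssl_mutex_init(base_server, p)) {
         return HTTP_INTERNAL_SERVER_ERROR;
     }
+#ifdef HAVE_OCSP_STAPLING
+    if (!ssl_stapling_mutex_init(base_server, p)) {
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+#endif
 
     /*
      * initialize session caching
@@ -288,6 +293,10 @@
 
     SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
 
+#ifdef HAVE_OCSP_STAPLING
+    ssl_stapling_ex_init();
+#endif
+
     return OK;
 }
 
@@ -382,6 +391,15 @@
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+
+#ifdef HAVE_OCSP_STAPLING
+    /*
+     * OCSP Stapling support, status_request extension
+     */
+    if ((mctx->pkp == FALSE) && (mctx->useStapling == TRUE)) {
+        ssl_cmd_stapling_setup(s, p, ptemp, mctx);
+    }
+#endif
 }
 #endif
 
@@ -773,6 +791,15 @@
         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
         ssl_die();
     }
+  
+#ifdef HAVE_OCSP_STAPLING
+    if ((mctx->pkp == FALSE) && (mctx->useStapling == TRUE)) {
+        if (!ssl_stapling_init_cert(s, mctx, cert)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "Unable to configure server certificate for stapling");
+        }
+    }
+#endif
 
     mctx->pks->certs[idx] = cert;
 
@@ -1245,6 +1272,9 @@
 
     /* open the mutex lockfile */
     ssl_mutex_reinit(s, p);
+#ifdef HAVE_OCSP_STAPLING
+    ssl_stapling_mutex_reinit(s, p);
+#endif
 }
 
 #define MODSSL_CFG_ITEM_FREE(func, item) \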
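Review bot: A failure of ssl_stapling_init_cert() at new lines 797-800 is only logged, while every neighbouring certificate-setup failure in this function ends in ssl_die(); the server therefore comes up with useStapling still TRUE for a certificate that could not be prepared for stapling, and whether that later degrades cleanly depends on ssl_stapling.c, which is not part of this view. Either make it fatal for parity with the surrounding code, adding `ssl_die();` after the ap_log_error(), or state in a comment why it is deliberately best-effort, and include the certificate index or vhost in the message so a multi-vhost operator can tell which cert failed. The guard `mctx->pkp == FALSE` at lines 399 and 796 compares what appears to be a pointer against a boolean macro; `mctx->pkp == NULL` says what is meant. The enclosing functions start and end outside these hunks.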
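--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -129,6 +129,18 @@
     mctx->ocsp_enabled        = FALSE;
     mctx->ocsp_force_default  = FALSE;
     mctx->ocsp_responder      = NULL;
+
+#ifdef HAVE_OCSP_STAPLING
+    mctx->useStapling                   = FALSE;
+    mctx->StaplingResponseTimeSkew      = 60 * 5;
+    mctx->StaplingResponseMaxAge        = -1;
+    mctx->StaplingStandardCacheTimeout  = 3600;
+    mctx->StaplingReturnResponderErrors = TRUE;
+    mctx->StaplingFakeTryLater          = TRUE;
+    mctx->StaplingErrorCacheTimeout     = 600;
+    mctx->StaplingResponderTimeout      = 10;
+    mctx->StaplingForceURL   		= NULL;
+#endif
 }
 
 static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -222,6 +234,17 @@
     cfgMergeBool(ocsp_enabled);
     cfgMergeBool(ocsp_force_default);
     cfgMerge(ocsp_responder, NULL);
+#ifdef HAVE_OCSP_STAPLING
+    cfgMerge(useStapling, FALSE);
+    cfgMergeInt(StaplingResponseTimeSkew);
+    cfgMergeInt(StaplingResponseMaxAge);
+    cfgMergeInt(StaplingStandardCacheTimeout);
+    cfgMergeBool(StaplingReturnResponderErrors);
+    cfgMergeBool(StaplingFakeTryLater);
+    cfgMergeInt(StaplingErrorCacheTimeout);
+    cfgMergeInt(StaplingResponderTimeout);
+    cfgMerge(StaplingForceURL, NULL);
+#endif
 }
 
 static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
@@ -1408,6 +1431,97 @@
     return NULL;
 }
 
+#ifdef HAVE_OCSP_STAPLING
+const char *ssl_cmd_SSLUseStapling(cmd_parms *cmd, void *dcfg, int flag)
+{   
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->useStapling = flag ? TRUE : FALSE;
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms *cmd, void *dcfg,
+                                                    const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingResponseTimeSkew = atoi(arg);
+    if (sc->server->StaplingResponseTimeSkew < 0) {
+        return "SSLStaplingResponseTimeSkew: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms *cmd, void *dcfg,
+                                                    const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingResponseMaxAge = atoi(arg);
+    if (sc->server->StaplingResponseMaxAge < 0) {
+        return "SSLStaplingResponseMaxAge: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms *cmd, void *dcfg,
+                                                    const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingStandardCacheTimeout = atoi(arg);
+    if (sc->server->StaplingStandardCacheTimeout < 0) {
+        return "SSLStaplingStandardCacheTimeout: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *cmd, void *dcfg,
+                                                 const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingErrorCacheTimeout = atoi(arg);
+    if (sc->server->StaplingErrorCacheTimeout < 0) {
+        return "SSLStaplingErrorCacheTimeout: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *cmd,
+                                                     void *dcfg, int flag)
+{   
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingReturnResponderErrors = flag ? TRUE : FALSE;
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *cmd,
+                                            void *dcfg, int flag)
+{   
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingFakeTryLater = flag ? TRUE : FALSE;
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *cmd, void *dcfg,
+                                                const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingResponderTimeout = atoi(arg);
+    if (sc->server->StaplingResponderTimeout < 0) {
+        return "SSLStaplingResponderTimeout: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *cmd, void *dcfg,
+                                        const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->StaplingForceURL = arg;
+    return NULL;
+}
+
+#endif
+
+
+
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
     if (!ap_exists_config_define("DUMP_CERTS")) {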
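Review bot: The five TAKE1 handlers at new lines 1442-1511 parse their argument with atoi(), which returns 0 for non-numeric text and has undefined behaviour on out-of-range input, so `SSLStaplingResponderTimeout ten` silently yields a zero timeout and an oversized value can wrap to something that passes the `< 0` test; only a literal negative number is actually rejected. Parse with strtol(), reject trailing garbage and ERANGE, and range-check against the field width (StaplingResponseTimeSkew/MaxAge are long, the other three are int), through one static helper used by all five as sketched below (it needs errno.h and limits.h in scope). A related inheritance wrinkle: `cfgMerge(useStapling, FALSE)` at line 238 uses FALSE as the "unset" marker, so if cfgMerge has the usual unset semantics a vhost's explicit `SSLUseStapling off` cannot override a global `on`; either document that or initialise the field to UNSET and use cfgMergeBool like the two flags beside it. SSLStaplingForceURL (line 1517) stores the string unvalidated; checking at config time that it is an http URL avoids discovering a typo on the first handshake.
```c
/* Parse a non-negative decimal directive argument no larger than `max`.
 * Returns NULL and stores the value in *out, or an error message for
 * the config parser built in cmd->pool. */
static const char *ssl_parse_nonneg(cmd_parms *cmd, const char *directive,
                                    const char *arg, long max, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < 0 || v > max) {
        return apr_psprintf(cmd->pool, "%s: invalid argument '%s'",
                            directive, arg);
    }
    *out = v;
    return NULL;
}

const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *cmd, void *dcfg,
                                                const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    long v;
    const char *err = ssl_parse_nonneg(cmd, "SSLStaplingResponderTimeout",
                                       arg, INT_MAX, &v);
    if (err) {
        return err;
    }
    sc->server->StaplingResponderTimeout = (int)v;
    return NULL;
}
/* ... unchanged: the other four numeric handlers follow the same pattern,
 *     with LONG_MAX as the bound for the two long fields ... */
```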
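--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -187,6 +187,36 @@
     SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
                "Force use of the default responder URL (`on', `off')")
 
+#ifdef HAVE_OCSP_STAPLING
+    /*
+     * OCSP Stapling options
+     */
+
+    SSL_CMD_SRV(UseStapling, FLAG,
+                "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
+    SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
+                "SSL stapling option for maximum time difference in OCSP responses")
+    SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
+                "SSL stapling option for OCSP responder timeout")
+    SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
+                "SSL stapling option for maximum age of OCSP responses")
+    SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
+                "SSL stapling option for normal OCSP Response Cache Lifetime")
+    SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
+                "SSL stapling switch to return Status Errors Back to Client"
+		"(`on', `off')")
+    SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
+                "SSL stapling switch to send tryLater response to client on error "
+		"(`on', `off')")
+    SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
+                "SSL stapling option for OCSP Response Error Cache Lifetime")
+    SSL_CMD_SRV(StaplingForceURL, TAKE1,
+                "SSL stapling option to Force the OCSP Stapling URL")
+#if 0
+    SSL_CMD_SRV(StaplingMutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
+#endif
+#endif
+
     /* Deprecated directives. */
     AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
       "SSLLog directive is no longer supported - use ErrorLog."),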
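--- a/modules/ssl/config.m4
+++ b/modules/ssl/config.m4
@@ -40,6 +40,7 @@
 ssl_expr_parse.lo dnl
 ssl_expr_scan.lo dnl
 ssl_scache.lo dnl
+ssl_stapling.lo dnl
 ssl_util.lo dnl
 ssl_util_ssl.lo dnl
 ssl_engine_ocsp.lo dnl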
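--- a/modules/ssl/mod_ssl.dsp
+++ b/modules/ssl/mod_ssl.dsp
@@ -210,6 +210,10 @@
 # End Source File
 # Begin Source File
 
+SOURCE=.\ssl_stapling.c
+# End Source File
+# Begin Source File
+
 SOURCE=.\ssl_util.c
 # End Source File
 # Begin Source File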
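--- a/modules/ssl/ssl_toolkit_compat.h
+++ b/modules/ssl/ssl_toolkit_compat.h
@@ -145,6 +145,13 @@
 
 #define HAVE_SSL_X509V3_EXT_d2i
 
+#if (OPENSSL_VERSION_NUMBER >= 0x00908080)
+#define HAVE_GET1_OCSP
+#ifndef OPENSSL_NO_TLSEXT
+#define HAVE_OCSP_STAPLING
+#endif
+#endif
+
 #ifndef PEM_F_DEF_CALLBACK
 #ifdef PEM_F_PEM_DEF_CALLBACK
 /** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */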
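Review bot: HAVE_OCSP_STAPLING at new line 151 is gated only on the OpenSSL version and OPENSSL_NO_TLSEXT, but an OpenSSL built with `no-ocsp` still satisfies both while lacking the OCSP_* API the stapling code presumably calls, so unless a guard outside this hunk already excludes that build the condition should read `#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)`. The bare `0x00908080` also deserves a comment naming the release it encodes, e.g. `#if (OPENSSL_VERSION_NUMBER >= 0x00908080) /* 0.9.8h */`, since two feature macros now hang on that cut-off and the next person to bump it should not have to decode the packed version format.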
