Attachment #23168 for bug #43822

View | Details | Raw Unified | Return to bug 43822
Collapse All | Expand All

Lines 388-393 Link Here

(-)modules/ssl/ssl_private.h (-1 / +46 lines)
388	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)	388	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
389	const char *szCryptoDevice;	389	const char *szCryptoDevice;
390	#endif	390	#endif
		391
		392	#ifdef HAVE_OCSP_STAPLING
		393	const ap_socache_provider_t *Staplingcache;
		394	ap_socache_instance_t *Staplingcache_context;
		395	ssl_mutexmode_t nStaplingMutexMode;
		396	apr_lockmech_e nStaplingMutexMech;
		397	const char *szStaplingMutexFile;
		398	apr_global_mutex_t *pStaplingMutex;
		399	#endif
		400
391	struct {	401	struct {
392	void pV1, pV2, pV3, pV4, pV5, pV6, pV7, pV8, pV9, pV10;	402	void pV1, pV2, pV3, pV4, pV5, pV6, pV7, pV8, pV9, pV10;
393	} rCtx;	403	} rCtx;
Lines 454-459 Link Here
454	const char *crl_file;	464	const char *crl_file;
455	X509_STORE *crl;	465	X509_STORE *crl;
456		466
		467	#ifdef HAVE_OCSP_STAPLING
		468	/** OCSP stapling options */
		469	BOOL useStapling;
		470	long StaplingResponseTimeSkew;
		471	long StaplingResponseMaxAge;
		472	int StaplingStandardCacheTimeout;
		473	BOOL StaplingReturnResponderErrors;
		474	BOOL StaplingFakeTryLater;
		475	int StaplingErrorCacheTimeout;
		476	apr_interval_time_t StaplingResponderTimeout;
		477	const char *StaplingForceURL;
		478	#endif
		479
457	modssl_auth_ctx_t auth;	480	modssl_auth_ctx_t auth;
458		481
459	BOOL ocsp_enabled; /* true if OCSP verification enabled */	482	BOOL ocsp_enabled; /* true if OCSP verification enabled */
Lines 603-608 Link Here
603	int ssl_proxy_enable(conn_rec *c);	626	int ssl_proxy_enable(conn_rec *c);
604	int ssl_engine_disable(conn_rec *c);	627	int ssl_engine_disable(conn_rec *c);
605		628
		629	/** OCSP Stapling Support */
		630	#ifdef HAVE_OCSP_STAPLING
		631	const char ssl_cmd_SSLStaplingMutex(cmd_parms , void , const char );
		632	const char ssl_cmd_SSLStaplingCache(cmd_parms , void , const char );
		633	const char ssl_cmd_SSLUseStapling(cmd_parms , void *, int);
		634	const char ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms , void , const char );
		635	const char ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms , void , const char );
		636	const char ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms , void , const char );
		637	const char ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms , void , const char );
		638	const char ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms , void *, int);
		639	const char ssl_cmd_SSLStaplingFakeTryLater(cmd_parms , void *, int);
		640	const char ssl_cmd_SSLStaplingResponderTimeout(cmd_parms , void , const char );
		641	const char ssl_cmd_SSLStaplingForceURL(cmd_parms , void , const char );
		642	void ssl_cmd_stapling_setup(server_rec , apr_pool_t , apr_pool_t , modssl_ctx_t );
		643	void ssl_stapling_ex_init(void);
		644	int ssl_stapling_init_cert(server_rec s, modssl_ctx_t mctx, X509 *x);
		645	#endif
		646
606	/** I/O */	647	/** I/O */
607	void ssl_io_filter_init(conn_rec , request_rec r, SSL *);	648	void ssl_io_filter_init(conn_rec , request_rec r, SSL *);
608	void ssl_io_filter_register(apr_pool_t *);	649	void ssl_io_filter_register(apr_pool_t *);
Lines 659-664 Link Here
659	int ssl_mutex_on(server_rec *);	700	int ssl_mutex_on(server_rec *);
660	int ssl_mutex_off(server_rec *);	701	int ssl_mutex_off(server_rec *);
661		702
		703	int ssl_stapling_mutex_init(server_rec , apr_pool_t );
		704	int ssl_stapling_mutex_reinit(server_rec , apr_pool_t );
		705
662	/** Logfile Support */	706	/** Logfile Support */
663	void ssl_die(void);	707	void ssl_die(void);
664	void ssl_log_ssl_error(const char , int, int, server_rec );	708	void ssl_log_ssl_error(const char , int, int, server_rec );
Lines 697-703 Link Here
697	* responder at the given URI. Returns the decoded OCSP response	741	* responder at the given URI. Returns the decoded OCSP response
698	* object, or NULL on error (in which case, errors will have been	742	* object, or NULL on error (in which case, errors will have been
699	* logged). Pool 'p' is used for temporary allocations. */	743	* logged). Pool 'p' is used for temporary allocations. */
700	OCSP_RESPONSE modssl_dispatch_ocsp_request(const apr_uri_t uri,	744	OCSP_RESPONSE modssl_dispatch_ocsp_request(const apr_uri_t uri,
		745	apr_interval_time_t timeout,
701	OCSP_REQUEST *request,	746	OCSP_REQUEST *request,
702	conn_rec c, apr_pool_t p);	747	conn_rec c, apr_pool_t p);
703	#endif	748	#endif




        return;
    }

#ifdef HAVE_OCSP_STAPLING
    if (mc->Staplingcache) {
        memset(&hints, 0, sizeof hints);
        hints.avg_obj_size = 1500;
        hints.avg_id_len = 20;
        hints.expiry_interval = 300;
    
        rv = mc->Staplingcache->init(mc->Staplingcache_context,
                                     "mod_ssl_stapling", &hints, s, p);
        if (rv) {
            /* ABORT ABORT etc. */
            ssl_die();
        }
    }
#endif

    /*
     * Warn the user that he should use the session cache.
     * But we can operate without it, of course.

        /* ABORT ABORT etc. */
        ssl_die();
    }

}

void ssl_scache_kill(server_rec *s)

    if (mc->sesscache) {
        mc->sesscache->destroy(mc->sesscache_context, s);
    }

#ifdef HAVE_OCSP_STAPLING
    if (mc->Staplingcache) {
        mc->Staplingcache->destroy(mc->Staplingcache_context, s);
    }
#endif

}

BOOL ssl_scache_store(server_rec *s, UCHAR *id, int idlen,

Lines 249-254 Link Here

(-)modules/ssl/ssl_engine_init.c (+30 lines)
249	if (!ssl_mutex_init(base_server, p)) {	249	if (!ssl_mutex_init(base_server, p)) {
250	return HTTP_INTERNAL_SERVER_ERROR;	250	return HTTP_INTERNAL_SERVER_ERROR;
251	}	251	}
		252	#ifdef HAVE_OCSP_STAPLING
		253	if (!ssl_stapling_mutex_init(base_server, p)) {
		254	return HTTP_INTERNAL_SERVER_ERROR;
		255	}
		256	#endif
252		257
253	/*	258	/*
254	* initialize session caching	259	* initialize session caching
Lines 288-293 Link Here
288		293
289	SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */	294	SSL_init_app_data2_idx(); /* for SSL_get_app_data2() at request time */
290		295
		296	#ifdef HAVE_OCSP_STAPLING
		297	ssl_stapling_ex_init();
		298	#endif
		299
291	return OK;	300	return OK;
292	}	301	}
293		302
Lines 382-387 Link Here
382	ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);	391	ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
383	ssl_die();	392	ssl_die();
384	}	393	}
		394
		395	#ifdef HAVE_OCSP_STAPLING
		396	/*
		397	* OCSP Stapling support, status_request extension
		398	*/
		399	if ((mctx->pkp == FALSE) && (mctx->useStapling == TRUE)) {
		400	ssl_cmd_stapling_setup(s, p, ptemp, mctx);
		401	}
		402	#endif
385	}	403	}
386	#endif	404	#endif
387		405
Lines 773-778 Link Here
773	ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);	791	ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
774	ssl_die();	792	ssl_die();
775	}	793	}
		794
		795	#ifdef HAVE_OCSP_STAPLING
		796	if ((mctx->pkp == FALSE) && (mctx->useStapling == TRUE)) {
		797	if (!ssl_stapling_init_cert(s, mctx, cert)) {
		798	ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
		799	"Unable to configure server certificate for stapling");
		800	}
		801	}
		802	#endif
776		803
777	mctx->pks->certs[idx] = cert;	804	mctx->pks->certs[idx] = cert;
778		805
Lines 1245-1250 Link Here
1245		1272
1246	/* open the mutex lockfile */	1273	/* open the mutex lockfile */
1247	ssl_mutex_reinit(s, p);	1274	ssl_mutex_reinit(s, p);
		1275	#ifdef HAVE_OCSP_STAPLING
		1276	ssl_stapling_mutex_reinit(s, p);
		1277	#endif
1248	}	1278	}
1249		1279
1250	#define MODSSL_CFG_ITEM_FREE(func, item) \	1280	#define MODSSL_CFG_ITEM_FREE(func, item) \

Lines 141-147 Link Here

(-)modules/ssl/ssl_engine_ocsp.c (-1 / +2 lines)
141		141
142	request = create_request(ctx, cert, &certID, s, pool);	142	request = create_request(ctx, cert, &certID, s, pool);
143	if (request) {	143	if (request) {
144	response = modssl_dispatch_ocsp_request(ruri, request, c, pool);	144	response = modssl_dispatch_ocsp_request(ruri, c->base_server->timeout,
		145	request, c, pool);
145	}	146	}
146		147
147	if (!request \|\| !response) {	148	if (!request \|\| !response) {

Lines 73-78 Link Here

(-)modules/ssl/ssl_engine_config.c (+209 lines)
73	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)	73	#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
74	mc->szCryptoDevice = NULL;	74	mc->szCryptoDevice = NULL;
75	#endif	75	#endif
		76	#ifdef HAVE_OCSP_STAPLING
		77	mc->Staplingcache = NULL;
		78	mc->nStaplingMutexMode = SSL_MUTEXMODE_UNSET;
		79	mc->nStaplingMutexMech = APR_LOCK_DEFAULT;
		80	mc->szStaplingMutexFile = NULL;
		81	mc->pStaplingMutex = NULL;
		82	#endif
76		83
77	memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));	84	memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
78		85
Lines 129-134 Link Here
129	mctx->ocsp_enabled = FALSE;	136	mctx->ocsp_enabled = FALSE;
130	mctx->ocsp_force_default = FALSE;	137	mctx->ocsp_force_default = FALSE;
131	mctx->ocsp_responder = NULL;	138	mctx->ocsp_responder = NULL;
		139
		140	#ifdef HAVE_OCSP_STAPLING
		141	mctx->useStapling = UNSET;
		142	mctx->StaplingResponseTimeSkew = UNSET;
		143	mctx->StaplingResponseMaxAge = UNSET;
		144	mctx->StaplingStandardCacheTimeout = UNSET;
		145	mctx->StaplingReturnResponderErrors = UNSET;
		146	mctx->StaplingFakeTryLater = UNSET;
		147	mctx->StaplingErrorCacheTimeout = UNSET;
		148	mctx->StaplingResponderTimeout = UNSET;
		149	mctx->StaplingForceURL = NULL;
		150	#endif
132	}	151	}
133		152
134	static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,	153	static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
Lines 222-227 Link Here
222	cfgMergeBool(ocsp_enabled);	241	cfgMergeBool(ocsp_enabled);
223	cfgMergeBool(ocsp_force_default);	242	cfgMergeBool(ocsp_force_default);
224	cfgMerge(ocsp_responder, NULL);	243	cfgMerge(ocsp_responder, NULL);
		244	#ifdef HAVE_OCSP_STAPLING
		245	cfgMergeBool(useStapling);
		246	cfgMergeInt(StaplingResponseTimeSkew);
		247	cfgMergeInt(StaplingResponseMaxAge);
		248	cfgMergeInt(StaplingStandardCacheTimeout);
		249	cfgMergeBool(StaplingReturnResponderErrors);
		250	cfgMergeBool(StaplingFakeTryLater);
		251	cfgMergeInt(StaplingErrorCacheTimeout);
		252	cfgMergeInt(StaplingResponderTimeout);
		253	cfgMerge(StaplingForceURL, NULL);
		254	#endif
225	}	255	}
226		256
227	static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,	257	static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base,
Lines 1425-1430 Link Here
1425	return NULL;	1455	return NULL;
1426	}	1456	}
1427		1457
		1458	#ifdef HAVE_OCSP_STAPLING
		1459
		1460	const char ssl_cmd_SSLStaplingCache(cmd_parms cmd,
		1461	void *dcfg,
		1462	const char *arg)
		1463	{
		1464	SSLModConfigRec *mc = myModConfig(cmd->server);
		1465	const char err, sep;
		1466
		1467	if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
		1468	return err;
		1469	}
		1470
		1471	if ((sep = ap_strchr_c(arg, ':')) != NULL) {
		1472	char *name = apr_pstrmemdup(cmd->pool, arg, sep - arg);
		1473
		1474	/* Find the provider of given name. */
		1475	mc->Staplingcache = ap_lookup_provider(AP_SOCACHE_PROVIDER_GROUP,
		1476	name,
		1477	AP_SOCACHE_PROVIDER_VERSION);
		1478	if (mc->Staplingcache) {
		1479	/* Cache found; create it, passing anything beyond the colon. */
		1480	err = mc->Staplingcache->create(&mc->Staplingcache_context,
		1481	sep + 1, cmd->temp_pool, cmd->pool);
		1482	}
		1483	else {
		1484	apr_array_header_t *name_list;
		1485	const char *all_names;
		1486
		1487	/* Build a comma-separated list of all registered provider
		1488	* names: */
		1489	name_list = ap_list_provider_names(cmd->pool,
		1490	AP_SOCACHE_PROVIDER_GROUP,
		1491	AP_SOCACHE_PROVIDER_VERSION);
		1492	all_names = apr_array_pstrcat(cmd->pool, name_list, ',');
		1493
		1494	err = apr_psprintf(cmd->pool, "'%s' stapling cache not supported "
		1495	"(known names: %s)", name, all_names);
		1496	}
		1497	}
		1498	else {
		1499	err = apr_psprintf(cmd->pool, "'%s' stapling cache not supported or missing argument",
		1500	arg);
		1501	}
		1502
		1503	if (err) {
		1504	return apr_psprintf(cmd->pool, "SSLStaplingCache: %s", err);
		1505	}
		1506
		1507	return NULL;
		1508	}
		1509
		1510	const char ssl_cmd_SSLStaplingMutex(cmd_parms cmd,
		1511	void *dcfg,
		1512	const char *arg_)
		1513	{
		1514	apr_status_t rv;
		1515	const char *err;
		1516	SSLModConfigRec *mc = myModConfig(cmd->server);
		1517
		1518	if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
		1519	return err;
		1520	}
		1521
1522	if (ssl_config_global_isfixed(mc)) {
1523	return NULL;
1524	}
1525
1526	rv = ap_parse_mutex(arg_, cmd->server->process->pool,
1527	&mc->nStaplingMutexMech, &mc->szStaplingMutexFile);
1528
1529	if (rv == APR_ENOLOCK) {
1530	mc->nStaplingMutexMode = SSL_MUTEXMODE_NONE;
1531	return NULL;
1532	} else if (rv == APR_ENOTIMPL) {
1533	return apr_pstrcat(cmd->pool, "Invalid SSLStaplingMutex argument ",
1534	arg_,
1535	" (" AP_ALL_AVAILABLE_MUTEXES_STRING ")", NULL);
1536	} else if (rv == APR_BADARG) {
1537	return apr_pstrcat(cmd->pool, "Invalid SSLStaplingMutex filepath ",
1538	arg_, NULL);
1539	}
1540
1541	mc->nStaplingMutexMode = SSL_MUTEXMODE_USED;
1542
1543	return NULL;
1544	}
1545
1546	const char ssl_cmd_SSLUseStapling(cmd_parms cmd, void *dcfg, int flag)
1547	{
1548	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1549	sc->server->useStapling = flag ? TRUE : FALSE;
1550	return NULL;
1551	}
1552
1553	const char ssl_cmd_SSLStaplingResponseTimeSkew(cmd_parms cmd, void *dcfg,
1554	const char *arg)
1555	{
1556	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1557	sc->server->StaplingResponseTimeSkew = atoi(arg);
1558	if (sc->server->StaplingResponseTimeSkew < 0) {
1559	return "SSLStaplingResponseTimeSkew: invalid argument";
1560	}
1561	return NULL;
1562	}
1563
1564	const char ssl_cmd_SSLStaplingResponseMaxAge(cmd_parms cmd, void *dcfg,
1565	const char *arg)
1566	{
1567	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1568	sc->server->StaplingResponseMaxAge = atoi(arg);
1569	if (sc->server->StaplingResponseMaxAge < 0) {
1570	return "SSLStaplingResponseMaxAge: invalid argument";
1571	}
1572	return NULL;
1573	}
1574
1575	const char ssl_cmd_SSLStaplingStandardCacheTimeout(cmd_parms cmd, void *dcfg,
1576	const char *arg)
1577	{
1578	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1579	sc->server->StaplingStandardCacheTimeout = atoi(arg);
1580	if (sc->server->StaplingStandardCacheTimeout < 0) {
1581	return "SSLStaplingStandardCacheTimeout: invalid argument";
1582	}
1583	return NULL;
1584	}
1585
1586	const char ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms cmd, void *dcfg,
1587	const char *arg)
1588	{
1589	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1590	sc->server->StaplingErrorCacheTimeout = atoi(arg);
1591	if (sc->server->StaplingErrorCacheTimeout < 0) {
1592	return "SSLStaplingErrorCacheTimeout: invalid argument";
1593	}
1594	return NULL;
1595	}
1596
1597	const char ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms cmd,
1598	void *dcfg, int flag)
1599	{
1600	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1601	sc->server->StaplingReturnResponderErrors = flag ? TRUE : FALSE;
1602	return NULL;
1603	}
1604
1605	const char ssl_cmd_SSLStaplingFakeTryLater(cmd_parms cmd,
1606	void *dcfg, int flag)
1607	{
1608	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1609	sc->server->StaplingFakeTryLater = flag ? TRUE : FALSE;
1610	return NULL;
1611	}
1612
1613	const char ssl_cmd_SSLStaplingResponderTimeout(cmd_parms cmd, void *dcfg,
1614	const char *arg)
1615	{
1616	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1617	sc->server->StaplingResponderTimeout = atoi(arg);
1618	sc->server->StaplingResponderTimeout *= APR_USEC_PER_SEC;
1619	if (sc->server->StaplingResponderTimeout < 0) {
1620	return "SSLStaplingResponderTimeout: invalid argument";
1621	}
1622	return NULL;
1623	}
1624
1625	const char ssl_cmd_SSLStaplingForceURL(cmd_parms cmd, void *dcfg,
1626	const char *arg)
1627	{
1628	SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1629	sc->server->StaplingForceURL = arg;
1630	return NULL;
1631	}
1632
1633	#endif
1634
1635
1636
1428	void ssl_hook_ConfigTest(apr_pool_t pconf, server_rec s)	1637	void ssl_hook_ConfigTest(apr_pool_t pconf, server_rec s)
1429	{	1638	{
1430	if (!ap_exists_config_define("DUMP_CERTS")) {	1639	if (!ap_exists_config_define("DUMP_CERTS")) {




 * responder at given server given by URI.  Returns socket object or
 * NULL on error. */
static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, 
                                  apr_interval_time_t timeout,
                                  conn_rec *c, apr_pool_t *p)
{
    apr_status_t rv;

    for (; sa; sa = sa->next) {
        rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
        if (rv == APR_SUCCESS) {
            apr_socket_timeout_set(sd, timeout);
            apr_socket_timeout_set(sd, c->base_server->timeout);

            rv = apr_socket_connect(sd, sa);
            if (rv == APR_SUCCESS) {

    return response;
}

OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri,
                                            apr_interval_time_t timeout,
                                            OCSP_REQUEST *request,
                                            conn_rec *c, apr_pool_t *p) 
{

                      "could not serialize OCSP request");
        return NULL;
    }

    sd = send_request(bio, uri, timeout, c, p);
    if (sd == NULL) {
        /* Errors already logged. */
        BIO_free(bio);




#define SSL_SESSION_ID_STRING_LEN \
    ((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)


/**
 * Maxiumum OCSP stapling response size. This should be the response for a
 * single certificate and will typically include the responder certificate chain
 * so 10K should be more than enough.
 *
 */

#define MAX_STAPLING_DER 10240

/**  
 *  Additional Functions
 */




    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
               "Force use of the default responder URL (`on', `off')")

#ifdef HAVE_OCSP_STAPLING
    /*
     * OCSP Stapling options
     */
    SSL_CMD_SRV(StaplingMutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
    SSL_CMD_SRV(StaplingCache, TAKE1,
                "SSL Stapling Response Cache storage "
                "(`dbm:/path/to/file')")
    SSL_CMD_SRV(UseStapling, FLAG,
                "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
    SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
                "SSL stapling option for maximum time difference in OCSP responses")
    SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
                "SSL stapling option for OCSP responder timeout")
    SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
                "SSL stapling option for maximum age of OCSP responses")
    SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
                "SSL stapling option for normal OCSP Response Cache Lifetime")
    SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
                "SSL stapling switch to return Status Errors Back to Client"
		"(`on', `off')")
    SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
                "SSL stapling switch to send tryLater response to client on error "
		"(`on', `off')")
    SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
                "SSL stapling option for OCSP Response Error Cache Lifetime")
    SSL_CMD_SRV(StaplingForceURL, TAKE1,
                "SSL stapling option to Force the OCSP Stapling URL")
#endif

    /* Deprecated directives. */
    AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
      "SSLLog directive is no longer supported - use ErrorLog."),

Lines 40-45 Link Here

(-)modules/ssl/config.m4 (+1 lines)
40	ssl_expr_parse.lo dnl	40	ssl_expr_parse.lo dnl
41	ssl_expr_scan.lo dnl	41	ssl_expr_scan.lo dnl
42	ssl_scache.lo dnl	42	ssl_scache.lo dnl
		43	ssl_stapling.lo dnl
43	ssl_util.lo dnl	44	ssl_util.lo dnl
44	ssl_util_ssl.lo dnl	45	ssl_util_ssl.lo dnl
45	ssl_engine_ocsp.lo dnl	46	ssl_engine_ocsp.lo dnl

Lines 210-215 Link Here

(-)modules/ssl/mod_ssl.dsp (+4 lines)
210	# End Source File	210	# End Source File
211	# Begin Source File	211	# Begin Source File
212		212
		213	SOURCE=.\ssl_stapling.c
		214	# End Source File
		215	# Begin Source File
		216
213	SOURCE=.\ssl_util.c	217	SOURCE=.\ssl_util.c
214	# End Source File	218	# End Source File
215	# Begin Source File	219	# Begin Source File

Lines 145-150 Link Here

(-)modules/ssl/ssl_toolkit_compat.h (+6 lines)
145		145
146	#define HAVE_SSL_X509V3_EXT_d2i	146	#define HAVE_SSL_X509V3_EXT_d2i
147		147
		148	#if (OPENSSL_VERSION_NUMBER >= 0x00908080)
		149	#ifndef OPENSSL_NO_TLSEXT
		150	#define HAVE_OCSP_STAPLING
		151	#endif
		152	#endif
		153
148	#ifndef PEM_F_DEF_CALLBACK	154	#ifndef PEM_F_DEF_CALLBACK
149	#ifdef PEM_F_PEM_DEF_CALLBACK	155	#ifdef PEM_F_PEM_DEF_CALLBACK
150	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */	156	/** In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */

Return to bug 43822

Lines 57-62 Link Here

(-)modules/ssl/ssl_scache.c (+24 lines)
57	return;	57	return;
58	}	58	}
59		59
		60	#ifdef HAVE_OCSP_STAPLING
		61	if (mc->Staplingcache) {
		62	memset(&hints, 0, sizeof hints);
		63	hints.avg_obj_size = 1500;
		64	hints.avg_id_len = 20;
		65	hints.expiry_interval = 300;
		66
		67	rv = mc->Staplingcache->init(mc->Staplingcache_context,
		68	"mod_ssl_stapling", &hints, s, p);
		69	if (rv) {
		70	/* ABORT ABORT etc. */
		71	ssl_die();
		72	}
		73	}
		74	#endif
		75
60	/*	76	/*
61	* Warn the user that he should use the session cache.	77	* Warn the user that he should use the session cache.
62	* But we can operate without it, of course.	78	* But we can operate without it, of course.
Lines 78-83 Link Here
78	/* ABORT ABORT etc. */	94	/* ABORT ABORT etc. */
79	ssl_die();	95	ssl_die();
80	}	96	}
		97
81	}	98	}
82		99
83	void ssl_scache_kill(server_rec *s)	100	void ssl_scache_kill(server_rec *s)
Lines 87-92 Link Here
87	if (mc->sesscache) {	104	if (mc->sesscache) {
88	mc->sesscache->destroy(mc->sesscache_context, s);	105	mc->sesscache->destroy(mc->sesscache_context, s);
89	}	106	}
		107
		108	#ifdef HAVE_OCSP_STAPLING
		109	if (mc->Staplingcache) {
		110	mc->Staplingcache->destroy(mc->Staplingcache_context, s);
		111	}
		112	#endif
		113
90	}	114	}
91		115
92	BOOL ssl_scache_store(server_rec s, UCHAR id, int idlen,	116	BOOL ssl_scache_store(server_rec s, UCHAR id, int idlen,

Lines 57-62 Link Here

(-)modules/ssl/ssl_util_ocsp.c (-5 / +6 lines)
57	* responder at given server given by URI. Returns socket object or	57	* responder at given server given by URI. Returns socket object or
58	* NULL on error. */	58	* NULL on error. */
59	static apr_socket_t send_request(BIO request, const apr_uri_t *uri,	59	static apr_socket_t send_request(BIO request, const apr_uri_t *uri,
		60	apr_interval_time_t timeout,
60	conn_rec c, apr_pool_t p)	61	conn_rec c, apr_pool_t p)
61	{	62	{
62	apr_status_t rv;	63	apr_status_t rv;
Lines 81-88 Link Here
81	for (; sa; sa = sa->next) {	82	for (; sa; sa = sa->next) {
82	rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);	83	rv = apr_socket_create(&sd, sa->family, SOCK_STREAM, APR_PROTO_TCP, p);
83	if (rv == APR_SUCCESS) {	84	if (rv == APR_SUCCESS) {
84	/* Inherit the default I/O timeout. */	85	apr_socket_timeout_set(sd, timeout);
85	apr_socket_timeout_set(sd, c->base_server->timeout);
86		86
87	rv = apr_socket_connect(sd, sa);	87	rv = apr_socket_connect(sd, sa);
88	if (rv == APR_SUCCESS) {	88	if (rv == APR_SUCCESS) {
Lines 270-276 Link Here
270	return response;	270	return response;
271	}	271	}
272		272
273	OCSP_RESPONSE modssl_dispatch_ocsp_request(const apr_uri_t uri,	273	OCSP_RESPONSE modssl_dispatch_ocsp_request(const apr_uri_t uri,
		274	apr_interval_time_t timeout,
274	OCSP_REQUEST *request,	275	OCSP_REQUEST *request,
275	conn_rec c, apr_pool_t p)	276	conn_rec c, apr_pool_t p)
276	{	277	{
Lines 285-292 Link Here
285	"could not serialize OCSP request");	286	"could not serialize OCSP request");
286	return NULL;	287	return NULL;
287	}	288	}
288		289
289	sd = send_request(bio, uri, c, p);	290	sd = send_request(bio, uri, timeout, c, p);
290	if (sd == NULL) {	291	if (sd == NULL) {
291	/* Errors already logged. */	292	/* Errors already logged. */
292	BIO_free(bio);	293	BIO_free(bio);

Lines 71-76 Link Here

(-)modules/ssl/ssl_util_ssl.h (+10 lines)
71	#define SSL_SESSION_ID_STRING_LEN \	71	#define SSL_SESSION_ID_STRING_LEN \
72	((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)	72	((SSL_MAX_SSL_SESSION_ID_LENGTH + 1) * 2)
73		73
		74
		75	/**
		76	* Maxiumum OCSP stapling response size. This should be the response for a
		77	* single certificate and will typically include the responder certificate chain
		78	* so 10K should be more than enough.
		79	*
		80	*/
		81
		82	#define MAX_STAPLING_DER 10240
		83
74	/**	84	/**
75	* Additional Functions	85	* Additional Functions
76	*/	86	*/

Lines 191-196 Link Here

(-)modules/ssl/mod_ssl.c (+30 lines)
191	SSL_CMD_SRV(OCSPOverrideResponder, FLAG,	191	SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
192	"Force use of the default responder URL (`on', `off')")	192	"Force use of the default responder URL (`on', `off')")
193		193
		194	#ifdef HAVE_OCSP_STAPLING
		195	/*
		196	* OCSP Stapling options
		197	*/
		198	SSL_CMD_SRV(StaplingMutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
		199	SSL_CMD_SRV(StaplingCache, TAKE1,
		200	"SSL Stapling Response Cache storage "
		201	"(`dbm:/path/to/file')")
		202	SSL_CMD_SRV(UseStapling, FLAG,
		203	"SSL switch for the OCSP Stapling protocol " "(`on', `off')")
		204	SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
		205	"SSL stapling option for maximum time difference in OCSP responses")
		206	SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
		207	"SSL stapling option for OCSP responder timeout")
		208	SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
		209	"SSL stapling option for maximum age of OCSP responses")
		210	SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
		211	"SSL stapling option for normal OCSP Response Cache Lifetime")
		212	SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
		213	"SSL stapling switch to return Status Errors Back to Client"
		214	"(`on', `off')")
		215	SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
		216	"SSL stapling switch to send tryLater response to client on error "
		217	"(`on', `off')")
		218	SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
		219	"SSL stapling option for OCSP Response Error Cache Lifetime")
		220	SSL_CMD_SRV(StaplingForceURL, TAKE1,
		221	"SSL stapling option to Force the OCSP Stapling URL")
		222	#endif
		223
194	/* Deprecated directives. */	224	/* Deprecated directives. */
195	AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,	225	AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
196	"SSLLog directive is no longer supported - use ErrorLog."),	226	"SSLLog directive is no longer supported - use ErrorLog."),