
(-)a/modules/ssl/mod_ssl.c (-2 / +2 lines)
Lines 237-244 static const command_rec ssl_config_cmds[] = { Link Here
237
                "request body if a per-location SSL renegotiation is required due to "
237
                "request body if a per-location SSL renegotiation is required due to "
238
                "changed access control requirements")
238
                "changed access control requirements")
239
239
240
    SSL_CMD_SRV(OCSPEnable, FLAG,
240
    SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
241
               "Enable use of OCSP to verify certificate revocation ('on', 'off')")
241
               "Enable use of OCSP to verify certificate revocation mode")
242
    SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
242
    SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
243
               "URL of the default OCSP Responder")
243
               "URL of the default OCSP Responder")
244
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
244
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
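Review bot: The replacement help string on line 241, `"Enable use of OCSP to verify certificate revocation mode"`, no longer tells an administrator which words the directive accepts, whereas the old text at least listed 'on' and 'off'. Now that OCSPEnable is RAW_ARGS and the parser in ssl_engine_config.c reads a mode word followed by optional flags, the description should name them, e.g. `"Enable use of OCSP to verify certificate revocation ('off'|'leaf'|'on'|'chain' [no_ocsp_for_cert_ok])"`. The `ssl_config_cmds[]` table begins and ends outside this section.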
(-)a/modules/ssl/ssl_engine_config.c (-6 / +41 lines)
Lines 137-143 static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) Link Here
137
    mctx->auth.verify_depth   = UNSET;
137
    mctx->auth.verify_depth   = UNSET;
138
    mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
138
    mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;
139
139
140
    mctx->ocsp_enabled        = FALSE;
140
    mctx->ocsp_mask           = UNSET;
141
    mctx->ocsp_force_default  = FALSE;
141
    mctx->ocsp_force_default  = FALSE;
142
    mctx->ocsp_responder      = NULL;
142
    mctx->ocsp_responder      = NULL;
143
    mctx->ocsp_resptime_skew  = UNSET;
143
    mctx->ocsp_resptime_skew  = UNSET;
Lines 297-303 static void modssl_ctx_cfg_merge(apr_pool_t *p, Link Here
297
    cfgMergeInt(auth.verify_depth);
297
    cfgMergeInt(auth.verify_depth);
298
    cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
298
    cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
299
299
300
    cfgMergeBool(ocsp_enabled);
300
    cfgMergeInt(ocsp_mask);
301
    cfgMergeBool(ocsp_force_default);
301
    cfgMergeBool(ocsp_force_default);
302
    cfgMerge(ocsp_responder, NULL);
302
    cfgMerge(ocsp_responder, NULL);
303
    cfgMergeInt(ocsp_resptime_skew);
303
    cfgMergeInt(ocsp_resptime_skew);
Lines 1638-1648 const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg, Link Here
1638
    return NULL;
1638
    return NULL;
1639
}
1639
}
1640
1640
1641
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
1641
static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
1642
                                           const char *arg,
1643
                                           int *mask)
1642
{
1644
{
1643
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1645
    const char *w;
1644
1646
1645
    sc->server->ocsp_enabled = flag ? TRUE : FALSE;
1647
    w = ap_getword_conf(parms->temp_pool, &arg);
1648
    if (strcEQ(w, "none") || strcEQ(w, "off")) {
1649
        *mask = SSL_OCSPCHECK_NONE;
1650
    }
1651
    else if (strcEQ(w, "leaf")) {
1652
        *mask = SSL_OCSPCHECK_LEAF;
1653
    }
1654
    else if (strcEQ(w, "chain") || strcEQ(w, "on")) {
1655
        *mask = SSL_OCSPCHECK_CHAIN;
1656
    }
1657
    else {
1658
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1659
                           ": Invalid argument '", w, "'",
1660
                           NULL);
1661
    }
1662
1663
    while (*arg) {
1664
        w = ap_getword_conf(parms->temp_pool, &arg);
1665
        if (strcEQ(w, "no_ocsp_for_cert_ok")) {
1666
            *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
1667
        }
1668
        else {
1669
            return apr_pstrcat(parms->temp_pool, parms->cmd->name,
1670
                               ": Invalid argument '", w, "'",
1671
                               NULL);
1672
        }
1673
    }
1674
1675
    return NULL;
1676
}
1677
1678
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
1679
{
1680
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
1646
1681
1647
#ifdef OPENSSL_NO_OCSP
1682
#ifdef OPENSSL_NO_OCSP
1648
    if (flag) {
1683
    if (flag) {
Lines 1651-1657 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag) Link Here
1651
    }
1686
    }
1652
#endif
1687
#endif
1653
1688
1654
    return NULL;
1689
    return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
1655
}
1690
}
1656
1691
1657
const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
1692
const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
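Review bot: `ssl_cmd_SSLOCSPEnable` still tests `if (flag)` inside the `#ifdef OPENSSL_NO_OCSP` block at new line 1683, but the rewritten signature at line 1678 replaced `int flag` with `const char *arg`, so a build against an OpenSSL without OCSP support no longer compiles. The guard should be expressed in terms of the parsed mask: parse first, then refuse any mode other than `SSL_OCSPCHECK_NONE` when OCSP is compiled out, so that 'off' stays accepted on such builds as it was before. The body of that `#ifdef` block (the error string it returns) lies outside the hunk, so it is only sketched below. Separately, `ssl_cmd_ocspcheck_parse` accepts `no_ocsp_for_cert_ok` together with 'off'/'none', where it has no effect; rejecting or at least documenting that combination would avoid a misleading configuration.
```c
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err = ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);

    if (err) {
        return err;
    }

#ifdef OPENSSL_NO_OCSP
    /* Only 'off' is acceptable when the library has no OCSP support. */
    if (sc->server->ocsp_mask != SSL_OCSPCHECK_NONE) {
        /* … unchanged: error return from the original #ifdef block … */
    }
#endif

    return NULL;
}
```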
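--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -868,6 +868,10 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
     char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
     int crl_check_mode;
 
+    if (mctx->ocsp_mask == UNSET) {
+        mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
+    }
+
     if (mctx->crl_check_mask == UNSET) {
         mctx->crl_check_mask = SSL_CRLCHECK_NONE;
     }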
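Review bot: The UNSET-to-NONE normalisation of `ocsp_mask` added at lines 871-873 sits in `ssl_init_ctx_crl`, a function whose name says CRL, and carries no comment, so a reader looking for where the OCSP default is decided will not expect to find it here. A one-line comment, `/* SSLOCSPEnable not given: OCSP checking off (mirrors the CRL default below) */`, would make the placement deliberate. The verify callback in ssl_engine_kernel.c tests bits of this mask directly, so every context that reaches that callback must pass through this normalisation; the rest of `ssl_init_ctx_crl` and its call sites are outside the hunk.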
(-)a/modules/ssl/ssl_engine_kernel.c (-2 / +3 lines)
Lines 1569-1575 int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) Link Here
1569
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
1569
    int errdepth = X509_STORE_CTX_get_error_depth(ctx);
1570
    int depth, verify;
1570
    int depth, verify;
1571
1571
1572
1573
    /*
1572
    /*
1574
     * Log verification information
1573
     * Log verification information
1575
     */
1574
     */
Lines 1643-1649 int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) Link Here
1643
    /*
1642
    /*
1644
     * Perform OCSP-based revocation checks
1643
     * Perform OCSP-based revocation checks
1645
     */
1644
     */
1646
    if (ok && sc->server->ocsp_enabled) {
1645
    if (ok && 
1646
            ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
1647
             (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
1647
        /* If there was an optional verification error, it's not
1648
        /* If there was an optional verification error, it's not
1648
         * possible to perform OCSP validation since the issuer may be
1649
         * possible to perform OCSP validation since the issuer may be
1649
         * missing/untrusted.  Fail in that case. */
1650
         * missing/untrusted.  Fail in that case. */
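Review bot: The new condition at lines 1645-1647 tests `sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN` and `& SSL_OCSPCHECK_LEAF` directly, so it relies on the mask having been normalised away from UNSET before the first handshake; if UNSET is a negative sentinel, as the `== UNSET` comparison in ssl_engine_init.c suggests, an un-normalised mask has every bit set and would enable OCSP checking for every chain certificate on a server that never set SSLOCSPEnable. A comment stating the dependency and the depth semantics, `/* ocsp_mask is normalised in ssl_init_ctx_crl; 'chain' checks every depth, 'leaf' only depth 0 */`, would help the next reader, and `if (ok && ` on line 1645 carries trailing whitespace. `ssl_callback_SSLVerify` begins and ends outside the hunk.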
(-)a/modules/ssl/ssl_engine_ocsp.c (-1 / +8 lines)
Lines 139-145 static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c, Link Here
139
139
140
    ruri = determine_responder_uri(sc, cert, c, pool);
140
    ruri = determine_responder_uri(sc, cert, c, pool);
141
    if (!ruri) {
141
    if (!ruri) {
142
        return V_OCSP_CERTSTATUS_UNKNOWN;
142
        if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) {
143
            ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, 
144
                          "Skipping OCSP check for certificate cos no OCSP URL"
145
                          " found and no_ocsp_for_cert_ok is set");
146
            return V_OCSP_CERTSTATUS_GOOD;
147
        } else {
148
            return V_OCSP_CERTSTATUS_UNKNOWN;
149
        }
143
    }
150
    }
144
151
145
    request = create_request(ctx, cert, &certID, s, pool, sc);
152
    request = create_request(ctx, cert, &certID, s, pool, sc);
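Review bot: The new branch at lines 142-146 is a fail-open decision — when `determine_responder_uri` returns NULL the certificate is reported as `V_OCSP_CERTSTATUS_GOOD` without any revocation check — yet it is logged only at APLOG_TRACE2, so at the default LogLevel an operator has no record of which certificates were accepted unchecked. Logging at APLOG_DEBUG (with an APLOGNO tag if the module's convention requires one at that level) would make the relaxation auditable, and the message has a typo, 'cos' for 'because': `"Skipping OCSP check for certificate because no OCSP URL"`. `verify_ocsp_status` begins and ends outside the hunk.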
(-)a/modules/ssl/ssl_private.h (-2 / +12 lines)
Lines 413-418 typedef enum { Link Here
413
    SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
413
    SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
414
} ssl_crlcheck_t;
414
} ssl_crlcheck_t;
415
415
416
/**
417
  * OCSP checking mask (mode | flags)
418
  */
419
typedef enum {
420
    SSL_OCSPCHECK_NONE  = (0),
421
    SSL_OCSPCHECK_LEAF  = (1 << 0),
422
    SSL_OCSPCHECK_CHAIN = (1 << 1),
423
    SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
424
} ssl_ocspcheck_t;
425
416
/**
426
/**
417
 * Define the SSL pass phrase dialog types
427
 * Define the SSL pass phrase dialog types
418
 */
428
 */
Lines 691-697 typedef struct { Link Here
691
701
692
    modssl_auth_ctx_t auth;
702
    modssl_auth_ctx_t auth;
693
703
694
    BOOL ocsp_enabled; /* true if OCSP verification enabled */
704
    int ocsp_mask;
695
    BOOL ocsp_force_default; /* true if the default responder URL is
705
    BOOL ocsp_force_default; /* true if the default responder URL is
696
                              * used regardless of per-cert URL */
706
                              * used regardless of per-cert URL */
697
    const char *ocsp_responder; /* default responder URL */
707
    const char *ocsp_responder; /* default responder URL */
Lines 831-837 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const ch Link Here
831
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
841
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
832
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
842
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
833
const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
843
const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
834
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
844
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
835
const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
845
const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
836
846
837
/* Declare OCSP Responder Certificate Verification Directive */
847
/* Declare OCSP Responder Certificate Verification Directive */
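Review bot: The new `int ocsp_mask;` member at line 704 is the only field in view without a trailing comment, unlike `ocsp_force_default` right beside it, and the `ssl_ocspcheck_t` enum at lines 419-424 does not say that NONE, LEAF and CHAIN are alternative modes while NO_OCSP_FOR_CERT_OK is a flag OR-ed on top, nor that CHAIN does not include the LEAF bit (the depth test in ssl_engine_kernel.c is what makes 'chain' cover the leaf). Suggested: `int ocsp_mask; /* SSL_OCSPCHECK_* mode plus flags; UNSET until merged and normalised */`, and one sentence in the enum comment distinguishing the mode values from the flag. The enclosing `typedef struct` begins before the hunk.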
