ASF Bugzilla – Attachment 35733 Details for
Bug 62112
Make OCSP more configurable (like CRL)
diff file for my differences
ocsp-configurations.diff (text/plain), 7.25 KB, created by
Ricardo Martin Camarero
on 2018-02-17 15:44:03 UTC
Description:
diff file for my differences
Filename:
MIME Type:
Creator:
Ricardo Martin Camarero
Created:
2018-02-17 15:44:03 UTC
Size:
7.25 KB
patch
obsolete
>diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
>index a23f2f5..d7e71c4 100644
>--- a/modules/ssl/mod_ssl.c
>+++ b/modules/ssl/mod_ssl.c
>@@ -237,8 +237,8 @@ static const command_rec ssl_config_cmds[] = {
> "request body if a per-location SSL renegotiation is required due to "
> "changed access control requirements")
> 
>- SSL_CMD_SRV(OCSPEnable, FLAG,
>- "Enable use of OCSP to verify certificate revocation ('on', 'off')")
>+ SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
>+ "Enable use of OCSP to verify certificate revocation mode")
> SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
> "URL of the default OCSP Responder")
> SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
>diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
>index 6750b98..f379b52 100644
>--- a/modules/ssl/ssl_engine_config.c
>+++ b/modules/ssl/ssl_engine_config.c
>@@ -137,7 +137,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
> mctx->auth.verify_depth = UNSET;
> mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
> 
>- mctx->ocsp_enabled = FALSE;
>+ mctx->ocsp_mask = UNSET;
> mctx->ocsp_force_default = FALSE;
> mctx->ocsp_responder = NULL;
> mctx->ocsp_resptime_skew = UNSET;
>@@ -297,7 +297,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
> cfgMergeInt(auth.verify_depth);
> cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
> 
>- cfgMergeBool(ocsp_enabled);
>+ cfgMergeInt(ocsp_mask);
> cfgMergeBool(ocsp_force_default);
> cfgMerge(ocsp_responder, NULL);
> cfgMergeInt(ocsp_resptime_skew);
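Review bot: The new help string in the mod_ssl.c hunk, `"Enable use of OCSP to verify certificate revocation mode"`, no longer tells an administrator which values the directive takes, although the parser added in ssl_engine_config.c accepts `none`/`off`, `leaf`, `chain`/`on` and the trailing `no_ocsp_for_cert_ok` flag. Since this string is what `httpd -L` prints, it should list them, e.g. `"OCSP revocation checking mode ('none', 'leaf', 'chain') optionally followed by 'no_ocsp_for_cert_ok'"`. The two ssl_engine_config.c hunks (UNSET default and cfgMergeInt) look consistent with how crl_check_mask is handled elsewhere, as far as the visible lines show.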
>@@ -1638,11 +1638,46 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,
> return NULL;
> }
> 
>-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
>+static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
>+ const char *arg,
>+ int *mask)
> {
>- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>+ const char *w;
> 
>- sc->server->ocsp_enabled = flag ? TRUE : FALSE;
>+ w = ap_getword_conf(parms->temp_pool, &arg);
>+ if (strcEQ(w, "none") || strcEQ(w, "off")) {
>+ *mask = SSL_OCSPCHECK_NONE;
>+ }
>+ else if (strcEQ(w, "leaf")) {
>+ *mask = SSL_OCSPCHECK_LEAF;
>+ }
>+ else if (strcEQ(w, "chain") || strcEQ(w, "on")) {
>+ *mask = SSL_OCSPCHECK_CHAIN;
>+ }
>+ else {
>+ return apr_pstrcat(parms->temp_pool, parms->cmd->name,
>+ ": Invalid argument '", w, "'",
>+ NULL);
>+ }
>+
>+ while (*arg) {
>+ w = ap_getword_conf(parms->temp_pool, &arg);
>+ if (strcEQ(w, "no_ocsp_for_cert_ok")) {
>+ *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
>+ }
>+ else {
>+ return apr_pstrcat(parms->temp_pool, parms->cmd->name,
>+ ": Invalid argument '", w, "'",
>+ NULL);
>+ }
>+ }
>+
>+ return NULL;
>+}
>+
>+const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
>+{
>+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
> 
> #ifdef OPENSSL_NO_OCSP
> if (flag) {
>@@ -1651,7 +1686,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
> }
> #endif
> 
>- return NULL;
>+ return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
> }
> 
> const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
>diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
>index e5dee0f..baebd0e 100644
>--- a/modules/ssl/ssl_engine_init.c
>+++ b/modules/ssl/ssl_engine_init.c
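Review bot: The rewritten ssl_cmd_SSLOCSPEnable still evaluates `if (flag) {` inside the `#ifdef OPENSSL_NO_OCSP` block (visible as context at the end of the first hunk), but its parameter is now `const char *arg`, so a build without OCSP support fails to compile and the "OCSP requested but unavailable" guard is effectively dead for the new syntax. The parse should happen first into a local mask, the OPENSSL_NO_OCSP check should test that mask rather than `flag`, and the server config should only be written afterwards; that also means a rejected trailing word no longer leaves a half-written `sc->server->ocsp_mask`, since ssl_cmd_ocspcheck_parse writes `*mask` before validating the remaining words. The body of the `#ifdef` block lies outside the hunk, so only its condition is shown below.
```c
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    int mask = SSL_OCSPCHECK_NONE;
    const char *err = ssl_cmd_ocspcheck_parse(cmd, arg, &mask);

    if (err) {
        return err;
    }

#ifdef OPENSSL_NO_OCSP
    if (mask != SSL_OCSPCHECK_NONE) {
        /* … unchanged: existing error return for builds without OCSP … */
    }
#endif

    sc->server->ocsp_mask = mask;
    return NULL;
}
```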
>@@ -868,6 +868,10 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
> char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
> int crl_check_mode;
> 
>+ if (mctx->ocsp_mask == UNSET) {
>+ mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
>+ }
>+
> if (mctx->crl_check_mask == UNSET) {
> mctx->crl_check_mask = SSL_CRLCHECK_NONE;
> }
>diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
>index 7c00123..58d1589 100644
>--- a/modules/ssl/ssl_engine_kernel.c
>+++ b/modules/ssl/ssl_engine_kernel.c
>@@ -1569,7 +1569,6 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
> int errdepth = X509_STORE_CTX_get_error_depth(ctx);
> int depth, verify;
> 
>-
> /*
> * Log verification information
> */
>@@ -1643,7 +1642,9 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
> /*
> * Perform OCSP-based revocation checks
> */
>- if (ok && sc->server->ocsp_enabled) {
>+ if (ok &&
>+ ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) ||
>+ (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) {
> /* If there was an optional verification error, it's not
> * possible to perform OCSP validation since the issuer may be
> * missing/untrusted. Fail in that case. */
>diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
>index 0d6592f..3bec573 100644
>--- a/modules/ssl/ssl_engine_ocsp.c
>+++ b/modules/ssl/ssl_engine_ocsp.c
>@@ -139,7 +139,14 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
> 
> ruri = determine_responder_uri(sc, cert, c, pool);
> if (!ruri) {
>- return V_OCSP_CERTSTATUS_UNKNOWN;
>+ if (sc->server->ocsp_mask & SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK) {
>+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
>+ "Skipping OCSP check for certificate cos no OCSP URL"
>+ " found and no_ocsp_for_cert_ok is set");
>+ return V_OCSP_CERTSTATUS_GOOD;
>+ } else {
>+ return V_OCSP_CERTSTATUS_UNKNOWN;
>+ }
> }
> 
> request = create_request(ctx, cert, &certID, s, pool, sc);
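Review bot: The `ocsp_mask` default is resolved inside `ssl_init_ctx_crl`, a function whose name and `crl_check_mode` local mark it as CRL-specific, so a reader tracing where OCSP settings become effective will not look here. Either add a comment on the new block, `/* Resolve the OCSP mask next to the CRL mask so both are final before ssl_callback_SSLVerify runs */`, or move the four lines to an OCSP-specific initialisation step if one exists. The function continues outside the hunk.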
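Review bot: In the ssl_engine_ocsp.c hunk the new branch returns `V_OCSP_CERTSTATUS_GOOD` without contacting any responder, so a certificate that carries no OCSP URL is treated as "good" purely because the administrator set `no_ocsp_for_cert_ok`; that is the intended opt-in, but the decision is logged only at TRACE2 with an informal message, which makes it hard to tell later whether a connection was accepted on a real OCSP answer or on this bypass. Replace the text with `"No OCSP responder URL found for certificate; skipping OCSP check because no_ocsp_for_cert_ok is set"` and consider APLOG_DEBUG so it surfaces in ordinary debugging. The `else` after a `return` is redundant and can be dropped. The mask is read from `sc->server->ocsp_mask` here, which matches the existing `sc->server` use in the ssl_engine_kernel.c hunk; presumably proxy contexts are out of scope for this patch, but that is worth confirming.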
>diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
>index 0ab60a0..3d7b3a0 100644
>--- a/modules/ssl/ssl_private.h
>+++ b/modules/ssl/ssl_private.h
>@@ -413,6 +413,16 @@ typedef enum {
> SSL_CRLCHECK_NO_CRL_FOR_CERT_OK = (1 << 2)
> } ssl_crlcheck_t;
> 
>+/**
>+ * OCSP checking mask (mode | flags)
>+ */
>+typedef enum {
>+ SSL_OCSPCHECK_NONE = (0),
>+ SSL_OCSPCHECK_LEAF = (1 << 0),
>+ SSL_OCSPCHECK_CHAIN = (1 << 1),
>+ SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK = (1 << 2)
>+} ssl_ocspcheck_t;
>+
> /**
> * Define the SSL pass phrase dialog types
> */
>@@ -691,7 +701,7 @@ typedef struct {
> 
> modssl_auth_ctx_t auth;
> 
>- BOOL ocsp_enabled; /* true if OCSP verification enabled */
>+ int ocsp_mask;
> BOOL ocsp_force_default; /* true if the default responder URL is
> * used regardless of per-cert URL */
> const char *ocsp_responder; /* default responder URL */
>@@ -831,7 +841,7 @@ const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const ch
> const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
> const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
> const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
>-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
>+const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg);
> const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
> 
> /* Declare OCSP Responder Certificate Verification Directive */
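Review bot: The second ssl_private.h hunk replaces a commented `BOOL ocsp_enabled` with a bare `int ocsp_mask;`, while every neighbouring field in that struct carries a trailing comment; document it as `int ocsp_mask; /* ssl_ocspcheck_t mode|flags, UNSET until resolved at init */`. The enum comment in the first hunk would also help readers if it stated that `SSL_OCSPCHECK_LEAF` and `SSL_OCSPCHECK_CHAIN` are mutually exclusive modes selected by the first directive word and `SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK` is an additive flag, which is how ssl_cmd_ocspcheck_parse in ssl_engine_config.c treats them.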