New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non-functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1584098 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [ Yann Ylavic ]
+
*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM. PR56216. [Frank Meier <frank meier ergon ch>]
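Review bot: the attribution `[ Yann Ylavic ]` has spaces inside the brackets, unlike the `[Frank Meier <frank meier ergon ch>]` entry right below it; use `[Yann Ylavic]` for consistency. The entry would also serve admins better if it named the default and the intended use, e.g. "defaults to on; turn off only for responders that do not echo the request nonce", since that is the security-relevant decision the new directive exposes.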
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLOCSPUseRequestNonce</name>
+<description>Use a nonce within OCSP queries</description>
+<syntax>SSLOCSPUseRequestNonce on|off</syntax>
+<default>SSLOCSPUseRequestNonce on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option determines whether queries to OCSP responders should contain
+a nonce or not. By default, a query nonce is always used and checked against
+the response's one. When the responder does not use nonces (eg. Microsoft OCSP
+Responder), this option ought to be turned <code>off</code>.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SSLInsecureRenegotiation</name>
<description>Option to enable support for insecure renegotiation</description>
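Review bot: the compatibility line says `Available in httpd 2.4.10 and later` while the CHANGES entry is filed under 2.5.0; if a 2.4.x backport is planned the text is fine once it lands, otherwise it should say 2.5.0. The usage paragraph should also state what an admin gives up by turning this off: the request nonce is what binds a response to this particular request, so with it off a captured `good` response can be replayed until the response's own time window (the `ocsp_resptime_skew`/`ocsp_resp_maxage` limits visible in the modssl_ctx_t hunk) rejects it. Suggest adding a sentence such as "When turned off, replay protection relies solely on the response validity period checks." Minor: `eg.` should be `e.g.`.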
}
if (rc == V_OCSP_CERTSTATUS_GOOD &&
- sc->server->ocsp_use_request_nonce != FALSE) {
- if (OCSP_check_nonce(request, basicResponse) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
- "Bad OCSP responder answer (bad nonce)");
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
- }
+ sc->server->ocsp_use_request_nonce != FALSE &&
+ OCSP_check_nonce(request, basicResponse) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
+ "Bad OCSP responder answer (bad nonce)");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
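Review bot: collapsing the nested `if` into one `&&` chain is behaviour-preserving since the inner block was the only statement, but two points are worth addressing here. First, `sc->server->ocsp_use_request_nonce != FALSE` treats any value other than an explicit off, including an unset one, as enabled; that matches the documented default of `on` but reads as if `== TRUE` were intended, so a short comment explaining the choice would help the next reader. Second, `OCSP_check_nonce()` returns distinct values for a nonce that mismatches and for a nonce that is absent from the response (what a responder that ignores nonces produces); logging the return value next to `Bad OCSP responder answer (bad nonce)` would let an admin distinguish a tampered or replayed response from a responder that merely needs `SSLOCSPUseRequestNonce off`. A debug-level log line when the check is skipped because the directive is off would likewise make the weakened configuration visible in the error log.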
long ocsp_resptime_skew;
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
+ int ocsp_use_request_nonce;
+
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
#endif
- int ocsp_use_request_nonce;
} modssl_ctx_t;
struct SSLSrvConfigRec {
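Review bot: moving `ocsp_use_request_nonce` from the tail of `modssl_ctx_t` to the `ocsp_*` group changes the struct layout; that is harmless as long as the struct is only allocated and accessed inside mod_ssl, as the commit message's "non-functional" label implies, but it should be confirmed that nothing outside the module depends on the field order. While here, a one-line comment on the field (boolean directive value, default on) would match the commented `ssl_ctx_config` / `ssl_ctx_param` neighbours.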