PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_ssl: backport fix for PR 46037
- trunk patch: http://svn.apache.org/r1781575
- http://svn.apache.org/r1781577
- http://svn.apache.org/r1781580
- http://svn.apache.org/r1781687
- http://svn.apache.org/r1783305
- 2.4.x patch: http://people.apache.org/~jfclere/patches/patch.46037.txt
- +1: jfclere, jim
- wrowe asks: Can we capitalize Verify in SSLOCSPNoverify to keep
- with conventions?
- ylavic: +1 with http://svn.apache.org/r1788430, fixing the merge of
- SSLOCSPNoverify and capitalizing as suggested above.
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLOCSPNoverify</name>
+<description>skip the OCSP responder certificates verification</description>
+<syntax>SSLOCSPNoverify <em>On/Off</em></syntax>
+<default>SSLOCSPNoverify Off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
+<usage>
+<p>Skip the OCSP responder certificates verification, mostly useful when
+testing an OCSP server.</p>
+</usage>
+</directivesynopsis>
+
+
+<directivesynopsis>
+<name>SSLOCSPResponderCertificateFile</name>
+<description>Set of trusted PEM encoded OCSP responder certificates</description>
+<syntax>SSLOCSPResponderCertificateFile <em>file</em></syntax>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.5 and later, if using OpenSSL 0.9.7 or later</compatibility>
+<usage>
+<p>This supplies a list of trusted OCSP responder certificates to be used
+during OCSP responder certificate validation. The supplied certificates are
+implicitly trusted without any further validation. This is typically used
+where the OCSP responder certificate is self signed or omitted from the OCSP
+response.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SSLOCSPProxyURL</name>
<description>Proxy URL to use for OCSP requests</description>
SSL_CMD_SRV(OCSPProxyURL, TAKE1,
"Proxy URL to use for OCSP requests")
+/* Define OCSP Responder Certificate Verification Directive */
+ SSL_CMD_SRV(OCSPNoVerify, FLAG,
+ "Do not verify OCSP Responder certificate ('on', 'off')")
+/* Define OCSP Responder File Configuration Directive */
+ SSL_CMD_SRV(OCSPResponderCertificateFile, TAKE1,
+ "Trusted OCSP responder certificates"
+ "(`/path/to/file' - PEM encoded certificates)")
+
#ifdef HAVE_OCSP_STAPLING
/*
* OCSP Stapling options
mctx->ocsp_use_request_nonce = UNSET;
mctx->proxy_uri = NULL;
+/* Set OCSP Responder Certificate Verification variable */
+ mctx->ocsp_noverify = UNSET;
+/* Set OCSP Responder File variables */
+ mctx->ocsp_verify_flags = 0;
+ mctx->ocsp_certs_file = NULL;
+ mctx->ocsp_certs = NULL;
+
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
mctx->stapling_resptime_skew = UNSET;
cfgMergeInt(ocsp_responder_timeout);
cfgMergeBool(ocsp_use_request_nonce);
cfgMerge(proxy_uri, NULL);
+
+/* Set OCSP Responder Certificate Verification directive */
+ cfgMergeBool(ocsp_noverify);
+/* Set OCSP Responder File directive for importing */
+ cfgMerge(ocsp_certs_file, NULL);
+
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
return NULL;
}
+/* Set OCSP responder certificate verification directive */
+const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->ocsp_noverify = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
#endif /* HAVE_SRP */
+/* OCSP Responder File Function to read in value */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ocsp_certs_file = arg;
+ return NULL;
+}
+
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
apr_file_t *out = NULL;
!= APR_SUCCESS) {
return rv;
}
+
+ /* Initialize OCSP Responder certificate if OCSP enabled */
+ #ifndef OPENSSL_NO_OCSP
+ ssl_init_ocsp_certificates(s, sc->server);
+ #endif
+
}
if (sc->proxy_enabled) {
ssl_init_ctx_cleanup_proxy(sc->proxy);
ssl_init_ctx_cleanup(sc->server);
+
+ /* Not Sure but possibly clear X509 trusted cert file */
+ #ifndef OPENSSL_NO_OCSP
+ sk_X509_pop_free(sc->server->ocsp_certs, X509_free);
+ #endif
+
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
- /* TODO: allow flags configuration. */
- if (OCSP_basic_verify(basicResponse, NULL, X509_STORE_CTX_get0_store(ctx), 0) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
- "failed to verify the OCSP response");
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
+ /* Check if OCSP certificate verification required */
+ if (sc->server->ocsp_noverify != TRUE) {
+ /* Modify OCSP response verification to include OCSP Responder cert */
+ if (OCSP_basic_verify(basicResponse, sc->server->ocsp_certs, X509_STORE_CTX_get0_store(ctx),
+ sc->server->ocsp_verify_flags) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
+ "failed to verify the OCSP response");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
+ }
}
}
BOOL ocsp_use_request_nonce;
apr_uri_t *proxy_uri;
+ BOOL ocsp_noverify; /* true if skipping OCSP certification verification like openssl -noverify */
+ /* Declare variables for using OCSP Responder Certs for OCSP verification */
+ int ocsp_verify_flags; /* Flags to use when verifying OCSP response */
+ const char *ocsp_certs_file; /* OCSP other certificates filename */
+ STACK_OF(X509) *ocsp_certs; /* OCSP other certificates */
+
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
+/* Declare OCSP Responder Certificate Verification Directive */
+const char *ssl_cmd_SSLOCSPNoVerify(cmd_parms *cmd, void *dcfg, int flag);
+/* Declare OCSP Responder Certificate File Directive */
+const char *ssl_cmd_SSLOCSPResponderCertificateFile(cmd_parms *cmd, void *dcfg, const char *arg);
+
#ifdef HAVE_SSL_CONF_CMD
const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2);
#endif
apr_interval_time_t timeout,
OCSP_REQUEST *request,
conn_rec *c, apr_pool_t *p);
+
+/* Initialize OCSP trusted certificate list */
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
+
#endif
/* Retrieve DH parameters for given key length. Return value should
return response;
}
+/* _________________________________________________________________
+**
+** OCSP other certificate support
+** _________________________________________________________________
+*/
+
+/*
+ * Read a file that contains certificates in PEM format and
+ * return as a STACK.
+ */
+
+static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file)
+{
+ BIO *bio;
+ X509 *x509;
+ unsigned long err;
+ STACK_OF(X509) *other_certs = NULL;
+
+ if ((bio = BIO_new(BIO_s_file())) == NULL)
+ return NULL;
+ if (BIO_read_filename(bio, file) <= 0) {
+ BIO_free(bio);
+ return NULL;
+ }
+ /* create new extra chain by loading the certs */
+ while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) {
+ if (!other_certs) {
+ other_certs = sk_X509_new_null();
+ if (!other_certs)
+ return NULL;
+ }
+
+ if (!sk_X509_push(other_certs, x509)) {
+ X509_free(x509);
+ sk_X509_pop_free(other_certs, X509_free);
+ BIO_free(bio);
+ return NULL;
+ }
+ }
+ /* Make sure that only the error is just an EOF */
+ if ((err = ERR_peek_error()) > 0) {
+ if (!( ERR_GET_LIB(err) == ERR_LIB_PEM
+ && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+ BIO_free(bio);
+ sk_X509_pop_free(other_certs, X509_free);
+ return NULL;
+ }
+ while (ERR_get_error() > 0) ;
+ }
+ BIO_free(bio);
+ return other_certs;
+}
+
+void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx)
+{
+ /*
+ * Configure Trusted OCSP certificates.
+ */
+
+ if (!mctx->ocsp_certs_file) {
+ return;
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Configuring Trusted OCSP certificates");
+
+ mctx->ocsp_certs = modssl_read_ocsp_certificates(mctx->ocsp_certs_file);
+
+ if (!mctx->ocsp_certs) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+ "Unable to configure OCSP Trusted Certificates");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+ ssl_die(s);
+ }
+ mctx->ocsp_verify_flags |= OCSP_TRUSTOTHER;
+}
+
#endif /* HAVE_OCSP */
projects / apache / commitdiff