mctx->ocsp_resp_maxage = UNSET;
mctx->ocsp_responder_timeout = UNSET;
mctx->ocsp_use_request_nonce = UNSET;
+ mctx->proxy_uri = NULL;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
cfgMergeInt(ocsp_resp_maxage);
cfgMergeInt(ocsp_responder_timeout);
cfgMergeBool(ocsp_use_request_nonce);
+ cfgMerge(proxy_uri, NULL);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
return NULL;
}
+const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->proxy_uri = apr_palloc(cmd->pool, sizeof(apr_uri_t));
+ if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) {
+ return apr_psprintf(cmd->pool,
+ "SSLOCSPProxyURL: Cannot parse URL %s", arg);
+ }
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
/* Serialize an OCSP request which will be sent to the responder at
* given URI to a memory BIO object, which is returned. */
-static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
+static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri,
+ const apr_uri_t *proxy_uri)
{
BIO *bio;
int len;
bio = BIO_new(BIO_s_mem());
- BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n"
+ BIO_printf(bio, "POST ");
+ /* Use full URL instead of URI in case of a request through a proxy */
+ if (proxy_uri) {
+ BIO_printf(bio, "http://%s:%d",
+ uri->hostname, uri->port);
+ }
+ BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n"
* NULL on error. */
static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
apr_interval_time_t timeout,
- conn_rec *c, apr_pool_t *p)
+ conn_rec *c, apr_pool_t *p,
+ const apr_uri_t *proxy_uri)
{
apr_status_t rv;
apr_sockaddr_t *sa;
apr_socket_t *sd;
char buf[HUGE_STRING_LEN];
int len;
+ const apr_uri_t *next_hop_uri;
+
+ if (proxy_uri) {
+ next_hop_uri = proxy_uri;
+ }
+ else {
+ next_hop_uri = uri;
+ }
- rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p);
+ rv = apr_sockaddr_info_get(&sa, next_hop_uri->hostname, APR_UNSPEC,
+ next_hop_uri->port, 0, p);
if (rv) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
- "could not resolve address of OCSP responder %s",
- uri->hostinfo);
+ "could not resolve address of %s %s",
+ proxy_uri ? "proxy" : "OCSP responder",
+ next_hop_uri->hostinfo);
return NULL;
}
/* establish a connection to the OCSP responder */
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
- "connecting to OCSP responder '%s'", uri->hostinfo);
+ "connecting to %s '%s'",
+ proxy_uri ? "proxy" : "OCSP responder",
+ uri->hostinfo);
/* Cycle through address until a connect() succeeds. */
for (; sa; sa = sa->next) {
if (sa == NULL) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974)
- "could not connect to OCSP responder '%s'",
- uri->hostinfo);
+ "could not connect to %s '%s'",
+ proxy_uri ? "proxy" : "OCSP responder",
+ next_hop_uri->hostinfo);
return NULL;
}
OCSP_RESPONSE *response = NULL;
apr_socket_t *sd;
BIO *bio;
+ const apr_uri_t *proxy_uri;
- bio = serialize_request(request, uri);
+ proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri;
+ bio = serialize_request(request, uri, proxy_uri);
if (bio == NULL) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989)
"could not serialize OCSP request");
return NULL;
}
- sd = send_request(bio, uri, timeout, c, p);
+ sd = send_request(bio, uri, timeout, c, p, proxy_uri);
if (sd == NULL) {
/* Errors already logged. */
BIO_free(bio);
projects / apache / commitdiff