mod_ssl: send OCSP request's nonce according to SSLOCSPUseRequestNonce on/off. PR 56233.
mod_ssl: follow up to r1583191.
New SSLOCSPUseRequestNonce directive's manual and CHANGES.
Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce
grouped with other OCSP ones, nested if turned to a single AND condition).
Remove SSLOCSPUseRequestNonce OpenSSL-0.9.7 requirement (0.9.8 already required by httpd-2.4) and set availability to 2.5-dev until further notice.
mod_ssl: follow up to r1583191.
Use type BOOL for modssl_ctx_t's field ocsp_use_request_nonce.
Suggested by: kbrand.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@
1608758 13f79535-47bb-0310-9956-
ffa450edef68
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups. [Kaspar Brand]
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [Yann Ylavic, Kaspar Brand]
+
*) mod_lua: Enforce the max post size allowed via r:parsebody()
[Daniel Gruno]
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLOCSPUseRequestNonce</name>
+<description>Use a nonce within OCSP queries</description>
+<syntax>SSLOCSPUseRequestNonce on|off</syntax>
+<default>SSLOCSPUseRequestNonce on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.10 and later</compatibility>
+
+<usage>
+<p>This option determines whether queries to OCSP responders should contain
+a nonce or not. By default, a query nonce is always used and checked against
+the response's one. When the responder does not use nonces (eg. Microsoft OCSP
+Responder), this option ought to be turned <code>off</code>.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SSLInsecureRenegotiation</name>
<description>Option to enable support for insecure renegotiation</description>
"Maximum age of OCSP responses")
SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
"OCSP responder query timeout")
+ SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+ "Whether OCSP queries use a nonce or not ('on', 'off')")
#ifdef HAVE_OCSP_STAPLING
/*
mctx->ocsp_resptime_skew = UNSET;
mctx->ocsp_resp_maxage = UNSET;
mctx->ocsp_responder_timeout = UNSET;
+ mctx->ocsp_use_request_nonce = UNSET;
#ifdef HAVE_OCSP_STAPLING
mctx->stapling_enabled = UNSET;
cfgMergeInt(ocsp_resptime_skew);
cfgMergeInt(ocsp_resp_maxage);
cfgMergeInt(ocsp_responder_timeout);
+ cfgMergeBool(ocsp_use_request_nonce);
#ifdef HAVE_OCSP_STAPLING
cfgMergeBool(stapling_enabled);
cfgMergeInt(stapling_resptime_skew);
return NULL;
}
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->server->ocsp_use_request_nonce = flag ? TRUE : FALSE;
+
+ return NULL;
+}
+
const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
* request object on success, or NULL on error. */
static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
OCSP_CERTID **certid,
- server_rec *s, apr_pool_t *p)
+ server_rec *s, apr_pool_t *p,
+ SSLSrvConfigRec *sc)
{
OCSP_REQUEST *req = OCSP_REQUEST_new();
return NULL;
}
- OCSP_request_add1_nonce(req, 0, -1);
+ if (sc->server->ocsp_use_request_nonce != FALSE) {
+ OCSP_request_add1_nonce(req, 0, -1);
+ }
return req;
}
return V_OCSP_CERTSTATUS_UNKNOWN;
}
- request = create_request(ctx, cert, &certID, s, pool);
+ request = create_request(ctx, cert, &certID, s, pool, sc);
if (request) {
apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
}
}
- if (rc == V_OCSP_CERTSTATUS_GOOD) {
- if (OCSP_check_nonce(request, basicResponse) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
- "Bad OCSP responder answer (bad nonce)");
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
- }
+ if (rc == V_OCSP_CERTSTATUS_GOOD &&
+ sc->server->ocsp_use_request_nonce != FALSE &&
+ OCSP_check_nonce(request, basicResponse) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
+ "Bad OCSP responder answer (bad nonce)");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
long ocsp_resptime_skew;
long ocsp_resp_maxage;
apr_interval_time_t ocsp_responder_timeout;
+ BOOL ocsp_use_request_nonce;
+
#ifdef HAVE_SSL_CONF_CMD
SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
#ifdef HAVE_SSL_CONF_CMD
projects / apache / commitdiff