-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive
+ to opt-in previous behaviour (2.2) with CRLs verification when checking
+ certificate(s) with no corresponding CRL. [Yann Ylavic]
+
*) mod_proxy_http2: rescheduling of requests that have not been processed
by the backend when receiving a GOAWAY frame before done.
[Stefan Eissing]
<directivesynopsis>
<name>SSLCARevocationCheck</name>
<description>Enable CRL-based revocation checking</description>
-<syntax>SSLCARevocationCheck chain|leaf|none</syntax>
+<syntax>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</syntax>
<default>SSLCARevocationCheck none</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
+<compatibility>Optional <em>flag</em>s available in httpd 2.5-dev or
+later</compatibility>
<usage>
<p>
CRL checks are applied to all certificates in the chain, while setting it to
<code>leaf</code> limits the checks to the end-entity cert.
</p>
-<note>
-<title>When set to <code>chain</code> or <code>leaf</code>,
-CRLs <em>must</em> be available for successful validation</title>
-<p>
-Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
-no CRL(s) were found in any of the locations configured with
-<directive module="mod_ssl">SSLCARevocationFile</directive>
-or <directive module="mod_ssl">SSLCARevocationPath</directive>.
-With the introduction of this directive, the behavior has been changed:
-when checking is enabled, CRLs <em>must</em> be present for the validation
-to succeed - otherwise it will fail with an
-<code>"unable to get certificate CRL"</code> error.
-</p>
-</note>
+The available <em>flag</em>s are:</p>
+<ul>
+<li><code>no_crl_for_cert_ok</code>
+ <p>
+ Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when
+ no CRL(s) for the checked certificate(s) were found in any of the locations
+ configured with <directive module="mod_ssl">SSLCARevocationFile</directive>
+ or <directive module="mod_ssl">SSLCARevocationPath</directive>.
+ </p>
+ <p>
+ With the introduction of <directive>SSLCARevocationFile</directive>,
+ the behavior has been changed: by default with <code>chain</code> or
+ <code>leaf</code>, CRLs <strong>must</strong> be present for the
+ validation to succeed - otherwise it will fail with an
+ <code>"unable to get certificate CRL"</code> error.
+ </p>
+ <p>
+ The <em>flag</em> <code>no_crl_for_cert_ok</code> allows to restore
+ previous behaviour.
+ </p>
+</li>
+</ul>
<example><title>Example</title>
<highlight language="config">
SSLCARevocationCheck chain
</highlight>
</example>
+<example><title>Compatibility with versions 2.2</title>
+<highlight language="config">
+SSLCARevocationCheck chain no_crl_for_cert_ok
+</highlight>
+</example>
</usage>
</directivesynopsis>
SSL_CMD_SRV(CARevocationFile, TAKE1,
"SSL CA Certificate Revocation List (CRL) file "
"('/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(CARevocationCheck, TAKE1,
+ SSL_CMD_SRV(CARevocationCheck, RAW_ARGS,
"SSL CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_ALL(VerifyClient, TAKE1,
"SSL Client verify type "
SSL_CMD_SRV(ProxyCARevocationFile, TAKE1,
"SSL Proxy: CA Certificate Revocation List (CRL) file "
"('/path/to/file' - PEM encoded)")
- SSL_CMD_SRV(ProxyCARevocationCheck, TAKE1,
+ SSL_CMD_SRV(ProxyCARevocationCheck, RAW_ARGS,
"SSL Proxy: CA Certificate Revocation List (CRL) checking mode")
SSL_CMD_SRV(ProxyMachineCertificateFile, TAKE1,
"SSL Proxy: file containing client certificates "
mctx->crl_path = NULL;
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->crl_check_flags = UNSET;
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
cfgMerge(crl_path, NULL);
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+ cfgMergeInt(crl_check_flags);
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err, *w;
- return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
+ w = ap_getword_conf(cmd->temp_pool, &arg);
+ err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
+ if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
+ return err;
+ }
+
+ if (sc->server->crl_check_flags == UNSET) {
+ sc->server->crl_check_flags = 0;
+ }
+ while (*arg) {
+ w = ap_getword_conf(cmd->temp_pool, &arg);
+ if (strcEQ(w, "no_crl_for_cert_ok")) {
+ sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
+ }
+ else {
+ return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
+ ": Invalid flag '", w, "'",
+ NULL);
+ }
+ }
+ return NULL;
}
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err, *w;
- return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mode);
+ w = ap_getword_conf(cmd->temp_pool, &arg);
+ err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
+ if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
+ return err;
+ }
+
+ if (sc->proxy->crl_check_flags == UNSET) {
+ sc->proxy->crl_check_flags = 0;
+ }
+ while (*arg) {
+ w = ap_getword_conf(cmd->temp_pool, &arg);
+ if (strcEQ(w, "no_crl_for_cert_ok")) {
+ sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
+ }
+ else {
+ return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
+ ": Invalid flag '", w, "'",
+ NULL);
+ }
+ }
+ return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
sc->fips = FALSE;
}
#endif
+
+ if (sc->server && sc->server->crl_check_flags == UNSET) {
+ sc->server->crl_check_flags = 0;
+ }
+ if (sc->proxy && sc->proxy->crl_check_flags == UNSET) {
+ sc->proxy->crl_check_flags = 0;
+ }
}
#if APR_HAS_THREADS
ssl_log_cxerror(SSLLOG_MARK, APLOG_DEBUG, 0, conn,
X509_STORE_CTX_get_current_cert(ctx), APLOGNO(02275)
"Certificate Verification, depth %d, "
- "CRL checking mode: %s", errdepth,
+ "CRL checking mode: %s (%x)", errdepth,
mctx->crl_check_mode == SSL_CRLCHECK_CHAIN ?
"chain" : (mctx->crl_check_mode == SSL_CRLCHECK_LEAF ?
- "leaf" : "none"));
+ "leaf" : "none"),
+ mctx->crl_check_flags);
/*
* Check for optionally acceptable non-verifiable issuer situation
X509_STORE_CTX_set_error(ctx, -1);
}
+ if (!ok && errnum == X509_V_ERR_UNABLE_TO_GET_CRL
+ && (sc->server->crl_check_flags & MODSSL_CCF_NO_CRL_FOR_CERT_OK)) {
+ errnum = X509_V_OK;
+ ok = TRUE;
+ }
+
#ifndef OPENSSL_NO_OCSP
/*
* Perform OCSP-based revocation checks
/**
* CRL checking modes
*/
+#define MODSSL_CCF_NO_CRL_FOR_CERT_OK (1 << 0)
typedef enum {
SSL_CRLCHECK_UNSET = UNSET,
SSL_CRLCHECK_NONE = 0,
const char *crl_path;
const char *crl_file;
ssl_crlcheck_t crl_check_mode;
+ int crl_check_flags;
#ifdef HAVE_OCSP_STAPLING
/** OCSP stapling options */
projects / apache / commitdiff