From: Joe Orton <jorton@apache.org> Date: Mon, 17 Jan 2011 13:27:03 +0000 (+0000) Subject: * modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add X-Git-Tag: 2.3.11~176 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=271de81e7cf874c743aa066bab129d18d14401bb;p=apache * modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add config hooks for OCSP response time skew, maximum age, timeout. * modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect config settings for above. * docs/: Update accordingly. Submitted by: Kaspar Brand <httpd-dev.2011 velox.ch> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1059917 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 5a92c69cb9..05563c8cca 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.3.11 + *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout, + SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew. + [Kaspar Brand <httpd-dev.2011 velox.ch>] + *) mod_ssl: Revamp output buffering to reduce network overhead for output fragmented into many buckets, such as chunked HTTP responses. [Joe Orton] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 4cbb1ba266..f4ebecaaab 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml 
@@ -1855,6 +1855,53 @@ certificate being validated references an OCSP responder.</p>
 </usage>
 </directivesynopsis>
+<directivesynopsis>
+<name>SSLOCSPResponseTimeSkew</name>
+<description>Maximum allowable time skew for OCSP response validation</description>
+<syntax>SSLOCSPResponseTimeSkew <em>seconds</em></syntax>
+<default>SSLOCSPResponseTimeSkew 300</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable time skew for OCSP responses
+(when checking their <code>thisUpdate</code> and <code>nextUpdate</code> fields).</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPResponseMaxAge</name>
+<description>Maximum allowable age for OCSP responses</description>
+<syntax>SSLOCSPResponseMaxAge <em>seconds</em></syntax>
+<default>SSLOCSPResponseMaxAge -1</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable age ("freshness") for OCSP responses.
+The default value (<code>-1</code>) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+<code>nextUpdate</code> field is in the future.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPResponderTimeout</name>
+<description>Timeout for OCSP queries</description>
+<syntax>SSLOCSPResponderTimeout <em>seconds</em></syntax>
+<default>SSLOCSPResponderTimeout 10</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the timeout for queries to OCSP responders, when
+<directive module="mod_ssl">SSLOCSPEnable</directive> is turned on.</p>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>SSLInsecureRenegotiation</name>
 <description>Option to enable support for insecure renegotiation</description>
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 3d090cb15b..d908e61d44 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -197,6 +197,12 @@ static const command_rec ssl_config_cmds[] = {
 "URL of the default OCSP Responder")
 SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
 "Force use of the default responder URL ('on', 'off')")
+ SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+ "Maximum time difference in OCSP responses")
+ SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+ "Maximum age of OCSP responses")
+ SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
+ "OCSP responder query timeout")
 #ifdef HAVE_OCSP_STAPLING
 /*
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 029d3d77c5..89270bf4ec 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -130,6 +130,9 @@ static void modssl_ctx_init(modssl_ctx_t *mctx)
 mctx->ocsp_enabled = FALSE;
 mctx->ocsp_force_default = FALSE;
 mctx->ocsp_responder = NULL;
+ mctx->ocsp_resptime_skew = UNSET;
+ mctx->ocsp_resp_maxage = UNSET;
+ mctx->ocsp_responder_timeout = UNSET;
 #ifdef HAVE_OCSP_STAPLING
 mctx->stapling_enabled = UNSET;
@@ -243,6 +246,9 @@ static void modssl_ctx_cfg_merge(modssl_ctx_t *base,
 cfgMergeBool(ocsp_enabled);
 cfgMergeBool(ocsp_force_default);
 cfgMerge(ocsp_responder, NULL);
+ cfgMergeInt(ocsp_resptime_skew);
+ cfgMergeInt(ocsp_resp_maxage);
+ cfgMergeInt(ocsp_responder_timeout);
 #ifdef HAVE_OCSP_STAPLING
 cfgMergeBool(stapling_enabled);
 cfgMergeInt(stapling_resptime_skew);
@@ -1445,6 +1451,36 @@ const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const ch
 return NULL;
 }
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resptime_skew = atoi(arg);
+ if (sc->server->ocsp_resptime_skew < 0) {
+ return "SSLOCSPResponseTimeSkew: invalid argument";
+ }
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_resp_maxage = atoi(arg);
+ if (sc->server->ocsp_resp_maxage < 0) {
+ return "SSLOCSPResponseMaxAge: invalid argument";
+ }
+ return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ sc->server->ocsp_responder_timeout = apr_time_from_sec(atoi(arg));
+ if (sc->server->ocsp_responder_timeout < 0) {
+ return "SSLOCSPResponderTimeout: invalid argument";
+ }
+ return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
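Review bot: All three new directive handlers at the end of this hunk parse with `atoi(arg)`, so a non-numeric value (say `SSLOCSPResponseTimeSkew 5m`) silently becomes 0 and passes the `< 0` test — for the skew directive that disables clock-skew tolerance instead of rejecting the configuration, and an out-of-range number is undefined behaviour in `atoi`. The `SSLOCSPResponseMaxAge` handler also rejects `-1`, although this same commit documents `-1` as the default meaning "no maximum age", so the documented value cannot be written in a config file; and since the ssl_engine_ocsp.c hunk's comment equates `UNSET` with `-1`, an explicit `-1` would presumably be treated as unset by `cfgMergeInt` when vhost configs are merged, which deserves a comment if that is accepted. I would parse with `strtol` plus an end-pointer check and assign only after validation in all three; the MaxAge handler is shown below, the other two differ only in the bound (`v < 0`) and, for the timeout, in storing `apr_time_from_sec(v)`.
```c
const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    char *end;
    long v = strtol(arg, &end, 10);

    /* -1 is the documented "no maximum age" value; anything else below
     * zero, an empty string or trailing garbage is a configuration error. */
    if (end == arg || *end != '\0' || v < -1) {
        return "SSLOCSPResponseMaxAge: invalid argument";
    }
    sc->server->ocsp_resp_maxage = v;
    return NULL;
}
```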
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index b0a16b4251..d52bc5e1a3 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -141,10 +141,10 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 request = create_request(ctx, cert, &certID, s, pool);
 if (request) {
- /* Use default I/O timeout for the server. */
- response = modssl_dispatch_ocsp_request(ruri,
- mySrvFromConn(c)->timeout,
- request, c, pool);
+ apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
+ DEFAULT_OCSP_TIMEOUT :
+ sc->server->ocsp_responder_timeout;
+ response = modssl_dispatch_ocsp_request(ruri, to, request, c, pool);
 }
 if (!request || !response) {
@@ -205,15 +205,16 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 rc = status;
 }
- /* TODO: make these configurable. */
-#define MAX_SKEW (60)
-#define MAX_AGE (360)
-
 /* Check whether the response is inside the defined validity
 * period; otherwise fail. */
 if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
- int vrc = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
-
+ long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
+ DEFAULT_OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
+ /* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
+ * that responses can be of any age as long as nextup is in the
+ * future. */
+ int vrc = OCSP_check_validity(thisup, nextup, resptime_skew,
+ sc->server->ocsp_resp_maxage);
 if (vrc != 1) {
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
 ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index d8d0cd27b7..7c7cda84b4 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
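Review bot: The fallback branch of the new conditional passes `DEFAULT_OCSP_TIMEOUT` to `modssl_dispatch_ocsp_request` unconverted, while the configured value in the other branch is stored by the ssl_engine_config.c hunk as `apr_time_from_sec(atoi(arg))` and the ssl_private.h hunk defines the macro as a bare `10`; the `mySrvFromConn(c)->timeout` this replaces was likewise an `apr_interval_time_t` in apr_time (microsecond) units, so with the directive unset the responder timeout looks like 10 µs rather than the documented 10 s. That would make almost every OCSP fetch time out in the default configuration, and what happens next depends on the `!request || !response` branch just below, whose body is outside the hunk. The fix is one line, `apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :` in place of `DEFAULT_OCSP_TIMEOUT :`. `verify_ocsp_status` begins and ends outside this hunk.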
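Review bot: The new call passes `ocsp_resp_maxage` straight through, so with the default `-1` the age check in `OCSP_check_validity` is switched off entirely and — as far as I recall OpenSSL's implementation, which skips the `nextUpdate` comparison when that field is NULL — a response that carries no `nextUpdate` is then accepted at any age; this replaces the removed hard-coded `MAX_AGE (360)`, and the skew default moves from 60 to 300 seconds, neither of which CHANGES or the docs hunk mention. The relaxation may well be intended (a 360 s cap rejects legitimately cached responder output), but it should be stated in the SSLOCSPResponseMaxAge documentation, and the comment above the call has a typo (`oscp_resp_maxage`) and should name that case: `/* ocsp_resp_maxage is passed verbatim: UNSET (-1) disables the age check, so a response is accepted until its nextUpdate, or indefinitely if nextUpdate is absent. */`. `verify_ocsp_status` begins and ends outside this hunk.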
@@ -179,6 +179,16 @@ ap_set_module_config(c->conn_config, &ssl_module, val)
 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
 #endif
+/* Default for OCSP response validity */
+#ifndef DEFAULT_OCSP_MAX_SKEW
+#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
+#endif
+
+/* Default timeout for OCSP queries */
+#ifndef DEFAULT_OCSP_TIMEOUT
+#define DEFAULT_OCSP_TIMEOUT 10
+#endif
+
 /**
 * Support for MM library
 */
@@ -516,6 +526,9 @@ typedef struct {
 BOOL ocsp_force_default; /* true if the default responder URL is
 * used regardless of per-cert URL */
 const char *ocsp_responder; /* default responder URL */
+ long ocsp_resptime_skew;
+ long ocsp_resp_maxage;
+ apr_interval_time_t ocsp_responder_timeout;
 } modssl_ctx_t;
@@ -620,6 +633,9 @@ const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
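Review bot: `DEFAULT_OCSP_TIMEOUT` is a bare `10` under a comment that gives no unit, whereas the configured value it stands in for is an `apr_interval_time_t` in apr_time units; that ambiguity is easy to misuse, and the ssl_engine_ocsp.c hunk in this commit appears to do exactly that by passing the macro through unconverted. State the unit where the constant is defined, e.g. `/* Default timeout for OCSP queries, in seconds; convert with apr_time_from_sec() before use */`, and likewise `/* Default tolerated clock skew when validating OCSP responses, in seconds */` for `DEFAULT_OCSP_MAX_SKEW`, whose current comment ("Default for OCSP response validity") does not say what it bounds.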
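Review bot: The three new `modssl_ctx_t` members carry no trailing comment, unlike the neighbouring `ocsp_*` fields, and they mix units (two `long` values in seconds, one `apr_interval_time_t`), which is the kind of detail the call site in ssl_engine_ocsp.c appears to get wrong for the default timeout. I would annotate them: `long ocsp_resptime_skew; /* seconds; UNSET => DEFAULT_OCSP_MAX_SKEW */`, `long ocsp_resp_maxage; /* seconds; UNSET/-1 => no age limit */`, `apr_interval_time_t ocsp_responder_timeout; /* apr_time units; UNSET => DEFAULT_OCSP_TIMEOUT */`. The struct definition begins outside this hunk.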