From 32fec69dcfe6a80322bb387cbe12b248d125f9af Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 1 Mar 2016 13:46:22 +0000 Subject: [PATCH] Merge r1726881, r1727111 from trunk: * Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy. Documentation to follow. * Change entry and documentation for SSLOCSPProxyURL Submitted by: rpluem Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733066 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ docs/manual/mod/mod_ssl.xml | 14 ++++++++++ modules/ssl/mod_ssl.c | 2 ++ modules/ssl/ssl_engine_config.c | 14 ++++++++++ modules/ssl/ssl_private.h | 2 ++ modules/ssl/ssl_util_ocsp.c | 45 +++++++++++++++++++++++++-------- 6 files changed, 69 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 43666035da..3b8cf1b543 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.19 + *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries + to OCSP responders through a HTTP proxy. [Ruediger Pluem] + *) mod_cache_socache: Fix a possible cached entity body corruption when it is received from an origin server in multiple batches and forwarded by mod_proxy. [Yann Ylavic] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 6a2da2f86f..06651b4c52 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2349,6 +2349,20 @@ Responder), this option should be turned off.

+ +SSLOCSPProxyURL +Proxy URL to use for OCSP requests +SSLOCSPProxyURL url +server config +virtual host +Available in httpd 2.5 and later + + +

This option allows to set the URL of a HTTP proxy that should be used for +all queries to OCSP responders.

+
+
+ SSLInsecureRenegotiation Option to enable support for insecure renegotiation diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 717a694bbe..7506b9d218 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -243,6 +243,8 @@ static const command_rec ssl_config_cmds[] = { "OCSP responder query timeout") SSL_CMD_SRV(OCSPUseRequestNonce, FLAG, "Whether OCSP queries use a nonce or not ('on', 'off')") + SSL_CMD_SRV(OCSPProxyURL, TAKE1, + "Proxy URL to use for OCSP requests") #ifdef HAVE_OCSP_STAPLING /* diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 746f16698d..a3d5af5266 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -136,6 +136,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p) mctx->ocsp_resp_maxage = UNSET; mctx->ocsp_responder_timeout = UNSET; mctx->ocsp_use_request_nonce = UNSET; + mctx->proxy_uri = NULL; #ifdef HAVE_OCSP_STAPLING mctx->stapling_enabled = UNSET; @@ -285,6 +286,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p, cfgMergeInt(ocsp_resp_maxage); cfgMergeInt(ocsp_responder_timeout); cfgMergeBool(ocsp_use_request_nonce); + cfgMerge(proxy_uri, NULL); #ifdef HAVE_OCSP_STAPLING cfgMergeBool(stapling_enabled); cfgMergeInt(stapling_resptime_skew); @@ -1670,6 +1672,18 @@ const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag) return NULL; } +const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + sc->server->proxy_uri = apr_palloc(cmd->pool, sizeof(apr_uri_t)); + if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) { + return apr_psprintf(cmd->pool, + "SSLOCSPProxyURL: Cannot parse URL %s", arg); + } + return NULL; +} + const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); 
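Review bot: ssl_cmd_SSLOCSPProxyURL stores the parsed URL without normalising it, so a directive written without a port, e.g. `SSLOCSPProxyURL http://proxy.example/` (constructed example), leaves `proxy_uri->port` at 0 — as far as I recall apr_uri_parse only fills `port` when one is present in the string — and send_request in ssl_util_ocsp.c then passes that 0 to `apr_sockaddr_info_get`, so the connect can never reach the proxy. The handler should default the port from the scheme with `apr_uri_port_of_scheme`, reject a URL that parses without a hostname, and, because the OCSP client only speaks plaintext HTTP on the socket it opens, refuse any scheme other than http rather than silently connecting in the clear to something the admin configured as https. The responder URI presumably receives checks of this kind elsewhere in the module before use; the proxy URI deserves the same bar at configuration time, where the problem is reported to the admin instead of surfacing later as a failed OCSP lookup.
```c
const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
                                    const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    apr_uri_t *u = apr_palloc(cmd->pool, sizeof(apr_uri_t));

    if (apr_uri_parse(cmd->pool, arg, u) != APR_SUCCESS || !u->hostname) {
        return apr_psprintf(cmd->pool,
                            "SSLOCSPProxyURL: Cannot parse URL %s", arg);
    }
    /* The OCSP client only speaks plaintext HTTP to the next hop. */
    if (!u->scheme || strcasecmp(u->scheme, "http") != 0) {
        return apr_psprintf(cmd->pool,
                            "SSLOCSPProxyURL: Unsupported scheme in URL %s",
                            arg);
    }
    /* apr_uri_parse leaves port at 0 when the URL carries none. */
    if (u->port == 0) {
        u->port = apr_uri_port_of_scheme(u->scheme);
    }
    sc->server->proxy_uri = u;
    return NULL;
}
```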
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index ef12f1aaac..70b3ac22d0 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -638,6 +638,7 @@ typedef struct { long ocsp_resp_maxage; apr_interval_time_t ocsp_responder_timeout; BOOL ocsp_use_request_nonce; + apr_uri_t *proxy_uri; #ifdef HAVE_SSL_CONF_CMD SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */ @@ -764,6 +765,7 @@ const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); +const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg); #ifdef HAVE_SSL_CONF_CMD const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index 9016040528..a00c273d89 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -27,7 +27,8 @@ /* Serialize an OCSP request which will be sent to the responder at * given URI to a memory BIO object, which is returned. */ -static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri) +static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri, + const apr_uri_t *proxy_uri) { BIO *bio; int len; @@ -36,7 +37,13 @@ static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri) bio = BIO_new(BIO_s_mem()); - BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n" + BIO_printf(bio, "POST "); + /* Use full URL instead of URI in case of a request through a proxy */ + if (proxy_uri) { + BIO_printf(bio, "http://%s:%d", + uri->hostname, uri->port); + } + BIO_printf(bio, "%s%s%s HTTP/1.0\r\n" "Host: %s:%d\r\n" "Content-Type: application/ocsp-request\r\n" "Content-Length: %d\r\n" 
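Review bot: The absolute-form request line added in serialize_request is built from `uri->hostname` and `uri->port`, whereas `uri->hostinfo` holds the authority as it appeared in the URL; if I read apr_uri_parse right it strips the brackets of an IPv6 literal into `hostname`, so the request-target would come out as `http://::1:80/…` (constructed example), which a proxy will reject or misroute, while the same pair in the pre-existing Host header has carried that limitation all along. If IPv6 responders matter, build the authority from `uri->hostinfo` and append `uri->port` only when `uri->port_str` is NULL. Independently, the function's header comment ("Serialize an OCSP request which will be sent to the responder at given URI…") predates the new parameter and should state that `proxy_uri` acts only as a switch: when non-NULL the request-target becomes the responder's absolute `http://host:port` URL as a proxy expects, and nothing from `proxy_uri` itself is written into the request. serialize_request continues past the end of this hunk.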
@@ -58,25 +65,38 @@ static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri) * NULL on error. */ static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, apr_interval_time_t timeout, - conn_rec *c, apr_pool_t *p) + conn_rec *c, apr_pool_t *p, + const apr_uri_t *proxy_uri) { apr_status_t rv; apr_sockaddr_t *sa; apr_socket_t *sd; char buf[HUGE_STRING_LEN]; int len; + const apr_uri_t *next_hop_uri; + + if (proxy_uri) { + next_hop_uri = proxy_uri; + } + else { + next_hop_uri = uri; + } - rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p); + rv = apr_sockaddr_info_get(&sa, next_hop_uri->hostname, APR_UNSPEC, + next_hop_uri->port, 0, p); if (rv) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972) - "could not resolve address of OCSP responder %s", - uri->hostinfo); + "could not resolve address of %s %s", + proxy_uri ? "proxy" : "OCSP responder", + next_hop_uri->hostinfo); return NULL; } /* establish a connection to the OCSP responder */ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973) - "connecting to OCSP responder '%s'", uri->hostinfo); + "connecting to %s '%s'", + proxy_uri ? "proxy" : "OCSP responder", + uri->hostinfo); /* Cycle through address until a connect() succeeds. */ for (; sa; sa = sa->next) { @@ -94,8 +114,9 @@ static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, if (sa == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974) - "could not connect to OCSP responder '%s'", - uri->hostinfo); + "could not connect to %s '%s'", + proxy_uri ? "proxy" : "OCSP responder", + next_hop_uri->hostinfo); return NULL; } 
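Review bot: The debug message at APLOGNO(01973) still logs `uri->hostinfo`, while the two error messages in this function — the resolve failure in the same hunk and the connect failure at APLOGNO(01974) in the next — were switched to `next_hop_uri->hostinfo`; with a proxy configured it therefore prints "connecting to proxy 'responder-host:port'", naming the wrong endpoint exactly when an operator is trying to confirm that OCSP traffic really leaves via the proxy. Change the last argument to `next_hop_uri->hostinfo);`. The context comment `/* establish a connection to the OCSP responder */` two lines above is likewise only true for the direct case; `/* establish a connection to the proxy, or directly to the OCSP responder */` would match the new code. send_request's body runs past the end of this hunk (the connect loop and the APLOGNO(01974) failure path follow in the next one).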
@@ -289,8 +310,10 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, OCSP_RESPONSE *response = NULL; apr_socket_t *sd; BIO *bio; + const apr_uri_t *proxy_uri; - bio = serialize_request(request, uri); + proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri; + bio = serialize_request(request, uri, proxy_uri); if (bio == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989) "could not serialize OCSP request"); @@ -298,7 +321,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_request(const apr_uri_t *uri, return NULL; } - sd = send_request(bio, uri, timeout, c, p); + sd = send_request(bio, uri, timeout, c, p, proxy_uri); if (sd == NULL) { /* Errors already logged. */ BIO_free(bio); -- 2.40.0
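Review bot: The lookup `proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri;` in modssl_dispatch_ocsp_request is the one place that decides whether an OCSP query goes direct or through the proxy, yet nothing at the two call sites says that NULL means "direct"; a comment such as `/* NULL unless SSLOCSPProxyURL is set for this vhost; send_request then connects to the proxy and serialize_request emits an absolute-form request line */` would save the next reader a trip through two other files. The parentheses around `mySrvConfigFromConn(c)` are redundant and unlike the surrounding code; `proxy_uri = mySrvConfigFromConn(c)->server->proxy_uri;` reads like the rest of the module. The function's own header comment lies before this hunk and should also mention the configurable hop, so that anyone reviewing the stapling or peer-verification paths that end up here knows the responder may not be contacted directly.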