From: Yann Ylavic Date: Wed, 2 Apr 2014 17:21:28 +0000 (+0000) Subject: mod_ssl: follow up to r1583191. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=217ca7e044f0a7e683891ecc9befd3e12ee78dc8;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl: follow up to r1583191. New SSLOCSPUseRequestNonce directive's manual and CHANGES. Non functional code changes (modssl_ctx_t's field ocsp_use_request_nonce grouped with other OCSP ones, nested if turned to a single AND condition). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1584098 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index fdce3eb3668..6c6e5ef6a6f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 
 Changes with Apache 2.5.0
 
+ *) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
+ OCSP requests should use a nonce to be checked against the responder's
+ one. PR 56233. [ Yann Ylavic ]
+
 *) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests under
 the Event MPM. PR56216. [Frank Meier ]
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index dd3c0d40ba2..004a208213d 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2277,6 +2277,23 @@ which means that OCSP responses are considered valid as long as their + +SSLOCSPUseRequestNonce +Use a nonce within OCSP queries +SSLOCSPUseRequestNonce on|off +SSLOCSPUseRequestNonce on +server config +virtual host +Available in httpd 2.4.10 and later, if using OpenSSL 0.9.7 or later + +

This option determines whether queries to OCSP responders should contain +a nonce or not. By default, a query nonce is always used and checked against +the response's one. When the responder does not use nonces (eg. Microsoft OCSP +Responder), this option ought to be turned off.

+
+
+ SSLInsecureRenegotiation Option to enable support for insecure renegotiation
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index 3992dff4b0a..27061f6cded 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -175,12 +175,11 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
 }
 
 if (rc == V_OCSP_CERTSTATUS_GOOD &&
- sc->server->ocsp_use_request_nonce != FALSE) {
- if (OCSP_check_nonce(request, basicResponse) != 1) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
- "Bad OCSP responder answer (bad nonce)");
- rc = V_OCSP_CERTSTATUS_UNKNOWN;
- }
+ sc->server->ocsp_use_request_nonce != FALSE &&
+ OCSP_check_nonce(request, basicResponse) != 1) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
+ "Bad OCSP responder answer (bad nonce)");
+ rc = V_OCSP_CERTSTATUS_UNKNOWN;
 }
 
 if (rc == V_OCSP_CERTSTATUS_GOOD) {
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 318a159a4f0..e19ec1ca3b4 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -610,11 +610,12 @@ typedef struct {
 long ocsp_resptime_skew;
 long ocsp_resp_maxage;
 apr_interval_time_t ocsp_responder_timeout;
+ int ocsp_use_request_nonce;
+
 #ifdef HAVE_SSL_CONF_CMD
 SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
 apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
 #endif
- int ocsp_use_request_nonce;
 } modssl_ctx_t;
 
 struct SSLSrvConfigRec {
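Review bot: The merged condition in the new `if` does not tell the reader that `OCSP_check_nonce(request, basicResponse) != 1` rejects not only a mismatched nonce but also a response that carries no nonce at all (OpenSSL returns a value other than 1 there), which is exactly the responder behaviour the new SSLOCSPUseRequestNonce directive exists to tolerate; a comment above the condition such as `/* != 1 also rejects a response that echoes no nonce back; SSLOCSPUseRequestNonce off skips the check */` would save the next maintainer a trip to the OpenSSL manual. Because the same `Bad OCSP responder answer (bad nonce)` message is logged for both outcomes, an operator hitting the no-nonce case cannot distinguish it from a genuinely bad reply, so including OCSP_check_nonce's return value in the log line (one added `%d` argument) would make the directive's purpose discoverable from the log. The `!= FALSE` comparison presumably treats an unset, not-yet-merged value as on, matching the documented default; that is worth stating in the same comment. verify_ocsp_status both starts and ends outside this hunk.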
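Review bot: `ocsp_use_request_nonce` is moved next to the other OCSP fields but, unlike the neighbouring `ssl_ctx_config`/`ssl_ctx_param` lines, still carries no comment, and nothing at the declaration says that ssl_engine_ocsp.c tests it with `!= FALSE` (so any non-FALSE value, presumably including an unset one, enables the nonce). A trailing comment would capture that, e.g. `int ocsp_use_request_nonce; /* SSLOCSPUseRequestNonce: FALSE disables the nonce check, anything else enables it */`. The enclosing modssl_ctx_t typedef begins above this hunk.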