# ====
#
}
-
- #
- # ### OCSP Configuration
- #
- # Certificates can be verified against an OCSP Responder.
- # This makes it possible to immediately revoke certificates without
- # the distribution of new Certificate Revocation Lists (CRLs).
- #
- # In addition to the configuration items below, the behaviour of
- # OCSP can be altered by runtime attributes.
- #
- # If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will
- # be added after OCSP completes. One of the following values will
- # be set:
- #
- # [options="header,autowidth"]
- # |===
- # | Value | Description
- # | no | OCSP responder indicated the certificate is not valid.
- # | yes | OCSP responder indicated the certificate is valid.
- # | skipped | OCSP checks were skipped.
- # |===
- #
- # If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update`
- # attribute will also be added. The value of this will attribute
- # be the number of seconds until the certificate state need be refreshed.
- # This can be used as a `Cache-TTL` value if you wish to use the cache
- # module to store OCSP certificate validation status.
- #
- # If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid`
- # attribute is present, its value will force the outcome of the OCSP
- # check, and the OCSP responder will not be contacted.
- # Values map to the following OCSP responses:
- #
- # [options="header,autowidth"]
- # |===
- # | Value | Description
- # | no | Invalid.
- # | yes | Valid.
- # | skipped | If `softfail = yes` value else invalid.
- # |===
- #
- ocsp {
- #
- # enable::
- #
- # Deleting the entire `ocsp` subsection also disables ocsp checking.
- #
- # Default is `no`.
- #
-# enable = no
-
- #
- # virtual_server::
- #
- # OCSP checks are performed immediately after the
- # complete certificate is received from the supplicant,
- # and directly after the attributes from that
- # certificate are inserted into the request.
- #
- # In order to retrieve cached OCSP states, a virtual
- # server must be defined here.
- #
- # See `raddb/sites-available/tls-cache` for details.
- #
-# virtual_server = 'tls-cache'
-
- #
- # override_cert_url::
- #
- # The OCSP Responder URL can be automatically extracted
- # from the certificate in question. To override the
- # OCSP Responder URL set `override_cert_url = yes`.
- #
- override_cert_url = yes
-
- #
- # url::
- #
- # If the OCSP Responder address is not extracted from
- # the certificate, the URL can be defined here.
- #
- url = "http://127.0.0.1/ocsp/"
-
- #
- # use_nonce::
- #
- # If the OCSP Responder can not cope with nonce in the
- # request, then it can be disabled here.
- #
- # [WARNING]
- # ====
- # * For security reasons, disabling this option is not
- # recommended as nonce protects against replay attacks.
- #
- # * Microsoft AD Certificate Services OCSP
- # Responder does not enable nonce by default. It is more
- # secure to enable nonce on the responder than to
- # disable it in the query here.
- #
- # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
- # ====
- #
-# use_nonce = yes
-
- #
- # timeout::
- #
- # Number of seconds before giving up waiting for OCSP
- # response.
- #
- # Default is `0`.
- #
-# timeout = 0
-
- #
- # softfail::
- #
- # Normally an error in querying the OCSP responder (no
- # response from server, server did not understand the
- # request, etc) will result in a validation failure.
- #
- # To treat these errors as `soft` failures and still
- # accept the certificate, enable this option.
- #
- # WARNING: this may enable clients with revoked
- # certificates to connect if the OCSP responder is not
- # available. *Use with caution*.
- #
-# softfail = no
- }
-
- #
- # ### OCSP stapling for server certificates
- #
- # If requested, we query either the server listed below (as url),
- # or the one specified in our server certificate, to retrieve an
- # OCSP response to pass back to the TLS client.
- #
- # staple { ... }::
- #
- # This allows TLS clients to check for certificate revocation before
- # divulging credentials to a (possibly rogue) server, that may be
- # presenting a compromised certificate.
- #
- staple {
- #
- # enable::
- #
- # Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking.
- #
- # Default is `no`.
- #
-# enable = no
-
- #
- # virtual_server::
- #
- # OCSP checks are performed whenever a TLS client includes
- # an OCSP stapling extension.
- #
- # In order to retrieve cached OCSP staples, a virtual
- # server must be defined here.
- #
- # The same virtual server can be used for caching
- # client OCSP response states, and stapling information.
- #
- # See `raddb/sites-available/tls-cache` for details.
- #
-# virtual_server = 'tls-cache'
-
- #
- # override_cert_url::
- #
- # The OCSP Responder URL can be automatically extracted
- # from the certificate in question. To override the
- # OCSP Responder URL set `override_cert_url = yes`.
- #
- override_cert_url = yes
-
- #
- # url::
- #
- # If the OCSP Responder address is not extracted from
- # the certificate, the URL can be defined here.
- #
- url = "http://127.0.0.1/ocsp/"
-
- #
- # use_nonce::
- #
- # If the OCSP Responder can not cope with nonce in the
- # request, then it can be disabled here.
- #
- # [WARNING]
- # ====
- # * For security reasons, disabling this option is not
- # recommended as nonce protects against replay attacks.
- #
- # * Microsoft AD Certificate Services OCSP
- # Responder does not enable nonce by default. It is more
- # secure to enable nonce on the responder than to
- # disable it in the query here. See
- # http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
- # ====
- #
-# use_nonce = yes
-
- #
- # Number of seconds before giving up waiting for OCSP
- # response.
- #
- # Default is `0`.
- #
-# timeout = 0
-
- #
- # softfail::
- #
- # Normally if we can't query the OCSP Responder
- # we issue a fatal alert, and abort. Set this to `true`
- # to allow the session to continue without an OCSP
- # stapling response being sent to the TLS client.
- #
-# softfail = no
- }
}
#
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(eap_session->identity));
-#ifdef HAVE_OPENSSL_OCSP_H
- SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store);
-#endif
return eap_tls_session;
}
ctx.c \
engine.c \
log.c \
- ocsp.c \
pairs.c \
session.c \
utils.c \
int fr_tls_dict_init(void);
-/*
- * tls/ocsp.c
- */
-int fr_tls_ocsp_staple_cb(SSL *ssl, void *data);
-
-int fr_tls_ocsp_check(request_t *request, SSL *ssl,
- X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
- fr_tls_ocsp_conf_t *conf, bool staple_response);
-
-int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
-
-int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
-
/*
* tls/utils.c
*/
extern "C" {
#endif
-#ifdef HAVE_OPENSSL_OCSP_H
-/** OCSP Configuration
- *
- */
-typedef struct {
- bool enable; //!< Enable OCSP checks
- char const *cache_server; //!< Virtual server to restore retrieved OCSP status.
- bool override_url; //!< Always use the configured OCSP URL even if the
- //!< certificate contains one.
- char const *url;
- bool use_nonce;
- X509_STORE *store;
- uint32_t timeout;
- bool softfail;
-
-
- fr_tls_cache_t cache; //!< Cached cache section pointers. Means we don't have
- ///< to look them up at runtime.
-} fr_tls_ocsp_conf_t;
-#endif
-
/** Different chain building modes
*
*/
bool require_client_cert;
-#ifdef HAVE_OPENSSL_OCSP_H
- fr_tls_ocsp_conf_t ocsp; //!< Configuration for validating client certificates
- //!< with ocsp.
- fr_tls_ocsp_conf_t staple; //!< Configuration for validating server certificates
- //!< with ocsp.
-#endif
-
#ifndef OPENSSL_NO_ECDH
char const *ecdh_curve;
#endif
{ FR_CONF_OFFSET("cache", FR_TYPE_SUBSECTION, fr_tls_conf_t, cache), .subcs = (void const *) cache_config },
-#ifdef HAVE_OPENSSL_OCSP_H
- { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config },
-
- { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config },
-#endif
+ { FR_CONF_DEPRECATED("verify", FR_TYPE_SUBSECTION, fr_tls_conf_t, NULL) },
CONF_PARSER_TERMINATOR
};
* added to automatically free the data when the CONF_SECTION
* is freed.
*/
-static int _conf_server_free(
-#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
- UNUSED
-#endif
- fr_tls_conf_t *conf)
+static int _conf_server_free(fr_tls_conf_t *conf)
{
-#ifdef HAVE_OPENSSL_OCSP_H
- if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
- conf->ocsp.store = NULL;
- if (conf->staple.store) X509_STORE_free(conf->staple.store);
- conf->staple.store = NULL;
-#endif
-
-#ifndef NDEBUG
memset(conf, 0, sizeof(*conf));
-#endif
return 0;
}
if (conf_cert_admin_password(conf) < 0) goto error;
#endif
-#ifdef HAVE_OPENSSL_OCSP_H
- /*
- * @fixme: This is all pretty terrible.
- * The stores initialized here are for validating
- * OCSP responses. They have nothing to do with
- * verifying other certificates.
- */
-
- /*
- * Initialize OCSP Revocation Store
- */
- if (conf->ocsp.enable) {
- conf->ocsp.store = conf_ocsp_revocation_store(conf);
- if (conf->ocsp.store == NULL) goto error;
- }
-
- if (conf->staple.enable) {
- conf->staple.store = conf_ocsp_revocation_store(conf);
- if (conf->staple.store == NULL) goto error;
- }
-#endif /*HAVE_OPENSSL_OCSP_H*/
-
/*
* Ensure our virtual server contains the
* correct sections for the specified
fr_rand_buffer(conf->cache.session_ticket_key_rand, sizeof(conf->cache.session_ticket_key_rand));
}
-#ifdef HAVE_OPENSSL_OCSP_H
- if (conf->ocsp.cache_server) {
- CONF_SECTION *server_cs;
-
- server_cs = virtual_server_find(conf->ocsp.cache_server);
- if (!server_cs) {
- ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
- goto error;
- }
-
- if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error;
- }
-
- if (conf->staple.cache_server) {
- CONF_SECTION *server_cs;
-
- server_cs = virtual_server_find(conf->staple.cache_server);
- if (!server_cs) {
- ERROR("No such virtual server '%s'", conf->staple.cache_server);
- goto error;
- }
-
- if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error;
- }
-#endif
-
/*
* Cache conf in cs in case we're asked to parse this again.
*/
}
} /* check_cert_cn */
-#ifdef HAVE_OPENSSL_OCSP_H
- /*
- * Do OCSP last, so we have the complete set of attributes
- * available for the virtual server.
- *
- * Fixme: Do we want to store the matching TLS-Client-cert-Filename?
- */
- if (my_ok && conf->ocsp.enable){
- X509 *issuer_cert;
-
- RDEBUG2("Starting OCSP Request");
-
- /*
- * If we don't have an issuer, then we can't send
- * and OCSP request, but pass the NULL issuer in
- * so fr_tls_ocsp_check can decide on the correct
- * return code.
- */
- issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
- my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
- }
-#endif
-
/*
* If we have a client certificate, cache whether or not
* we validated it.
--- /dev/null
+#ifdef HAVE_OPENSSL_OCSP_H
+ { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config },
+
+ { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config },
+#endif
+
+#ifdef HAVE_OPENSSL_OCSP_H
+ if (conf->ocsp.cache_server) {
+ CONF_SECTION *server_cs;
+
+ server_cs = virtual_server_find(conf->ocsp.cache_server);
+ if (!server_cs) {
+ ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
+ goto error;
+ }
+
+ if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error;
+ }
+
+ if (conf->staple.cache_server) {
+ CONF_SECTION *server_cs;
+
+ server_cs = virtual_server_find(conf->staple.cache_server);
+ if (!server_cs) {
+ ERROR("No such virtual server '%s'", conf->staple.cache_server);
+ goto error;
+ }
+
+ if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error;
+ }
+#endif
+
+#ifdef HAVE_OPENSSL_OCSP_H
+ /*
+ * @fixme: This is all pretty terrible.
+ * The stores initialized here are for validating
+ * OCSP responses. They have nothing to do with
+ * verifying other certificates.
+ */
+
+ /*
+ * Initialize OCSP Revocation Store
+ */
+ if (conf->ocsp.enable) {
+ conf->ocsp.store = conf_ocsp_revocation_store(conf);
+ if (conf->ocsp.store == NULL) goto error;
+ }
+
+ if (conf->staple.enable) {
+ conf->staple.store = conf_ocsp_revocation_store(conf);
+ if (conf->staple.store == NULL) goto error;
+ }
+#endif /*HAVE_OPENSSL_OCSP_H*/
+
+
+static int _conf_server_free(
+#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
+ UNUSED
+#endif
+ fr_tls_conf_t *conf)
+{
+#ifdef HAVE_OPENSSL_OCSP_H
+ if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
+ conf->ocsp.store = NULL;
+ if (conf->staple.store) X509_STORE_free(conf->staple.store);
+ conf->staple.store = NULL;
+#endif
+
+#ifndef NDEBUG
+ memset(conf, 0, sizeof(*conf));
+#endif
+ return 0;
+}
+
+/* Session init */
+#ifdef HAVE_OPENSSL_OCSP_H
+ SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store);
+#endif
+
+/* Validation checks */
+#ifdef HAVE_OPENSSL_OCSP_H
+ /*
+ * Do OCSP last, so we have the complete set of attributes
+ * available for the virtual server.
+ *
+ * Fixme: Do we want to store the matching TLS-Client-cert-Filename?
+ */
+ if (my_ok && conf->ocsp.enable){
+ X509 *issuer_cert;
+
+ RDEBUG2("Starting OCSP Request");
+
+ /*
+ * If we don't have an issuer, then we can't send
+ * and OCSP request, but pass the NULL issuer in
+ * so fr_tls_ocsp_check can decide on the correct
+ * return code.
+ */
+ issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
+ my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
+ }
+#endif
--- /dev/null
+
+
+ #
+ # ### OCSP Configuration
+ #
+ # Certificates can be verified against an OCSP Responder.
+ # This makes it possible to immediately revoke certificates without
+ # the distribution of new Certificate Revocation Lists (CRLs).
+ #
+ # In addition to the configuration items below, the behaviour of
+ # OCSP can be altered by runtime attributes.
+ #
+ # If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will
+ # be added after OCSP completes. One of the following values will
+ # be set:
+ #
+ # [options="header,autowidth"]
+ # |===
+ # | Value | Description
+ # | no | OCSP responder indicated the certificate is not valid.
+ # | yes | OCSP responder indicated the certificate is valid.
+ # | skipped | OCSP checks were skipped.
+ # |===
+ #
+ # If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update`
+ # attribute will also be added. The value of this will attribute
+ # be the number of seconds until the certificate state need be refreshed.
+ # This can be used as a `Cache-TTL` value if you wish to use the cache
+ # module to store OCSP certificate validation status.
+ #
+ # If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid`
+ # attribute is present, its value will force the outcome of the OCSP
+ # check, and the OCSP responder will not be contacted.
+ # Values map to the following OCSP responses:
+ #
+ # [options="header,autowidth"]
+ # |===
+ # | Value | Description
+ # | no | Invalid.
+ # | yes | Valid.
+ # | skipped | If `softfail = yes` value else invalid.
+ # |===
+ #
+ ocsp {
+ #
+ # enable::
+ #
+ # Deleting the entire `ocsp` subsection also disables ocsp checking.
+ #
+ # Default is `no`.
+ #
+# enable = no
+
+ #
+ # virtual_server::
+ #
+ # OCSP checks are performed immediately after the
+ # complete certificate is received from the supplicant,
+ # and directly after the attributes from that
+ # certificate are inserted into the request.
+ #
+ # In order to retrieve cached OCSP states, a virtual
+ # server must be defined here.
+ #
+ # See `raddb/sites-available/tls-cache` for details.
+ #
+# virtual_server = 'tls-cache'
+
+ #
+ # override_cert_url::
+ #
+ # The OCSP Responder URL can be automatically extracted
+ # from the certificate in question. To override the
+ # OCSP Responder URL set `override_cert_url = yes`.
+ #
+ override_cert_url = yes
+
+ #
+ # url::
+ #
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
+ #
+ url = "http://127.0.0.1/ocsp/"
+
+ #
+ # use_nonce::
+ #
+ # If the OCSP Responder can not cope with nonce in the
+ # request, then it can be disabled here.
+ #
+ # [WARNING]
+ # ====
+ # * For security reasons, disabling this option is not
+ # recommended as nonce protects against replay attacks.
+ #
+ # * Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is more
+ # secure to enable nonce on the responder than to
+ # disable it in the query here.
+ #
+ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ # ====
+ #
+# use_nonce = yes
+
+ #
+ # timeout::
+ #
+ # Number of seconds before giving up waiting for OCSP
+ # response.
+ #
+ # Default is `0`.
+ #
+# timeout = 0
+
+ #
+ # softfail::
+ #
+ # Normally an error in querying the OCSP responder (no
+ # response from server, server did not understand the
+ # request, etc) will result in a validation failure.
+ #
+ # To treat these errors as `soft` failures and still
+ # accept the certificate, enable this option.
+ #
+ # WARNING: this may enable clients with revoked
+ # certificates to connect if the OCSP responder is not
+ # available. *Use with caution*.
+ #
+# softfail = no
+ }
+
+ #
+ # ### OCSP stapling for server certificates
+ #
+ # If requested, we query either the server listed below (as url),
+ # or the one specified in our server certificate, to retrieve an
+ # OCSP response to pass back to the TLS client.
+ #
+ # staple { ... }::
+ #
+ # This allows TLS clients to check for certificate revocation before
+ # divulging credentials to a (possibly rogue) server, that may be
+ # presenting a compromised certificate.
+ #
+ staple {
+ #
+ # enable::
+ #
+ # Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking.
+ #
+ # Default is `no`.
+ #
+# enable = no
+
+ #
+ # virtual_server::
+ #
+ # OCSP checks are performed whenever a TLS client includes
+ # an OCSP stapling extension.
+ #
+ # In order to retrieve cached OCSP staples, a virtual
+ # server must be defined here.
+ #
+ # The same virtual server can be used for caching
+ # client OCSP response states, and stapling information.
+ #
+ # See `raddb/sites-available/tls-cache` for details.
+ #
+# virtual_server = 'tls-cache'
+
+ #
+ # override_cert_url::
+ #
+ # The OCSP Responder URL can be automatically extracted
+ # from the certificate in question. To override the
+ # OCSP Responder URL set `override_cert_url = yes`.
+ #
+ override_cert_url = yes
+
+ #
+ # url::
+ #
+ # If the OCSP Responder address is not extracted from
+ # the certificate, the URL can be defined here.
+ #
+ url = "http://127.0.0.1/ocsp/"
+
+ #
+ # use_nonce::
+ #
+ # If the OCSP Responder can not cope with nonce in the
+ # request, then it can be disabled here.
+ #
+ # [WARNING]
+ # ====
+ # * For security reasons, disabling this option is not
+ # recommended as nonce protects against replay attacks.
+ #
+ # * Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is more
+ # secure to enable nonce on the responder than to
+ # disable it in the query here. See
+ # http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ # ====
+ #
+# use_nonce = yes
+
+ #
+ # Number of seconds before giving up waiting for OCSP
+ # response.
+ #
+ # Default is `0`.
+ #
+# timeout = 0
+
+ #
+ # softfail::
+ #
+ # Normally if we can't query the OCSP Responder
+ # we issue a fatal alert, and abort. Set this to `true`
+ # to allow the session to continue without an OCSP
+ # stapling response being sent to the TLS client.
+ #
+# softfail = no
+ }
--- /dev/null
+/** OCSP Configuration
+ *
+ */
+typedef struct {
+ bool enable; //!< Enable OCSP checks
+ char const *cache_server; //!< Virtual server to restore retrieved OCSP status.
+ bool override_url; //!< Always use the configured OCSP URL even if the
+ //!< certificate contains one.
+ char const *url;
+ bool use_nonce;
+ X509_STORE *store;
+ uint32_t timeout;
+ bool softfail;
+
+
+ fr_tls_cache_t cache; //!< Cached cache section pointers. Means we don't have
+ ///< to look them up at runtime.
+} fr_tls_ocsp_conf_t;
+
+#ifdef HAVE_OPENSSL_OCSP_H
+ fr_tls_ocsp_conf_t ocsp; //!< Configuration for validating client certificates
+ //!< with ocsp.
+ fr_tls_ocsp_conf_t staple; //!< Configuration for validating server certificates
+ //!< with ocsp.
+#endif
+
+/*
+ * tls/ocsp.c
+ */
+int fr_tls_ocsp_staple_cb(SSL *ssl, void *data);
+
+int fr_tls_ocsp_check(request_t *request, SSL *ssl,
+ X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
+ fr_tls_ocsp_conf_t *conf, bool staple_response);
+
+int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
+
+int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);