author | Stefan Eissing <icing@apache.org> | 2018-03-16 16:25:08 +0100 |
---|---|---|
committer | Stefan Eissing <icing@apache.org> | 2018-03-16 16:25:08 +0100 |
commit | 1184290ddd8193558cf9932fee36b7d550554279 (patch) | |
tree | 74de39d11e6171a5cb2a2a3d2807d16464ab10bc /modules/ssl/ssl_engine_config.c | |
parent | mod_md: Fix compilation with OpenSSL before version 1.0.2. (diff) | |
Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi@yahoo.es>]
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1826995 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/ssl/ssl_engine_config.c')
-rw-r--r-- | modules/ssl/ssl_engine_config.c | 49 |
1 files changed, 42 insertions, 7 deletions
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 66bb74aeec..686a44aac5 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -141,7 +141,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->auth.verify_depth = UNSET;
     mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
 
-    mctx->ocsp_enabled = UNSET;
+    mctx->ocsp_mask = UNSET;
     mctx->ocsp_force_default = UNSET;
     mctx->ocsp_responder = NULL;
     mctx->ocsp_resptime_skew = UNSET;
@@ -288,7 +288,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeInt(auth.verify_depth);
     cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
 
-    cfgMergeBool(ocsp_enabled);
+    cfgMergeInt(ocsp_mask);
     cfgMergeBool(ocsp_force_default);
     cfgMerge(ocsp_responder, NULL);
     cfgMergeInt(ocsp_resptime_skew);
@@ -1965,11 +1965,46 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,
     return NULL;
 }
 
-const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
+static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
+                                           const char *arg,
+                                           int *mask)
 {
-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    const char *w;
+
+    w = ap_getword_conf(parms->temp_pool, &arg);
+    if (strcEQ(w, "none")) {
+        *mask = SSL_OCSPCHECK_NONE;
+    }
+    else if (strcEQ(w, "leaf")) {
+        *mask = SSL_OCSPCHECK_LEAF;
+    }
+    else if (strcEQ(w, "on")) {
+        *mask = SSL_OCSPCHECK_CHAIN;
+    }
+    else {
+        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
+                           ": Invalid argument '", w, "'",
+                           NULL);
+    }
+
+    while (*arg) {
+        w = ap_getword_conf(parms->temp_pool, &arg);
+        if (strcEQ(w, "no_ocsp_for_cert_ok")) {
+            *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
+        }
+        else {
+            return apr_pstrcat(parms->temp_pool, parms->cmd->name,
+                               ": Invalid argument '", w, "'",
+                               NULL);
+        }
+    }
 
-    sc->server->ocsp_enabled = flag ? TRUE : FALSE;
+    return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 
 #ifdef OPENSSL_NO_OCSP
     if (flag) {
@@ -1978,7 +2013,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
     }
 #endif
 
-    return NULL;
+    return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
 }
 
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
@@ -2703,7 +2738,7 @@ static void modssl_ctx_dump(modssl_ctx_t *ctx, apr_pool_t *p, int proxy,
     DMP_STRING("SSLSRPUnknownUserSeed", ctx->srp_unknown_user_seed);
     DMP_STRING("SSLSRPVerifierFile", ctx->srp_vfile);
 #endif
-    DMP_ON_OFF("SSLOCSPEnable", ctx->ocsp_enabled);
+    DMP_LONG( "SSLOCSPEnable", ctx->ocsp_mask);
     DMP_ON_OFF("SSLOCSPOverrideResponder", ctx->ocsp_force_default);
     DMP_STRING("SSLOCSPDefaultResponder", ctx->ocsp_responder);
     DMP_LONG( "SSLOCSPResponseTimeSkew", ctx->ocsp_resptime_skew);
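Review bot: The unchanged context line `if (flag) {` at the end of this hunk now refers to a parameter that the new `ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)` signature no longer has, so any build with `OPENSSL_NO_OCSP` defined fails to compile; the body of that `#ifdef` block and the rest of the function lie outside this hunk, in the next one. The parse also writes straight through `&sc->server->ocsp_mask`, so a directive rejected in the flag loop (`SSLOCSPEnable on bogus`) leaves a partially-set mask behind, and the accepted keyword for disabling is `none` while the previous `AP_INIT_FLAG` form accepted `off` — existing `SSLOCSPEnable off` configurations would presumably now be rejected with "Invalid argument 'off'", unless the command table in mod_ssl.c handles that (not visible here). I would parse into a local, evaluate the no-OCSP build check against the parsed mode rather than the removed `flag`, and only then store; accepting `off` as a synonym for `none` in `ssl_cmd_ocspcheck_parse` (`if (strcEQ(w, "none") || strcEQ(w, "off"))`) keeps old configurations loading.
```c
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    int mask = SSL_OCSPCHECK_NONE;
    const char *err = ssl_cmd_ocspcheck_parse(cmd, arg, &mask);

    if (err) {
        return err;
    }
#ifdef OPENSSL_NO_OCSP
    if (mask != SSL_OCSPCHECK_NONE) {
        /* … unchanged: existing "OCSP support disabled" error return … */
    }
#endif
    sc->server->ocsp_mask = mask;
    return NULL;
}
```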