Commit 7c64b2e4 authored by Yann Ylavic's avatar Yann Ylavic

Merge r1826995, r1827001 from trunk:

Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a
certificate chain. PR62112 [Ricardo Martin Camarero <rickyepoderi yahoo.es>] 

Fixed OCSPEnable to keep accepting "off", not "none".

Submitted by: icing
Reviewedby: icing, ylavic, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1834089 13f79535-47bb-0310-9956-ffa450edef68
parent e6223f9d
+4 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.4.34

  *) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
     of a certificate chain.  PR62112.
     [Ricardo Martin Camarero <rickyepoderi yahoo.es>]

  *) http: Fix small memory leak per request when handling persistent
     connections.  [Ruediger Pluem, Joe Orton]

+4 −2
@@ -2298,16 +2298,18 @@ SSLCryptoDevice ubsec
<directivesynopsis>
<name>SSLOCSPEnable</name>
<description>Enable OCSP validation of the client certificate chain</description>
<syntax>SSLOCSPEnable on|off</syntax>
<syntax>SSLOCSPEnable on|leaf|off</syntax>
<default>SSLOCSPEnable off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Mode <em>leaf</em> available in httpd 2.4.34 and later</compatibility>

<usage>
<p>This option enables OCSP validation of the client certificate
chain.  If this option is enabled, certificates in the client's
certificate chain will be validated against an OCSP responder after
normal verification (including CRL checks) have taken place.</p>
normal verification (including CRL checks) have taken place. In 
mode 'leaf', only the client certificate itself will be validated.</p>

<p>The OCSP responder used is either extracted from the certificate
itself, or derived by configuration; see the
+2 −2
@@ -243,8 +243,8 @@ static const command_rec ssl_config_cmds[] = {
                "request body if a per-location SSL renegotiation is required due to "
                "changed access control requirements")

    SSL_CMD_SRV(OCSPEnable, FLAG,
               "Enable use of OCSP to verify certificate revocation ('on', 'off')")
    SSL_CMD_SRV(OCSPEnable, RAW_ARGS,
               "Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off')")
    SSL_CMD_SRV(OCSPDefaultResponder, TAKE1,
               "URL of the default OCSP Responder")
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
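Review bot: The new help string lists only the modes 'on', 'leaf' and 'off', while the parser this RAW_ARGS directive now feeds (ssl_cmd_ocspcheck_parse in the ssl_engine_config.c hunk) also accepts a trailing `no_ocsp_for_cert_ok` word, and neither the help text nor the docs hunk mentions it. Either extend the string, e.g. `"Enable use of OCSP to verify certificate revocation mode ('on', 'leaf', 'off') [no_ocsp_for_cert_ok]"`, or document the option in the manual so the discoverable syntax matches what is accepted. The command table continues outside the hunk.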
+43 −7
@@ -137,8 +137,8 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
    mctx->auth.verify_depth   = UNSET;
    mctx->auth.verify_mode    = SSL_CVERIFY_UNSET;

    mctx->ocsp_enabled        = FALSE;
    mctx->ocsp_force_default  = FALSE;
    mctx->ocsp_mask           = UNSET;
    mctx->ocsp_force_default  = UNSET;
    mctx->ocsp_responder      = NULL;
    mctx->ocsp_resptime_skew  = UNSET;
    mctx->ocsp_resp_maxage    = UNSET;
@@ -281,7 +281,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
    cfgMergeInt(auth.verify_depth);
    cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);

    cfgMergeBool(ocsp_enabled);
    cfgMergeInt(ocsp_mask);
    cfgMergeBool(ocsp_force_default);
    cfgMerge(ocsp_responder, NULL);
    cfgMergeInt(ocsp_resptime_skew);
@@ -1681,11 +1681,46 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, void *dcfg,
    return NULL;
}

const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
static const char *ssl_cmd_ocspcheck_parse(cmd_parms *parms,
                                           const char *arg,
                                           int *mask)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *w;

    w = ap_getword_conf(parms->temp_pool, &arg);
    if (strcEQ(w, "off")) {
        *mask = SSL_OCSPCHECK_NONE;
    }
    else if (strcEQ(w, "leaf")) {
        *mask = SSL_OCSPCHECK_LEAF;
    }
    else if (strcEQ(w, "on")) {
        *mask = SSL_OCSPCHECK_CHAIN;
    }
    else {
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
                           ": Invalid argument '", w, "'",
                           NULL);
    }

    while (*arg) {
        w = ap_getword_conf(parms->temp_pool, &arg);
        if (strcEQ(w, "no_ocsp_for_cert_ok")) {
            *mask |= SSL_OCSPCHECK_NO_OCSP_FOR_CERT_OK;
        }
        else {
            return apr_pstrcat(parms->temp_pool, parms->cmd->name,
                               ": Invalid argument '", w, "'",
                               NULL);
        }
    }

    return NULL;
}

    sc->server->ocsp_enabled = flag ? TRUE : FALSE;
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

#ifdef OPENSSL_NO_OCSP
    if (flag) {
@@ -1694,7 +1729,7 @@ const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag)
    }
#endif

    return NULL;
    return ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);
}

const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag)
@@ -2073,3 +2108,4 @@ void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
    }

}
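Review bot: Under OPENSSL_NO_OCSP the guard `if (flag) {` at the top of ssl_cmd_SSLOCSPEnable still references `flag`, but the new signature replaces that parameter with `const char *arg`, so as far as the hunk shows that build configuration no longer compiles (the line is printed once with no replacement, so it appears to be unchanged context). The check should instead run the parser and reject any resulting mode other than off, which keeps `SSLOCSPEnable off` accepted on OCSP-less builds. The error-message return between the two hunks is not visible here, so it is left as a placeholder below.
```c
const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    const char *err = ssl_cmd_ocspcheck_parse(cmd, arg, &sc->server->ocsp_mask);

#ifdef OPENSSL_NO_OCSP
    if (!err && sc->server->ocsp_mask != SSL_OCSPCHECK_NONE) {
        /* … unchanged: "OCSP support disabled" error return … */
    }
#endif

    return err;
}
```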
+4 −0
@@ -902,6 +902,10 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
    char *cfgp = mctx->pkp ? "SSLProxy" : "SSL";
    int crl_check_mode;

    if (mctx->ocsp_mask == UNSET) {
        mctx->ocsp_mask = SSL_OCSPCHECK_NONE;
    }

    if (mctx->crl_check_mask == UNSET) {
        mctx->crl_check_mask = SSL_CRLCHECK_NONE;
    }
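Review bot: ocsp_force_default is now initialised to UNSET in modssl_ctx_init (see the ssl_engine_config.c hunk) but, unlike ocsp_mask, it is not resolved to a concrete value here. If UNSET is non-zero in this module, as I believe it is, any consumer that tests the field as a plain boolean would treat an unconfigured server as forcing the default responder; the consumer's test is not visible on this page, so this needs confirming. Adding `if (mctx->ocsp_force_default == UNSET) { mctx->ocsp_force_default = FALSE; }` next to the ocsp_mask resolution would make the default explicit. ssl_init_ctx_crl continues outside the hunk.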