From jor...@apache.org
Subject svn commit: r1059917 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_ocsp.c modules/ssl/ssl_private.h
Date Mon, 17 Jan 2011 13:27:04 GMT
Author: jorton
Date: Mon Jan 17 13:27:03 2011
New Revision: 1059917

URL: http://svn.apache.org/viewvc?rev=1059917&view=rev
Log:
* modules/ssl/ssl_engine_config.c, modules/ssl/ssl_private.h: Add
  config hooks for OCSP response time skew, maximum age, timeout.

* modules/ssl/ssl_engine_ocsp.c (verify_ocsp_status): Respect
  config settings for above.

* docs/: Update accordingly.

Submitted by: Kaspar Brand <httpd-dev.2011 velox.ch>

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Jan 17 13:27:03 2011
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.3.11
 
+  *) mod_ssl: Add config options for OCSP: SSLOCSPResponderTimeout,
+     SSLOCSPResponseMaxAge, SSLOCSPResponseTimeSkew.  
+     [Kaspar Brand <httpd-dev.2011 velox.ch>]
+
   *) mod_ssl: Revamp output buffering to reduce network overhead for
      output fragmented into many buckets, such as chunked HTTP responses.
      [Joe Orton] 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Jan 17 13:27:03 2011
@@ -1856,6 +1856,53 @@ certificate being validated references a
 </directivesynopsis>
 
 <directivesynopsis>
+<name>SSLOCSPResponseTimeSkew</name>
+<description>Maximum allowable time skew for OCSP response validation</description>
+<syntax>SSLOCSPResponseTimeSkew <em>seconds</em></syntax>
+<default>SSLOCSPResponseTimeSkew 300</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable time skew for OCSP responses
+(when checking their <code>thisUpdate</code> and <code>nextUpdate</code>
fields).</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPResponseMaxAge</name>
+<description>Maximum allowable age for OCSP responses</description>
+<syntax>SSLOCSPResponseMaxAge <em>seconds</em></syntax>
+<default>SSLOCSPResponseMaxAge -1</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the maximum allowable age ("freshness") for OCSP responses.
+The default value (<code>-1</code>) does not enforce a maximum age,
+which means that OCSP responses are considered valid as long as their
+<code>nextUpdate</code> field is in the future.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
+<name>SSLOCSPResponderTimeout</name>
+<description>Timeout for OCSP queries</description>
+<syntax>SSLOCSPResponderTimeout <em>seconds</em></syntax>
+<default>SSLOCSPResponderTimeout 10</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</compatibility>
+
+<usage>
+<p>This option sets the timeout for queries to OCSP responders, when
+<directive module="mod_ssl">SSLOCSPEnable</directive> is turned on.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLInsecureRenegotiation</name>
 <description>Option to enable support for insecure renegotiation</description>
 <syntax>SSLInsecureRenegotiation <em>flag</em></syntax>

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Mon Jan 17 13:27:03 2011
@@ -197,6 +197,12 @@ static const command_rec ssl_config_cmds
                "URL of the default OCSP Responder")
     SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
                "Force use of the default responder URL ('on', 'off')")
+    SSL_CMD_SRV(OCSPResponseTimeSkew, TAKE1,
+                "Maximum time difference in OCSP responses")
+    SSL_CMD_SRV(OCSPResponseMaxAge, TAKE1,
+                "Maximum age of OCSP responses")
+    SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
+                "OCSP responder query timeout")
 
 #ifdef HAVE_OCSP_STAPLING
     /*
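Review bot: The help strings for the three new SSL_CMD_SRV entries omit the unit, even though each directive takes a count of seconds according to the manual text added elsewhere in this commit, so a reader of the directive help cannot tell whether `SSLOCSPResponderTimeout 10` means seconds or milliseconds. I would spell it out: `"Maximum time difference in OCSP responses (seconds)"`, `"Maximum age of OCSP responses (seconds)"`, `"OCSP responder query timeout (seconds)"`. The command table starts before and continues past this hunk.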

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Mon Jan 17 13:27:03 2011
@@ -130,6 +130,9 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->ocsp_enabled        = FALSE;
     mctx->ocsp_force_default  = FALSE;
     mctx->ocsp_responder      = NULL;
+    mctx->ocsp_resptime_skew  = UNSET;
+    mctx->ocsp_resp_maxage    = UNSET;
+    mctx->ocsp_responder_timeout = UNSET;
 
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled                   = UNSET;
@@ -243,6 +246,9 @@ static void modssl_ctx_cfg_merge(modssl_
     cfgMergeBool(ocsp_enabled);
     cfgMergeBool(ocsp_force_default);
     cfgMerge(ocsp_responder, NULL);
+    cfgMergeInt(ocsp_resptime_skew);
+    cfgMergeInt(ocsp_resp_maxage);
+    cfgMergeInt(ocsp_responder_timeout);
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1445,6 +1451,36 @@ const char *ssl_cmd_SSLOCSPDefaultRespon
     return NULL;
 }
 
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->ocsp_resptime_skew = atoi(arg);
+    if (sc->server->ocsp_resptime_skew < 0) {
+        return "SSLOCSPResponseTimeSkew: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->ocsp_resp_maxage = atoi(arg);
+    if (sc->server->ocsp_resp_maxage < 0) {
+        return "SSLOCSPResponseMaxAge: invalid argument";
+    }
+    return NULL;
+}
+
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->ocsp_responder_timeout = apr_time_from_sec(atoi(arg));
+    if (sc->server->ocsp_responder_timeout < 0) {
+        return "SSLOCSPResponderTimeout: invalid argument";
+    }
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
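Review bot: `ssl_cmd_SSLOCSPResponseMaxAge` rejects every negative value, but the manual page in this same commit documents `SSLOCSPResponseMaxAge -1` as the default meaning "no maximum age", so an administrator cannot write that value to switch the limit off in a virtual host that inherits a stricter setting from the main server. All three handlers also parse with `atoi`, which silently turns a mistyped or non-numeric argument (`3O0`, `10s`, `abc`) into 3, 10 or 0 instead of failing at startup — for the responder timeout that yields a zero-length timeout, for the skew a zero tolerance, and neither is caught by the `< 0` check. I would parse with strtol, reject trailing characters, and allow -1 only for the max-age directive (this needs <errno.h> if ssl_private.h does not already pull it in).
```c
/* Parse a decimal seconds argument; rejects trailing junk and any
 * value below `min`. Returns 1 on success, 0 on a bad argument. */
static int parse_seconds(const char *arg, long min, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || v < min) {
        return 0;
    }
    *out = v;
    return 1;
}

const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    /* -1 is documented as "no maximum age" and must stay settable. */
    if (!parse_seconds(arg, -1, &sc->server->ocsp_resp_maxage)) {
        return "SSLOCSPResponseMaxAge: invalid argument";
    }
    return NULL;
}

/* … SSLOCSPResponseTimeSkew: same pattern with min 0 … */

const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    long secs;

    if (!parse_seconds(arg, 0, &secs)) {
        return "SSLOCSPResponderTimeout: invalid argument";
    }
    sc->server->ocsp_responder_timeout = apr_time_from_sec(secs);
    return NULL;
}
```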

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c Mon Jan 17 13:27:03 2011
@@ -141,10 +141,10 @@ static int verify_ocsp_status(X509 *cert
 
     request = create_request(ctx, cert, &certID, s, pool);
     if (request) {
-        /* Use default I/O timeout for the server. */
-        response = modssl_dispatch_ocsp_request(ruri, 
-                                                mySrvFromConn(c)->timeout,
-                                                request, c, pool);
+        apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
+                                 DEFAULT_OCSP_TIMEOUT :
+                                 sc->server->ocsp_responder_timeout;
+        response = modssl_dispatch_ocsp_request(ruri, to, request, c, pool);
     }
 
     if (!request || !response) {
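Review bot: The fallback on the new `to` initialiser passes `DEFAULT_OCSP_TIMEOUT` — defined as the bare number 10 in ssl_private.h in this same commit — straight into an `apr_interval_time_t`, while a configured value arrives through `apr_time_from_sec()` in `ssl_cmd_SSLOCSPResponderTimeout`; since apr_interval_time_t counts microseconds, an unconfigured server gets a 10 µs responder timeout rather than the documented 10 seconds. The line this replaces used the server's own `timeout` field, which is already in that unit, so the regression is specific to the default path and would send every OCSP lookup down the `!response` branch on a responder that does not answer instantly. The fix is one token: `apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :`. `verify_ocsp_status` starts before and continues past this hunk.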
@@ -205,15 +205,16 @@ static int verify_ocsp_status(X509 *cert
             rc = status;
         }
 
-        /* TODO: make these configurable. */
-#define MAX_SKEW (60)
-#define MAX_AGE (360)
-
         /* Check whether the response is inside the defined validity
          * period; otherwise fail.  */
         if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
-            int vrc  = OCSP_check_validity(thisup, nextup, MAX_SKEW, MAX_AGE);
-            
+            long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
+                                 DEFAULT_OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
+            /* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
+             * that responses can be of any age as long as nextup is in the
+             * future. */
+            int vrc  = OCSP_check_validity(thisup, nextup, resptime_skew,
+                                           sc->server->ocsp_resp_maxage);
             if (vrc != 1) {
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
                 ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert,
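Review bot: The defaults are loosened relative to the removed constants without the CHANGES entry saying so: the tolerated skew rises from 60 s to DEFAULT_OCSP_MAX_SKEW (300 s), and the 360 s maximum age becomes -1, which the new comment itself describes as "any age as long as nextup is in the future" — so a responder that issues long-lived responses will have a pre-revocation "good" answer honoured for its whole window. If a response carries no nextUpdate at all, I believe OCSP_check_validity() then applies no upper bound whatsoever with a negative maxsec; worth confirming before shipping an unlimited default, or keep the old value as a `DEFAULT_OCSP_MAX_AGE` that the directive can override. The comment also misspells the field as `oscp_resp_maxage`. `verify_ocsp_status` continues outside the hunk.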

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1059917&r1=1059916&r2=1059917&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Mon Jan 17 13:27:03 2011
@@ -179,6 +179,16 @@ ap_set_module_config(c->conn_config, &ss
 #define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
 #endif
 
+/* Default for OCSP response validity */
+#ifndef DEFAULT_OCSP_MAX_SKEW
+#define DEFAULT_OCSP_MAX_SKEW (60 * 5)
+#endif
+
+/* Default timeout for OCSP queries */
+#ifndef DEFAULT_OCSP_TIMEOUT
+#define DEFAULT_OCSP_TIMEOUT 10
+#endif
+
 /**
  * Support for MM library
  */
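Review bot: Neither macro comment states a unit, and the two values are not consumed the same way: DEFAULT_OCSP_MAX_SKEW is handed to OCSP_check_validity() as a count of seconds, whereas DEFAULT_OCSP_TIMEOUT is substituted into an apr_interval_time_t (microseconds) in ssl_engine_ocsp.c, where the configured equivalent has been through apr_time_from_sec(). Making the unit part of the definition removes the ambiguity: `/* Default clock-skew tolerance for OCSP response validity, in seconds */` and `/* Default OCSP responder timeout, in seconds; convert with apr_time_from_sec() before use as an apr_interval_time_t */` — or define the timeout directly as `apr_time_from_sec(10)` so the conversion cannot be forgotten at a use site.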
@@ -516,6 +526,9 @@ typedef struct {
     BOOL ocsp_force_default; /* true if the default responder URL is
                               * used regardless of per-cert URL */
     const char *ocsp_responder; /* default responder URL */
+    long ocsp_resptime_skew;
+    long ocsp_resp_maxage;
+    apr_interval_time_t ocsp_responder_timeout;
 
 } modssl_ctx_t;
 
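Review bot: The three new members are the only ones in this stretch of `modssl_ctx_t` without a trailing comment, and their sentinel and units are not obvious from the types: the two `long`s are seconds passed to OCSP_check_validity(), `ocsp_responder_timeout` is an apr_interval_time_t filled via apr_time_from_sec(), and all three use UNSET (-1) to mean "take the default" — except that for `ocsp_resp_maxage` -1 is also the live value meaning "no limit". I would annotate them: `long ocsp_resptime_skew;  /* seconds; UNSET -> DEFAULT_OCSP_MAX_SKEW */`, `long ocsp_resp_maxage;    /* seconds; UNSET (-1) = no maximum age */`, `apr_interval_time_t ocsp_responder_timeout; /* UNSET -> DEFAULT_OCSP_TIMEOUT */`. The struct definition starts before this hunk.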
@@ -620,6 +633,9 @@ const char  *ssl_cmd_SSLProxyCheckPeerCN
 
 const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 
 const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);


