httpd-cvs mailing list archives

From traw...@apache.org
Subject svn commit: r1589398 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl_ct.xml modules/ssl/mod_ssl_ct.c
Date Wed, 23 Apr 2014 12:45:46 GMT
Author: trawick
Date: Wed Apr 23 12:45:45 2014
New Revision: 1589398

URL: http://svn.apache.org/r1589398
Log:
allow operation without any logs configured or without the
log client tool configured

this supports configurations where SCTs are managed by the admin or
by some other infrastructure

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml
    httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml?rev=1589398&r1=1589397&r2=1589398&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl_ct.xml Wed Apr 23 12:45:45 2014
@@ -279,6 +279,10 @@ testing.</p>
 
   <p>An alternative implementation could be used to retrieve SCTs for a
   server certificate as long as the command-line interface is equivalent.</p>
+
+  <p>If this directive is not configured, server certificates cannot be
+  submitted to logs in order to obtain SCTs; thus, only admin-managed
+  SCTs will be provided to clients.</p>
 </usage>
 </directivesynopsis>
 

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c?rev=1589398&r1=1589397&r2=1589398&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl_ct.c Wed Apr 23 12:45:45 2014
@@ -17,14 +17,13 @@
 /*
  * Issues
  *
- * + Major limitations
- *   . ???
- *
  * + Known low-level code kludges/problems
  *   . proxy: an httpd child process validates SCTs from a server only on the
  *     first time the data is received; but it could fail once due to invalid
- *     timestamp and succeed later after time elapses; fixit!
+ *     timestamp, and not be rechecked later after (potentially) time elapses
+ *     and the timestamp is now in a valid range
  *   . server: shouldn't have to read file of server SCTs on every handshake
+ *     (shared memory or cached file?)
  *   . split mod_ssl_ct.c into more pieces
  *   . research: Is it possible to send an SCT that is outside of the known
  *     valid interval for the log?
@@ -764,26 +763,33 @@ static apr_status_t refresh_scts_for_cer
 
     config_elts  = (ct_log_config **)log_config->elts;
 
-    rv = update_log_list_for_cert(s, p, cert_sct_dir, log_config);
-    if (rv != APR_SUCCESS) {
-        return rv;
-    }
-
-    for (i = 0; i < log_config->nelts; i++) {
-        if (!config_elts[i]->url) {
-            continue;
-        }
-        if (!log_valid_for_sent_sct(config_elts[i])) {
-            continue;
-        }
-        rv = fetch_sct(s, p, cert_fn,
-                       cert_sct_dir,
-                       &config_elts[i]->uri,
-                       ct_exe,
-                       max_sct_age);
+    if (ct_exe) {
+        rv = update_log_list_for_cert(s, p, cert_sct_dir, log_config);
         if (rv != APR_SUCCESS) {
             return rv;
         }
+
+        for (i = 0; i < log_config->nelts; i++) {
+            if (!config_elts[i]->url) {
+                continue;
+            }
+            if (!log_valid_for_sent_sct(config_elts[i])) {
+                continue;
+            }
+            rv = fetch_sct(s, p, cert_fn,
+                           cert_sct_dir,
+                           &config_elts[i]->uri,
+                           ct_exe,
+                           max_sct_age);
+            if (rv != APR_SUCCESS) {
+                return rv;
+            }
+        }
+    }
+    else {
+        /* Log client tool (from certificate-transparency open source project)
+         * not configured; we can only use admin-managed SCTs
+         */
     }
 
     rv = collate_scts(s, p, cert_sct_dir, static_cert_sct_dir, max_sh_sct);
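Review bot: A `fetch_sct()` failure inside the new `if (ct_exe)` block still returns before `collate_scts()` runs, so in a mixed setup one failing log submission appears to keep the admin-managed SCTs under `static_cert_sct_dir` from being collated on that pass. Since the commit makes admin-managed SCTs a supported mode of their own, the early `return rv;` deserves either a comment saying it is deliberate, e.g. `/* a failed submission aborts the refresh, including collation of admin-managed SCTs */`, or a change that records the first error and falls through to collation. The empty `else` that holds only a comment could also become a comment placed above `if (ct_exe)`. The body of refresh_scts_for_cert starts and ends outside this hunk, so how callers treat the returned status is not visible here.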
@@ -1266,9 +1272,14 @@ static int ssl_ct_post_config(apr_pool_t
         active_log_config = sconf->db_log_config;
     }
     else {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s_main,
-                     "No non-empty log configuration was provided");
-        return HTTP_INTERNAL_SERVER_ERROR;
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s_main,
+                     "No log URLs were configured; only admin-managed SCTs can be sent");
+        /* if a db is configured, it could be updated later */
+        if (!sconf->db_log_config) { /* no DB configured, need permanently
+                                      * empty array */
+            active_log_config = apr_array_make(pconf, 1,
+                                               sizeof(ct_log_config *));
+        }
     }
 
     /* Ensure that we already have, or can fetch, fresh SCTs for each 
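Review bot: `active_log_config` is assigned in the new else branch only when `sconf->db_log_config` is unset, so if this branch can be reached with a DB configured but empty, the variable keeps whatever value it had before the if/else chain. refresh_scts_for_cert reads `log_config->elts` ahead of its `if (ct_exe)` guard, so a NULL array would be dereferenced if this is the value that reaches it. The branch conditions and the variable's initialisation are outside the hunk, so this needs confirming against the full function. Assigning on both paths would remove the doubt: `active_log_config = sconf->db_log_config ? sconf->db_log_config : apr_array_make(pconf, 1, sizeof(ct_log_config *));`.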
@@ -1348,9 +1359,10 @@ static int ssl_ct_check_config(apr_pool_
     }
 
     if (!sconf->ct_exe) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s_main,
-                     "Directive CTLogClient is required");
-        return HTTP_INTERNAL_SERVER_ERROR;
+        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s_main,
+                     "Directive CTLogClient isn't set; server certificates "
+                     "can't be submitted to configured logs; only admin-"
+                     "managed SCTs can be provided to clients");
     }
 
     if (sconf->log_config_fname) {
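Review bot: The message for a missing CTLogClient is now logged at `APLOG_INFO`, which a server running at the default `warn` LogLevel does not show, so an administrator who left the directive out by mistake gets no sign that certificates are never submitted to logs. `APLOG_NOTICE` or `APLOG_WARNING` would keep startup non-fatal while leaving the condition visible, e.g. `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s_main,`. The same applies to the "No log URLs were configured" message added in ssl_ct_post_config. ssl_ct_check_config continues outside this hunk.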


