httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rpl...@apache.org
Subject svn commit: r1726881 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_private.h ssl_util_ocsp.c
Date Tue, 26 Jan 2016 20:24:33 GMT
Author: rpluem
Date: Tue Jan 26 20:24:33 2016
New Revision: 1726881

URL: http://svn.apache.org/viewvc?rev=1726881&view=rev
Log:
* Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy.
  Documentation to follow.

Modified:
    httpd/httpd/trunk/modules/ssl/mod_ssl.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h
    httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c

Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1726881&r1=1726880&r2=1726881&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Jan 26 20:24:33 2016
@@ -253,6 +253,8 @@ static const command_rec ssl_config_cmds
                 "OCSP responder query timeout")
     SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
                 "Whether OCSP queries use a nonce or not ('on', 'off')")
+    SSL_CMD_SRV(OCSPProxyURL, TAKE1,
+                "Proxy URL to use for OCSP requests")
 
 #ifdef HAVE_OCSP_STAPLING
     /*

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1726881&r1=1726880&r2=1726881&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Jan 26 20:24:33 2016
@@ -136,6 +136,7 @@ static void modssl_ctx_init(modssl_ctx_t
     mctx->ocsp_resp_maxage    = UNSET;
     mctx->ocsp_responder_timeout = UNSET;
     mctx->ocsp_use_request_nonce = UNSET;
+    mctx->proxy_uri              = NULL;
 
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled           = UNSET;
@@ -285,6 +286,7 @@ static void modssl_ctx_cfg_merge(apr_poo
     cfgMergeInt(ocsp_resp_maxage);
     cfgMergeInt(ocsp_responder_timeout);
     cfgMergeBool(ocsp_use_request_nonce);
+    cfgMerge(proxy_uri, NULL);
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1643,6 +1645,18 @@ const char *ssl_cmd_SSLOCSPUseRequestNon
     return NULL;
 }
 
+const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
+                                    const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    sc->server->proxy_uri = apr_palloc(cmd->pool, sizeof(apr_uri_t));
+    if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) {
+        return apr_psprintf(cmd->pool,
+                            "SSLOCSPProxyURL: Cannot parse URL %s", arg);
+    }
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1726881&r1=1726880&r2=1726881&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Jan 26 20:24:33 2016
@@ -628,6 +628,7 @@ typedef struct {
     long ocsp_resp_maxage;
     apr_interval_time_t ocsp_responder_timeout;
     BOOL ocsp_use_request_nonce;
+    apr_uri_t *proxy_uri;
 
 #ifdef HAVE_SSL_CONF_CMD
     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
@@ -754,6 +755,7 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg);
 
 #ifdef HAVE_SSL_CONF_CMD
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const
char *arg2);

Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1726881&r1=1726880&r2=1726881&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Tue Jan 26 20:24:33 2016
@@ -27,7 +27,8 @@
 
 /* Serialize an OCSP request which will be sent to the responder at
  * given URI to a memory BIO object, which is returned. */
-static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
+static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri,
+                              const apr_uri_t *proxy_uri)
 {
     BIO *bio;
     int len;
@@ -36,7 +37,13 @@ static BIO *serialize_request(OCSP_REQUE
 
     bio = BIO_new(BIO_s_mem());
 
-    BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n"
+    BIO_printf(bio, "POST ");
+    /* Use full URL instead of URI in case of a request through a proxy */
+    if (proxy_uri) {
+        BIO_printf(bio, "http://%s:%d",
+                   uri->hostname, uri->port);
+    }
+    BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
                "Host: %s:%d\r\n"
                "Content-Type: application/ocsp-request\r\n"
                "Content-Length: %d\r\n"
@@ -58,25 +65,38 @@ static BIO *serialize_request(OCSP_REQUE
  * NULL on error. */
 static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri,
                                   apr_interval_time_t timeout,
-                                  conn_rec *c, apr_pool_t *p)
+                                  conn_rec *c, apr_pool_t *p,
+                                  const apr_uri_t *proxy_uri)
 {
     apr_status_t rv;
     apr_sockaddr_t *sa;
     apr_socket_t *sd;
     char buf[HUGE_STRING_LEN];
     int len;
+    const apr_uri_t *next_hop_uri;
+
+    if (proxy_uri) {
+        next_hop_uri = proxy_uri;
+    }
+    else {
+        next_hop_uri = uri;
+    }
 
-    rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p);
+    rv = apr_sockaddr_info_get(&sa, next_hop_uri->hostname, APR_UNSPEC,
+                               next_hop_uri->port, 0, p);
     if (rv) {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972)
-                      "could not resolve address of OCSP responder %s",
-                      uri->hostinfo);
+                      "could not resolve address of %s %s",
+                      proxy_uri ? "proxy" : "OCSP responder",
+                      next_hop_uri->hostinfo);
         return NULL;
     }
 
     /* establish a connection to the OCSP responder */
     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973)
-                  "connecting to OCSP responder '%s'", uri->hostinfo);
+                  "connecting to %s '%s'",
+                  proxy_uri ? "proxy" : "OCSP responder",
+                  uri->hostinfo);
 
     /* Cycle through address until a connect() succeeds. */
     for (; sa; sa = sa->next) {
@@ -94,8 +114,9 @@ static apr_socket_t *send_request(BIO *r
 
     if (sa == NULL) {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974)
-                      "could not connect to OCSP responder '%s'",
-                      uri->hostinfo);
+                      "could not connect to %s '%s'",
+                      proxy_uri ? "proxy" : "OCSP responder",
+                      next_hop_uri->hostinfo);
         return NULL;
     }
 
@@ -289,8 +310,10 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ
     OCSP_RESPONSE *response = NULL;
     apr_socket_t *sd;
     BIO *bio;
+    const apr_uri_t *proxy_uri;
 
-    bio = serialize_request(request, uri);
+    proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri;
+    bio = serialize_request(request, uri, proxy_uri);
     if (bio == NULL) {
         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989)
                       "could not serialize OCSP request");
@@ -298,7 +321,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ
         return NULL;
     }
 
-    sd = send_request(bio, uri, timeout, c, p);
+    sd = send_request(bio, uri, timeout, c, p, proxy_uri);
     if (sd == NULL) {
         /* Errors already logged. */
         BIO_free(bio);



Mime
View raw message