for ; Tue, 26 Jan 2016 20:24:33 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id CA4B93A027B for ; Tue, 26 Jan 2016 20:24:33 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1726881 - in /httpd/httpd/trunk/modules/ssl: mod_ssl.c ssl_engine_config.c ssl_private.h ssl_util_ocsp.c Date: Tue, 26 Jan 2016 20:24:33 -0000 To: cvs@httpd.apache.org From: rpluem@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20160126202433.CA4B93A027B@svn01-us-west.apache.org> Author: rpluem Date: Tue Jan 26 20:24:33 2016 New Revision: 1726881 URL: http://svn.apache.org/viewvc?rev=1726881&view=rev Log: * Introduce SSLOCSPProxyURL in order to do OCSP requests via a HTTP proxy. Documentation to follow. Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c httpd/httpd/trunk/modules/ssl/ssl_engine_config.c httpd/httpd/trunk/modules/ssl/ssl_private.h httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1726881&r1=1726880&r2=1726881&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original) +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Jan 26 20:24:33 2016 
@@ -253,6 +253,8 @@ static const command_rec ssl_config_cmds "OCSP responder query timeout") SSL_CMD_SRV(OCSPUseRequestNonce, FLAG, "Whether OCSP queries use a nonce or not ('on', 'off')") + SSL_CMD_SRV(OCSPProxyURL, TAKE1, + "Proxy URL to use for OCSP requests") #ifdef HAVE_OCSP_STAPLING /* Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1726881&r1=1726880&r2=1726881&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Tue Jan 26 20:24:33 2016 @@ -136,6 +136,7 @@ static void modssl_ctx_init(modssl_ctx_t mctx->ocsp_resp_maxage = UNSET; mctx->ocsp_responder_timeout = UNSET; mctx->ocsp_use_request_nonce = UNSET; + mctx->proxy_uri = NULL; #ifdef HAVE_OCSP_STAPLING mctx->stapling_enabled = UNSET; @@ -285,6 +286,7 @@ static void modssl_ctx_cfg_merge(apr_poo cfgMergeInt(ocsp_resp_maxage); cfgMergeInt(ocsp_responder_timeout); cfgMergeBool(ocsp_use_request_nonce); + cfgMerge(proxy_uri, NULL); #ifdef HAVE_OCSP_STAPLING cfgMergeBool(stapling_enabled); cfgMergeInt(stapling_resptime_skew); 
@@ -1643,6 +1645,18 @@ const char *ssl_cmd_SSLOCSPUseRequestNon return NULL; } +const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, + const char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + sc->server->proxy_uri = apr_palloc(cmd->pool, sizeof(apr_uri_t)); + if (apr_uri_parse(cmd->pool, arg, sc->server->proxy_uri) != APR_SUCCESS) { + return apr_psprintf(cmd->pool, + "SSLOCSPProxyURL: Cannot parse URL %s", arg); + } + return NULL; +} + const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag) { SSLSrvConfigRec *sc = mySrvConfig(cmd->server); Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1726881&r1=1726880&r2=1726881&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original) +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Jan 26 20:24:33 2016 @@ -628,6 +628,7 @@ typedef struct { long ocsp_resp_maxage; apr_interval_time_t ocsp_responder_timeout; BOOL ocsp_use_request_nonce; + apr_uri_t *proxy_uri; #ifdef HAVE_SSL_CONF_CMD SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */ 
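Review bot: ssl_cmd_SSLOCSPProxyURL stores whatever apr_uri_parse tokenises, but send_request later uses only `proxy_uri->hostname` and `proxy_uri->port`, and neither is checked here. A value like `proxy.example.com:3128` (no scheme) parses with `hostname == NULL`, and apr_sockaddr_info_get with a NULL host builds an address for the local host, so the OCSP request is quietly sent to the wrong place; a URL with no explicit port leaves `port` at 0, since apr_uri_parse does not (as far as I recall) default it. The proxy connection is also a plain apr_socket with no TLS, so an `https://` proxy URL would be spoken to in cleartext. Rejecting anything that is not an `http://` URL with a host, and defaulting the port from the scheme, turns these into startup errors instead of silent misrouting.
```c
const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg,
                                    const char *arg)
{
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
    apr_uri_t *u = apr_palloc(cmd->pool, sizeof(apr_uri_t));

    /* send_request() talks plain TCP to the proxy, so only http:// proxies
     * with an explicit host can be used; fail at config time otherwise. */
    if (apr_uri_parse(cmd->pool, arg, u) != APR_SUCCESS
        || !u->scheme || !u->hostname || !*u->hostname
        || strcasecmp(u->scheme, "http") != 0) {
        return apr_psprintf(cmd->pool,
                            "SSLOCSPProxyURL: %s is not a valid "
                            "http://host[:port] URL", arg);
    }
    if (!u->port) {
        u->port = apr_uri_port_of_scheme(u->scheme);
    }
    sc->server->proxy_uri = u;
    return NULL;
}
```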
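Review bot: The new member is named `proxy_uri` inside modssl_ctx_t, whose neighbouring OCSP members all carry the `ocsp_` prefix, and the same struct type is, if I recall the SSLSrvConfigRec layout correctly, also used for the SSLProxy* (outbound TLS) context, so the bare name reads as "the proxy context's URI" rather than "the proxy used for OCSP". Renaming it `ocsp_proxy_uri` here and at its uses in modssl_ctx_init, modssl_ctx_cfg_merge, ssl_cmd_SSLOCSPProxyURL and modssl_dispatch_ocsp_request keeps the field self-describing. A one-line comment on the declaration, `/* SSLOCSPProxyURL: HTTP proxy for outbound OCSP requests, NULL for none */`, would also record the NULL convention that cfgMerge and the `if (proxy_uri)` checks rely on.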
@@ -754,6 +755,7 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag); const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); +const char *ssl_cmd_SSLOCSPProxyURL(cmd_parms *cmd, void *dcfg, const char *arg); #ifdef HAVE_SSL_CONF_CMD const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg, const char *arg1, const char *arg2); Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=1726881&r1=1726880&r2=1726881&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Tue Jan 26 20:24:33 2016 @@ -27,7 +27,8 @@ /* Serialize an OCSP request which will be sent to the responder at * given URI to a memory BIO object, which is returned. */ -static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri) +static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri, + const apr_uri_t *proxy_uri) { BIO *bio; int len; @@ -36,7 +37,13 @@ static BIO *serialize_request(OCSP_REQUE bio = BIO_new(BIO_s_mem()); - BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n" + BIO_printf(bio, "POST "); + /* Use full URL instead of URI in case of a request through a proxy */ + if (proxy_uri) { + BIO_printf(bio, "http://%s:%d", + uri->hostname, uri->port); + } + BIO_printf(bio, "%s%s%s HTTP/1.0\r\n" "Host: %s:%d\r\n" "Content-Type: application/ocsp-request\r\n" "Content-Length: %d\r\n" 
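Review bot: The absolute-form request target written when proxy_uri is set is built from `uri->hostname`, which apr_uri_parse stores without the surrounding square brackets of an IPv6 literal, so a responder URL such as `http://[2001:db8::1]/` yields the malformed target `http://2001:db8::1:80/` that a proxy will reject or misparse. The Host header built from the same fields below has the same shape, so this is partly pre-existing, but the proxy path is the one where a third party actually parses the string. Re-adding the brackets when the host contains a colon, `BIO_printf(bio, strchr(uri->hostname, ':') ? "http://[%s]:%d" : "http://%s:%d", uri->hostname, uri->port);`, fixes the request line; the scheme is also hard-coded as `http://` rather than taken from `uri->scheme`, which matches the plain-TCP transport in send_request but deserves a comment saying so. serialize_request continues past the end of this hunk.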
@@ -58,25 +65,38 @@ static BIO *serialize_request(OCSP_REQUE * NULL on error. */ static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, apr_interval_time_t timeout, - conn_rec *c, apr_pool_t *p) + conn_rec *c, apr_pool_t *p, + const apr_uri_t *proxy_uri) { apr_status_t rv; apr_sockaddr_t *sa; apr_socket_t *sd; char buf[HUGE_STRING_LEN]; int len; + const apr_uri_t *next_hop_uri; + + if (proxy_uri) { + next_hop_uri = proxy_uri; + } + else { + next_hop_uri = uri; + } - rv = apr_sockaddr_info_get(&sa, uri->hostname, APR_UNSPEC, uri->port, 0, p); + rv = apr_sockaddr_info_get(&sa, next_hop_uri->hostname, APR_UNSPEC, + next_hop_uri->port, 0, p); if (rv) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01972) - "could not resolve address of OCSP responder %s", - uri->hostinfo); + "could not resolve address of %s %s", + proxy_uri ? "proxy" : "OCSP responder", + next_hop_uri->hostinfo); return NULL; } /* establish a connection to the OCSP responder */ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01973) - "connecting to OCSP responder '%s'", uri->hostinfo); + "connecting to %s '%s'", + proxy_uri ? "proxy" : "OCSP responder", + uri->hostinfo); /* Cycle through address until a connect() succeeds. */ for (; sa; sa = sa->next) { @@ -94,8 +114,9 @@ static apr_socket_t *send_request(BIO *r if (sa == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c, APLOGNO(01974) - "could not connect to OCSP responder '%s'", - uri->hostinfo); + "could not connect to %s '%s'", + proxy_uri ? "proxy" : "OCSP responder", + next_hop_uri->hostinfo); return NULL; } @@ -289,8 +310,10 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ OCSP_RESPONSE *response = NULL; apr_socket_t *sd; BIO *bio; + const apr_uri_t *proxy_uri; - bio = serialize_request(request, uri); + proxy_uri = (mySrvConfigFromConn(c))->server->proxy_uri; + bio = serialize_request(request, uri, proxy_uri); if (bio == NULL) { ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01989) "could not serialize OCSP request"); 
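Review bot: The debug message `"connecting to %s '%s'"` is passed `uri->hostinfo`, while the resolve-failure and connect-failure messages in the same function use `next_hop_uri->hostinfo`, so with a proxy configured the log reads "connecting to proxy '<responder host>'" and names the wrong endpoint, pointing an operator away from the host the socket actually opens to. Change that argument to `next_hop_uri->hostinfo);` so all three messages agree. It is also worth a comment at the `next_hop_uri` selection that a configured proxy becomes a single point of failure for every responder lookup: OCSP responses are signed, so the proxy cannot forge a status, but it can withhold one and turn every check into a timeout. send_request's connect loop continues outside this hunk.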
@@ -298,7 +321,7 @@ OCSP_RESPONSE *modssl_dispatch_ocsp_requ return NULL; } - sd = send_request(bio, uri, timeout, c, p); + sd = send_request(bio, uri, timeout, c, p, proxy_uri); if (sd == NULL) { /* Errors already logged. */ BIO_free(bio);