[mod_openssl] detect certs marked OCSP Must-Staple
parent
1c5def49f6
commit
f56c8e58e4
|
|
@ -129,6 +129,7 @@ typedef struct {
|
|||
const buffer *ssl_stapling_file;
|
||||
time_t ssl_stapling_loadts;
|
||||
time_t ssl_stapling_nextts;
|
||||
char must_staple;
|
||||
} plugin_cert;
|
||||
|
||||
typedef struct {
|
||||
|
|
@ -1675,6 +1676,12 @@ mod_openssl_refresh_stapling_file (server *srv, plugin_cert *pc, const time_t cu
|
|||
/* discard expired OCSP stapling response */
|
||||
buffer_free(pc->ssl_stapling);
|
||||
pc->ssl_stapling = NULL;
|
||||
if (pc->must_staple) {
|
||||
log_error(srv->errh, __FILE__, __LINE__,
|
||||
"certificate marked OCSP Must-Staple, "
|
||||
"but OCSP response expired from ssl.stapling-file %s",
|
||||
pc->ssl_stapling_file->ptr);
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
|
@ -1699,7 +1706,39 @@ mod_openssl_refresh_stapling_files (server *srv, const plugin_data *p, const tim
|
|||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
static int
|
||||
mod_openssl_crt_must_staple (const X509 *crt)
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L \
|
||||
|| defined(BORINGSSL_API_VERSION) \
|
||||
|| defined(LIBRESSL_VERSION_NUMBER)
|
||||
/*(not currently supported in BoringSSL or LibreSSL)*/
|
||||
UNUSED(crt);
|
||||
return 0;
|
||||
#else
|
||||
/* openssl/x509v3.h:typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE; */
|
||||
|
||||
TLS_FEATURE *tlsf = X509_get_ext_d2i(crt, NID_tlsfeature, NULL, NULL);
|
||||
if (NULL == tlsf) return 0;
|
||||
|
||||
int rc = 0;
|
||||
|
||||
for (int i = 0; i < sk_ASN1_INTEGER_num(tlsf); ++i) {
|
||||
ASN1_INTEGER *ai = sk_ASN1_INTEGER_value(tlsf, i);
|
||||
long tlsextid = ASN1_INTEGER_get(ai);
|
||||
if (tlsextid == 5) { /* 5 = OCSP Must-Staple */
|
||||
rc = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
sk_ASN1_INTEGER_pop_free(tlsf, ASN1_INTEGER_free);
|
||||
return rc; /* 1 if OCSP Must-Staple found; 0 if not */
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_OCSP */
|
||||
|
||||
|
||||
static plugin_cert *
|
||||
|
|
@ -1743,6 +1782,11 @@ network_openssl_load_pemfile (server *srv, const buffer *pemfile, const buffer *
|
|||
pc->ssl_stapling_file= ssl_stapling_file;
|
||||
pc->ssl_stapling_loadts = 0;
|
||||
pc->ssl_stapling_nextts = 0;
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
pc->must_staple = mod_openssl_crt_must_staple(ssl_pemfile_x509);
|
||||
#else
|
||||
pc->must_staple = 0;
|
||||
#endif
|
||||
|
||||
if (!buffer_string_is_empty(pc->ssl_stapling_file)) {
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
|
|
@ -1755,6 +1799,11 @@ network_openssl_load_pemfile (server *srv, const buffer *pemfile, const buffer *
|
|||
pc->ssl_stapling_file->ptr);
|
||||
#endif
|
||||
}
|
||||
else if (pc->must_staple) {
|
||||
log_error(srv->errh, __FILE__, __LINE__,
|
||||
"certificate %s marked OCSP Must-Staple, "
|
||||
"but ssl.stapling-file not provided", pemfile->ptr);
|
||||
}
|
||||
|
||||
return pc;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue