ssl_util_stapling.c

update aplogno in recent hook changes
* moving the openssl related new hooks into mod_ssl_openssl.h
* changing type parameter to openssl types
* adding explanation of return value in get_stapling_status()
* adding array element description for add_cert_files and add_fallback_cert_files hooks

*) mod_ssl/mod_md:

Adding 2 new hooks for init/get of OCSP stapling status information when
other modules want to provide those. Falls back to own implementation with
same behaviour as before.

Revert r1798456

* For the time being keep on caching OCSP_RESPONSE_STATUS_TRYLATER. The effect can be limited by setting SSLStaplingErrorCacheTimeout.

* Only report success, if had real one.
* Do not cache OCSP_RESPONSE_STATUS_TRYLATER.
* Mark OCSP_RESPONSE_STATUS_TRYLATER as error response
Silence compiler warning:

"686: warning: 'ok' may be used uninitialized in
this function"

This is a false positive, because the value of "ok"
will only be used if stapling_get_cached_response()
sets "rsp" to non-NULL in which case it will always
have set "ok".

Support for OpenSSL 1.1.0:

- X509_STORE_CTX is now opaque.

Support OpenSSL 1.1.0.

- use common code for OpenSSL pre-1.1.0 and
1.1.0 where possible.

Fix compiler warning when using OpenSSL 1.1.0.

The old compatibility macro check no longer works,
because those are now actual functions, so an
ifndef is not the correct check.

Support for OpenSSL 1.1.0:

- mod_ssl

Look out for "XXX: OpenSSL 1.1.0:" for a few
open problems.

Not tested with test suite yet.

Added many log numbers to log statements that
had none.

Those were not detected by the coccinelle script.

Added many log numbers to log statements that
had none.

Handled all files in modules/.

I used the coccinelle script provided by Stefan.

insert missing LOGNO in ssl_util_stapling.c
For the "SSLStaplingReturnResponderErrors off" case, make sure to only
staple responses with certificate status "good". Also avoids including
inaccurate responses when the OCSP responder is not completely up
to date in terms of the CA-issued certificates (and provides interim
"unknown" or "extended revoked" [RFC 6960] status replies).

Log a certificate status other than "good" in stapling_check_response().

Propagate the "ok" status from stapling_check_response() back via both
stapling_renew_response() and get_and_check_cached_response() to the
callback code in stapling_cb(), enabling the decision whether to include
or skip the response.

OCSP stapling: slight simplification to some internal interfaces,
add a few comments and sanity checks

Follow-up to r1679032:

Fix regression in check for cached response.

(Essentially) Submitted by: ylavic

mod_ssl OCSP Stapling: Don't block initial handshakes while refreshing
the OCSP response for a different certificate. mod_ssl has an additional
global mutex, "ssl-stapling-refresh".

Not mentioned in CHANGES:

Stapling no longer uses a mutex when using a stapling cache
implementation which doesn't require it. (A further, unrelated
code change to mod_ssl is required to allow the use of memcache
as a stapling cache, and I haven't tested with distcache; thus
it isn't clear if this helps in practice yet.)

follow up to r1641077:

one bug was traded for another in r1641077; track the response
length and the cached object length separately to avoid such
confusion

mod_ssl: Fix recognition of OCSP stapling responses that are encoded
improperly or too large.

The one byte "ok" flag stored with the response was accounted for in
the wrong condition.

Follow up to r1629372 and r1629485: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_[num|value|pop] macros).

Follow up to r1629372: ensure compatibility with OpenSSL < 1.0 (sk_OPENSSL_STRING_value).

Move OCSP stapling information from a per-certificate store
(ex_data attached to an X509 *) to a per-server hash which is
allocated from the pconf pool. Fixes PR 54357, PR 56919 and
a leak with the certinfo_free cleanup function (missing
OCSP_CERTID_free).

* modules/ssl/ssl_util_stapling.c: drop certinfo_free, and add
ssl_stapling_certid_free (used with apr_pool_cleanup_register).
Switch to a stapling_certinfo hash which is keyed by the SHA-1
digest of the certificate's DER encoding, rework ssl_stapling_init_cert
to only store info once per certificate (allocated from the pconf
to the extent possible) and extend the logging.

* modules/ssl/ssl_private.h: adjust prototype for
ssl_stapling_init_cert, replace ssl_stapling_ex_init with
ssl_stapling_certinfo_hash_init

* modules/ssl/ssl_engine_init.c: adjust ssl_stapling_* calls

Based on initial work by Alex Bligh <alex alex.org.uk>

ssl_stapling_init_cert: do not return success when no responder URI is found

stapling_renew_response: abort early (before apr_uri_parse) if ocspuri is empty

Address a todo listed in
https://mail-archives.apache.org/mod_mbox/httpd-dev/200205.mbox/%3CPine.LNX.4.33.0205292300380.27841-100000%40mako.covalent.net%3E

"init functions should return status code rather than ssl_die()"

For diagnostic purposes, ssl_die() is still there, but instead
of abruptly exit(1)ing, it will return APR_EGENERAL to the
ssl_init_* callers in ssl_engine_init.c, and these will propagate
the status back to ssl_init_Module.

Typo
Pass the server_rec to ssl_die() and use it to log a message to the main error
log, pointing to the appropriate virtual host error log

Set OPENSSL_NO_SSL_INTERN when compiling against OpenSSL 1.0.1
or later, so that mod_ssl retains binary compatibility with future
versions when internal structures are changed. Use API functions
where available, and fall back to direct access for OpenSSL up
to 1.0.0, where needed.

Remove SSL_make_ciphersuite() from ssl_util_ssl.[ch], as it was
never used by any released version of mod_ssl.

Add some more log message tags

Remove some log message tags from ap_log_* calls that log lots of
different error messages, in particular the config parsing errors.
Not sure how we should handle those.

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3