mod_ssl: Add support for OCSP validation of client certificates:

* modules/ssl/ssl_engine_config.c (modssl_ctx_init, modssl_ctx_cfg_merge): Initialize and merge OCSP config options. (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder, ssl_cmd_SSLOCSPEnable): Add functions. * modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options. * modules/ssl/ssl_private.h: Add prototypes, config options to modssl_ctx_t. * modules/ssl/ssl_util_ocsp.c: New file, utility interface for dispatching OCSP requests. * modules/ssl/ssl_engine_ocsp.c: New file, interface for performing OCSP validation. * modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform OCSP validation if configured, and the cert is so-far verified to be trusted. Fail if OCSP validation is configured an the optional-no-ca check tripped. * modules/ssl/config.m4: Check for OCSP support, build new files. * modules/ssl/mod_ssl.dsp: Build new files. * modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP interfaces. PR: 41123 Submitted by: Marc Stern <marc.stern approach.be>, Joe Orton Reviewed by: Steve Henson <steve openssl.org> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@599385 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2007-11-29 11:18:40 +00:00
parent 4df56cc5aa
commit 33c045efb2
10 changed files with 677 additions and 1 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1293,12 +1293,35 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
    }

    /*
-     * Additionally perform CRL-based revocation checks
+     * Perform OCSP/CRL-based revocation checks
     */
    if (ok) {
        if (!(ok = ssl_callback_SSLVerify_CRL(ok, ctx, conn))) {
            errnum = X509_STORE_CTX_get_error(ctx);
        }
+        
+#ifdef HAVE_OCSP
+        /* If there was an optional verification error, it's not
+         * possible to perform OCSP validation since the issuer may be
+         * missing/untrusted.  Fail in that case. */
+        if (ok && ssl_verify_error_is_optional(errnum)
+            && sc->server->ocsp_enabled) {
+            X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
+            errnum = X509_V_ERR_APPLICATION_VERIFICATION;
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
+                          "cannot perform OCSP validation for cert "
+                          "if issuer has not been verified "
+                          "(optional_no_ca configured)");
+            ok = FALSE;
+        }
+
+        if (ok && sc->server->ocsp_enabled) {
+            ok = modssl_verify_ocsp(ctx, sc, s, conn, conn->pool);
+            if (!ok) {
+                errnum = X509_STORE_CTX_get_error(ctx);
+            }
+        }
+#endif
    }

    /*