Add support for OCSP "stapling":

* modules/ssl/ssl_util_stapling.c: New file. * modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it. * modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS extension support enabled). * modules/ssl/mod_ssl.c: Add config directives. * modules/ssl/ssl_private.h: Add prototypes for new functions. (SSLModConfigRec): Add fields for stapling socache instance and associated mutex. (modssl_ctx_t): Add config fields for stapling. * modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child): Call the stapling initialization functions. * modules/ssl/ssl_engine_config.c: Add config hooks. * modules/ssl/ssl_scache.c: Create, initialize and destroy the socache instance for OCSP responses. Submitted by: Dr Stephen Henson <shenson oss-institute.org> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2009-10-25 17:21:10 +00:00
parent 299688e2b1
commit b2cb650f61
10 changed files with 1051 additions and 1 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -197,6 +197,36 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(OCSPOverrideResponder, FLAG,
               "Force use of the default responder URL ('on', 'off')")

+#ifdef HAVE_OCSP_STAPLING
+    /*
+     * OCSP Stapling options
+     */
+    SSL_CMD_SRV(StaplingMutex, TAKE1, AP_ALL_AVAILABLE_MUTEXES_STRING)
+    SSL_CMD_SRV(StaplingCache, TAKE1,
+                "SSL Stapling Response Cache storage "
+                "(`dbm:/path/to/file')")
+    SSL_CMD_SRV(UseStapling, FLAG,
+                "SSL switch for the OCSP Stapling protocol " "(`on', `off')")
+    SSL_CMD_SRV(StaplingResponseTimeSkew, TAKE1,
+                "SSL stapling option for maximum time difference in OCSP responses")
+    SSL_CMD_SRV(StaplingResponderTimeout, TAKE1,
+                "SSL stapling option for OCSP responder timeout")
+    SSL_CMD_SRV(StaplingResponseMaxAge, TAKE1,
+                "SSL stapling option for maximum age of OCSP responses")
+    SSL_CMD_SRV(StaplingStandardCacheTimeout, TAKE1,
+                "SSL stapling option for normal OCSP Response Cache Lifetime")
+    SSL_CMD_SRV(StaplingReturnResponderErrors, FLAG,
+                "SSL stapling switch to return Status Errors Back to Client"
+		"(`on', `off')")
+    SSL_CMD_SRV(StaplingFakeTryLater, FLAG,
+                "SSL stapling switch to send tryLater response to client on error "
+		"(`on', `off')")
+    SSL_CMD_SRV(StaplingErrorCacheTimeout, TAKE1,
+                "SSL stapling option for OCSP Response Error Cache Lifetime")
+    SSL_CMD_SRV(StaplingForceURL, TAKE1,
+                "SSL stapling option to Force the OCSP Stapling URL")
+#endif
+
    /* Deprecated directives. */
    AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
      "SSLLog directive is no longer supported - use ErrorLog."),