Add support for OCSP "stapling":

* modules/ssl/ssl_util_stapling.c: New file. * modules/ssl/config.m4, modules/ssl/mod_ssl.dsp: Build it. * modules/ssl/ssl_toolkit_compat.h: Define HAVE_OCSP_STAPLING if OpenSSL is of suitable version (>= 0.9.8g) and capability (TLS extension support enabled). * modules/ssl/mod_ssl.c: Add config directives. * modules/ssl/ssl_private.h: Add prototypes for new functions. (SSLModConfigRec): Add fields for stapling socache instance and associated mutex. (modssl_ctx_t): Add config fields for stapling. * modules/ssl/ssl_engine_init.c (ssl_init_Module, ssl_init_Child): Call the stapling initialization functions. * modules/ssl/ssl_engine_config.c: Add config hooks. * modules/ssl/ssl_scache.c: Create, initialize and destroy the socache instance for OCSP responses. Submitted by: Dr Stephen Henson <shenson oss-institute.org> git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@829619 13f79535-47bb-0310-9956-ffa450edef68
2025-08-07 04:02:58 +03:00 · 2009-10-25 17:21:10 +00:00
parent 299688e2b1
commit b2cb650f61
10 changed files with 1051 additions and 1 deletions
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -249,6 +249,13 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
    if (!ssl_mutex_init(base_server, p)) {
        return HTTP_INTERNAL_SERVER_ERROR;
    }
+#ifdef HAVE_OCSP_STAPLING
+    if (!ssl_stapling_mutex_init(base_server, p)) {
+        return HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    ssl_stapling_ex_init();
+#endif

    /*
     * initialize session caching
@@ -382,6 +389,15 @@ static void ssl_init_ctx_tls_extensions(server_rec *s,
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
+
+#ifdef HAVE_OCSP_STAPLING
+    /*
+     * OCSP Stapling support, status_request extension
+     */
+    if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
+        modssl_init_stapling(s, p, ptemp, mctx);
+    }
+#endif
 }
 #endif

@@ -773,6 +789,15 @@ static int ssl_server_import_cert(server_rec *s,
        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
        ssl_die();
    }
+  
+#ifdef HAVE_OCSP_STAPLING
+    if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) {
+        if (!ssl_stapling_init_cert(s, mctx, cert)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                         "Unable to configure server certificate for stapling");
+        }
+    }
+#endif

    mctx->pks->certs[idx] = cert;

@@ -1246,6 +1271,9 @@ void ssl_init_Child(apr_pool_t *p, server_rec *s)

    /* open the mutex lockfile */
    ssl_mutex_reinit(s, p);
+#ifdef HAVE_OCSP_STAPLING
+    ssl_stapling_mutex_reinit(s, p);
+#endif
 }

 #define MODSSL_CFG_ITEM_FREE(func, item) \