mirror of
https://github.com/apache/httpd.git
synced 2025-08-07 04:02:58 +03:00
mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1734561 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
@@ -122,6 +122,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
|
||||
mctx->crl_path = NULL;
|
||||
mctx->crl_file = NULL;
|
||||
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
|
||||
mctx->crl_check_flags = UNSET;
|
||||
|
||||
mctx->auth.ca_cert_path = NULL;
|
||||
mctx->auth.ca_cert_file = NULL;
|
||||
@@ -272,6 +273,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
|
||||
cfgMerge(crl_path, NULL);
|
||||
cfgMerge(crl_file, NULL);
|
||||
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
|
||||
cfgMergeInt(crl_check_flags);
|
||||
|
||||
cfgMergeString(auth.ca_cert_path);
|
||||
cfgMergeString(auth.ca_cert_file);
|
||||
@@ -998,8 +1000,29 @@ const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd,
|
||||
const char *arg)
|
||||
{
|
||||
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
const char *err, *w;
|
||||
|
||||
return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
|
||||
w = ap_getword_conf(cmd->temp_pool, &arg);
|
||||
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
|
||||
if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
|
||||
return err;
|
||||
}
|
||||
|
||||
if (sc->server->crl_check_flags == UNSET) {
|
||||
sc->server->crl_check_flags = 0;
|
||||
}
|
||||
while (*arg) {
|
||||
w = ap_getword_conf(cmd->temp_pool, &arg);
|
||||
if (strcEQ(w, "no_crl_for_cert_ok")) {
|
||||
sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
|
||||
}
|
||||
else {
|
||||
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
|
||||
": Invalid flag '", w, "'",
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
|
||||
@@ -1512,8 +1535,29 @@ const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd,
|
||||
const char *arg)
|
||||
{
|
||||
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
|
||||
const char *err, *w;
|
||||
|
||||
return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mode);
|
||||
w = ap_getword_conf(cmd->temp_pool, &arg);
|
||||
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
|
||||
if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
|
||||
return err;
|
||||
}
|
||||
|
||||
if (sc->proxy->crl_check_flags == UNSET) {
|
||||
sc->proxy->crl_check_flags = 0;
|
||||
}
|
||||
while (*arg) {
|
||||
w = ap_getword_conf(cmd->temp_pool, &arg);
|
||||
if (strcEQ(w, "no_crl_for_cert_ok")) {
|
||||
sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
|
||||
}
|
||||
else {
|
||||
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
|
||||
": Invalid flag '", w, "'",
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,
|
||||
|
Reference in New Issue
Block a user