1
0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00

mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive

to opt-in previous behaviour (2.2) with CRLs verification when checking
certificate(s) with no corresponding CRL.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1734561 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2016-03-11 13:51:17 +00:00
parent cdfb2f5fd6
commit bafafe600b
7 changed files with 100 additions and 21 deletions

View File

@@ -122,6 +122,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
mctx->crl_path = NULL;
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
mctx->crl_check_flags = UNSET;
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
@@ -272,6 +273,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
cfgMerge(crl_path, NULL);
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
cfgMergeInt(crl_check_flags);
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
@@ -998,8 +1000,29 @@ const char *ssl_cmd_SSLCARevocationCheck(cmd_parms *cmd,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err, *w;
return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
w = ap_getword_conf(cmd->temp_pool, &arg);
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->server->crl_check_mode);
if (err || sc->server->crl_check_mode == SSL_CRLCHECK_NONE) {
return err;
}
if (sc->server->crl_check_flags == UNSET) {
sc->server->crl_check_flags = 0;
}
while (*arg) {
w = ap_getword_conf(cmd->temp_pool, &arg);
if (strcEQ(w, "no_crl_for_cert_ok")) {
sc->server->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
}
else {
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
": Invalid flag '", w, "'",
NULL);
}
}
return NULL;
}
static const char *ssl_cmd_verify_parse(cmd_parms *parms,
@@ -1512,8 +1535,29 @@ const char *ssl_cmd_SSLProxyCARevocationCheck(cmd_parms *cmd,
const char *arg)
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
const char *err, *w;
return ssl_cmd_crlcheck_parse(cmd, arg, &sc->proxy->crl_check_mode);
w = ap_getword_conf(cmd->temp_pool, &arg);
err = ssl_cmd_crlcheck_parse(cmd, w, &sc->proxy->crl_check_mode);
if (err || sc->proxy->crl_check_mode == SSL_CRLCHECK_NONE) {
return err;
}
if (sc->proxy->crl_check_flags == UNSET) {
sc->proxy->crl_check_flags = 0;
}
while (*arg) {
w = ap_getword_conf(cmd->temp_pool, &arg);
if (strcEQ(w, "no_crl_for_cert_ok")) {
sc->proxy->crl_check_flags |= MODSSL_CCF_NO_CRL_FOR_CERT_OK;
}
else {
return apr_pstrcat(cmd->temp_pool, cmd->cmd->name,
": Invalid flag '", w, "'",
NULL);
}
}
return NULL;
}
const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *cmd,